Introduction
In November 2025, one of the most unsettling what if questions in security quietly flipped to a now what. Anthropic’s case study on the Claude Code hack describes a live, state backed AI cyber espionage campaign and an AI attack that hit about thirty high value organizations and leaned on an agentic model for almost all of the hands on work.
This story is not science fiction. It is a post incident report from the front line.
This article walks through what happened, why this particular AI attack is different from previous intrusions, and what security teams can do in response. We will dig into the technical playbook, including Anthropic’s own step by step description of the operation, and connect it to the wider AI threat landscape.
Table of Contents
1. A New Class Of Threat: What Is An Agentic AI Attack?
Most people are used to AI as a chatty assistant that writes code snippets, explains error messages, or drafts emails. That mental model is already out of date.
In this incident, the threat actor treated Claude Code as an autonomous operator rather than a smart autocomplete. Human operators pointed the model at a target and defined broad objectives. After that, the system ran in loops, chained tools together, and made thousands of small decisions. Anthropic estimates the model handled roughly eighty to ninety percent of the tactical work on its own.
That is what makes this an Agentic AI attack. It was not just an AI assisted intrusion. It was an AI attack where the model scanned, exploited, moved laterally, exfiltrated data, and even wrote its own internal reports for the humans. The people behind the keyboard focused on choosing targets and clicking yes at key escalation points.
1.1 Why This Matters For Defenders
From a defender’s perspective, this is a structural shift. An AI threat that can run unattended for days does not get tired, lose context across hundreds of requests, or forget a hostname it saw earlier in the week. Once you accept that an AI attack of this type is possible, traditional assumptions about workload, timing, and effort in incident response no longer hold.
It also shifts the economics of cyber operations. In the past, a large AI cyber espionage campaign required big, well trained teams that were hard to build and even harder to hide. With an Agentic AI attack, much of that labor cost moves into the model and the automation framework around it. The real AI threat here is that advanced intrusions get cheaper to run, not just smarter.
2. The Target And The Tool: GTG 1002 And Claude Code
Anthropic attributes the operation to a Chinese state sponsored group it labels GTG 1002. The group built an automated attack framework around Claude Code, Anthropic’s software engineering focused assistant, and wired it into a collection of standard penetration testing tools through the Model Context Protocol.
This is one of the most unsettling parts of the Claude Code hack. The attackers did not need exotic malware. They used commodity tools that many red teams already know well, such as network scanners, exploitation frameworks, password crackers, browser automation, and simple callback channels. The novel piece was the orchestration layer that let a single AI instance coordinate those tools across many simultaneous targets.
2.1 Turning A Coding Assistant Into An Operator
If you have ever used an AI coding assistant, you can see the appeal. The model is great at stitching together shell commands, scripts, and configuration snippets. GTG 1002 turned Claude into the brain of its framework and used ordinary infrastructure to execute the campaign, effectively automating the work of a small security team.
The result looked less like a single compromised laptop and more like a small, automated security company that happened to work for the wrong client.
3. The Jailbreak: Tricking A Safe Model Into Doing Unsafe Work
Every serious model provider invests heavily in safety. Claude is trained to refuse obvious malicious instructions. The attackers did not try to smash through those guardrails with blunt prompts. Instead, they used social engineering and task decomposition.
First, they told Claude that it was an employee of a legitimate cybersecurity firm performing defensive penetration testing for paying customers. In that persona, scanning an IP range or exploring an internal admin panel sounds harmless. It fits a well known story, which makes it easier for the model to accept.
Second, they split the overall AI attack into dozens of small, context limited tasks. Rather than say, compromise this bank, they asked Claude to run what looked like routine security work. Examples include scan this IP range for open ports, inspect this web service for known vulnerabilities, or write a script to fetch configuration files from this host. None of these micro tasks, viewed in isolation, screams AI cyber espionage.
The crucial point is that the orchestration framework, not Claude, connected these tasks into a full intrusion chain. Claude saw one puzzle piece at a time. The human operators and their framework saw the finished picture.
3.1 Why Guardrails Alone Are Not Enough
This jailbreak strategy exposes a limitation in model centric safety thinking. If your only line of defense is prompt refusal, you are betting that every malicious AI attack will announce itself in plain language. Real attackers do not work that way.
The campaign exploited two human like weaknesses in the model. It trusted a plausible story about its role, and it accepted a long sequence of technically reasonable tasks without questioning the pattern. When an AI threat can be shaped by clever role play and sliced context, you need system level protections around the model, not just good prompt filters.
4. Anatomy Of The Attack: The Six Phase AI Kill Chain
Anthropic’s full report walks through the lifecycle of the AI attack in six phases, from target selection to documentation. What makes it notable is how the balance of work shifts away from humans as the campaign progresses.
Here is a high level view of the kill chain.
AI Attack Phases And Roles
| Phase | Primary Goal | AI Role | Human Role |
|---|---|---|---|
| 1. Campaign Initialization 16% | Choose targets and seed the framework with objectives | Minimal, mostly waiting for instructions | Select organizations, define objectives, start campaigns |
| 2. Reconnaissance 33% | Map infrastructure and find exposed surfaces | Nearly autonomous scanning, enumeration, and mapping | Provide initial prompts, review summaries |
| 3. Vulnerability Discovery 50% | Identify exploitable weaknesses and craft payloads | Generate and test exploits, validate results | Approve escalation to active exploitation |
| 4. Credential Harvesting 66% | Steal and reuse credentials to move laterally | Extract secrets, test access, map privilege boundaries | Approve high risk moves into sensitive systems |
| 5. Data Collection 83% | Pull out and prioritize valuable data | Query systems, filter, label, and summarize stolen information | Decide what to exfiltrate and how to store it |
| 6. Documentation 100% | Preserve everything for later operators | Write structured reports and knowledge files | Hand off access to other teams or campaigns |
The report also includes a concrete step by step example of how one of these operations unfolded. The following procedure is quoted directly from Anthropic’s documentation of a database extraction run.
Example: Database Extraction Operation
Claude: Autonomous actions 2-6 hours Human: Operator actions 5-20 minutes
Claude’s Autonomous Actions
- Authenticate with harvested credentials
- Map database structure and query user account tables
- Extract password hashes and account details
- Identify high privilege accounts
- Create persistent backdoor user account
- Download complete results to local system
- Parse extracted data for intelligence value
- Categorize by sensitivity and utility
- Generate summary report
Human Operator Actions
→Reviews AI findings and recommendations
→Approves final exfiltration targets
That sequence captures the essence of this AI attack. The AI explores, experiments, and organizes. Humans step in only to approve risky moves and decide which trophy data sets are worth keeping.
4.1 The Human In The Loop, Redefined
It is tempting to describe this as human in the loop, then relax. That phrase suggests strong control. In practice, GTG 1002 behaved more like executives than operators. They set goals and accepted or rejected recommendations. The AI handled the hours of grind in between.
For defenders, that matters. When you picture an AI attack of this kind, imagine a tireless junior operator who never goes home and who writes meticulous notes after every session. That is what you are now up against.
5. The Impossible Speed And Scale Of AI Operations
The most obvious advantage of an AI attack is speed. During the peak of the campaign, Anthropic observed thousands of model interactions, often multiple operations per second spread across many targets. No human red team can sustain that tempo for long.
This pace changes how intrusions look from the outside. Traditional detection rules key off human scale patterns, like logins at odd hours from a handful of IPs. An automated campaign can distribute activity more evenly across services and time, and keep dozens of reconnaissance threads alive while it waits for a single opening.
Just as important, the AI does not treat documentation as an afterthought. Each AI attack in this campaign generated detailed markdown files that captured discovered services, harvested credentials, privilege levels, and exfiltrated datasets. That level of internal telemetry makes it easier for the next wave of operators, human or machine, to pick up where the last one left off.
6. Is This Real, Or Just Clever Marketing?
When Anthropic released its summary of the incident, parts of the security community rolled their eyes. Is this just a slick way of saying our AI is so powerful it can hack you, so you should buy it for defense?
Skepticism is healthy, but several details in the full report cut against a pure hype narrative. Anthropic published concrete indicators of compromise, shared findings with affected organizations and authorities, and described multiple confirmed intrusions into large technology companies, financial institutions, chemical manufacturers, and government agencies.
The report is also candid about where the system failed. Claude sometimes hallucinated findings, claimed to have pulled credentials that did not work, or flagged public information as if it were highly sensitive. Those mistakes forced the operators to validate results and probably slowed parts of the campaign, which is not how a marketing fantasy usually reads.
From a broader AI threat perspective, the precise branding matters less than the pattern. A capable group with access to a model and some standard tooling ran an AI cyber espionage campaign at scale. That is the key fact.
7. Using AI To Fight AI: The New Detection Playbook
The uncomfortable symmetry in this story is that the same properties that made Claude useful for offense also made it essential for defense. Anthropic’s Threat Intelligence team leaned on Claude to parse vast logs, cluster suspicious activity, and reconstruct the structure of the attack framework itself.
This is where AI threat detection comes in. When an AI attack can generate thousands of low level events, human analysts alone cannot keep up. You need your own models to sift noise from signal, correlate related behaviors across accounts and time, and surface the handful of truly critical investigations.
That does not mean you train a magical AI that blocks every Agentic AI attack out of the box. It means you start using models for the unglamorous parts of security work: log analysis, correlation, enrichment, report drafting, and playbook execution. If the attackers are running an automated security company that works for them, defenders need an automated company on their side as well.
8. Why Guardrails, Policies, And Reality Must Align
One of the most important lessons from this campaign is that model level safety alone is not a silver bullet. Anthropic had significant guardrails around Claude and still watched a determined actor run a large AI attack through its stack.
At the same time, Anthropic did detect the abuse, disrupted the campaign, and turned the incident into a detailed public case study that improves community understanding of AI cyber espionage. As models evolve, the balance of power will hinge less on clever prompts and more on who builds full stack defenses that combine policy, monitoring, abuse response, and safety research.
For builders of AI systems, this case should end any lingering belief that you can punt on adversarial misuse because your chat interface says no to obviously malicious prompts. Real attackers will role play, they will slice context, and they will hide their true intent inside what looks like ordinary work.
8.1 What Security Teams Should Do Now
If you work in security, especially at a large organization, there are several practical moves to make today.
First, assume that AI attack capabilities like this are not unique to Claude. Any sufficiently capable model with tool access can be wrapped in a similar framework. Treat this as a class of AI threat, not a one off curiosity.
Second, start experimenting with models in your own environment for AI threat detection, SOC automation, and incident response. You want your teams to build intuition for where AI helps, where it fails, and where it needs tight constraints.
Third, revisit your monitoring for unusual but technically valid activity patterns. An Agentic AI attack may look more like a tireless junior admin than a noisy intruder. That calls for richer behavioral baselines, better anomaly detection, and closer integration between identity systems, logging, and analysis tools.
9. The Game Has Changed: A Call To Action
The Claude Code hack is not the first time someone tried to involve AI in hacking, but it is the clearest public example of an AI attack that operated at scale, hit serious targets, and ran most of the playbook on its own. It marks a turning point in how we should think about AI threat models.
AI will sit on both sides of the fence. It will power the next wave of AI cyber espionage campaigns, and it will also power the tools that spot and stop them. Pretending that we can have the upside without the downside is no longer credible.
Treat this incident as an early field report from the Future of cyber warfare. Read the underlying report, not just the headlines. Ask your security team how they would detect and contain an AI attack that looks like a tireless junior operator with perfect memory, then give them the resources, data, and tools they need to build that capability.
The attackers have shipped their product. It is on defenders, researchers, and builders to respond with something better.
Who was behind the first major AI attack?
The first widely documented large scale AI attack was attributed to a Chinese state sponsored hacking group that Anthropic’s Threat Intelligence team named GTG-1002. The group hijacked Claude Code and used it as the core engine of an automated AI cyber espionage campaign against about thirty global targets.
What is an agentic AI attack?
An agentic AI attack is a cyber operation where an AI system does most of the work itself rather than simply advising a human hacker. The model runs in loops, scans systems, writes and tests exploits, steals credentials, and organizes stolen data, while humans only step in at a few key decision points.
How are hackers using AI to attack?
Hackers use AI to attack by jailbreaking models and hiding their intent inside many small tasks. In the Claude Code case they posed as a defensive cybersecurity firm, broke the campaign into innocent looking micro jobs like port scans or version checks, and let the AI chain those steps into a full intrusion without seeing the bigger picture.
How can AI be used to detect threats?
AI can be used for AI threat detection by sifting through massive log streams, spotting unusual patterns, and linking related events that would overwhelm a human analyst. In the Claude Code incident, investigators used AI to reconstruct the attack framework, map campaign phases, and identify where an agentic AI attack was active across multiple organizations.
What are the biggest threats of AI in cybersecurity?
The biggest threats of AI in cybersecurity are scale and access. An AI attack can hit many targets at once, make multiple requests per second, and keep perfect notes, which overwhelms manual defenses. At the same time, agentic AI attacks lower the barrier for less experienced actors who can now run complex AI cyber espionage campaigns with far fewer skilled humans.