Fascinating (frightening?) report from Anthropic describing how they eventually disrupted the first reported AI-orchestrated cyber espionage campaign.
In mid-September 2025, we detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign. The attackers used AI’s “agentic” capabilities to an unprecedented degree—using AI not just as an advisor, but to execute the cyberattacks themselves.
The threat actor—whom we assess with high confidence was a Chinese state-sponsored group—manipulated our Claude Code tool into attempting infiltration into roughly thirty global targets and succeeded in a small number of cases. The operation targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. We believe this is the first documented case of a large-scale cyberattack executed without substantial human intervention.
Quick aside: The phrase ‘state‑sponsored group’ may sound novel, but history shows otherwise. During the era of maritime exploration, governments issued licenses to privateers who raided enemy trade. They were not formal navies, yet they sailed under state authority and operated in the space between national policy and private agency. One of the most famous British privateers was Sir Francis Drake, commissioned by Queen Elizabeth I to raid settlements and shipping in the Americas. To the Spanish he was simply a pirate.
The barriers to performing sophisticated cyberattacks have dropped substantially—and we predict that they’ll continue to do so. With the correct setup, threat actors can now use agentic AI systems for extended periods to do the work of entire teams of experienced hackers: analyzing target systems, producing exploit code, and scanning vast datasets of stolen information more efficiently than any human operator. Less experienced and resourced groups can now potentially perform large-scale attacks of this nature…
This raises an important question: if AI models can be misused for cyberattacks at this scale, why continue to develop and release them? The answer is that the very abilities that allow Claude to be used in these attacks also make it crucial for cyber defense. When sophisticated cyberattacks inevitably occur, our goal is for Claude—into which we’ve built strong safeguards—to assist cybersecurity professionals to detect, disrupt, and prepare for future versions of the attack. Indeed, our Threat Intelligence team used Claude extensively in analyzing the enormous amounts of data generated during this very investigation.
Artificial intelligence carries immense promise, yet it clearly brings risks familiar from earlier technology breakthroughs. When nuclear weapons emerged, nations had to confront a technology that could deter conflict while holding the power to devastate the world. While these present threats are not existential, AI presents a similar paradox. It can drive progress and solve problems, yet it can, in a very real sense, be turned against us. The issue is not whether AI is good or bad, but how we choose to govern its use.
