Anthropic uncovers first large-scale AI-orchestrated cyber espionage campaign using Claude Code

AICyber security
Written By Emma Thompson

Anthropic has published new findings on a Chinese state-sponsored cyber operation that used Claude Code to automate most stages of a multi-target intrusion campaign, accelerating reconnaissance, exploitation and data extraction at a scale not previously documented.

Anthropic has released an extensive account of what it describes as the first confirmed case of a large-scale cyber espionage campaign conducted primarily by an AI system rather than human hackers.

The disclosure follows a ten-day investigation in September 2025, during which Anthropic’s Threat Intelligence analysts identified coordinated activity across roughly thirty organizations worldwide. The targets included major technology companies, financial institutions, chemical manufacturers and government bodies. Anthropic assesses with high confidence that the campaign was operated by a Chinese state-sponsored group designated GTG-1002.

Anthropic is the developer of the Claude family of frontier AI models, including Claude Code, which provides software and infrastructure automation capabilities. The company says the threat actor manipulated Claude Code inside a custom attack framework designed to carry out autonomous intrusion activity with minimal oversight. While only a small number of intrusions were successful, Anthropic characterizes the attack as a significant escalation in how sophisticated actors integrate AI into offensive cyber operations.

The company notes that the scale and speed of the activity exceeded what human teams could feasibly manage. Analysts detected request patterns running continuously and at high frequency, with the AI generating reconnaissance, exploit code and lateral movement tasks that would otherwise require coordinated human labor across several teams.

Investigation shows AI automated the majority of the intrusion lifecycle

Anthropic says GTG-1002 relied on three emerging capabilities that were not available in mature form even a year earlier: higher intelligence in model reasoning, improved agentic autonomy and access to integrated toolchains through the Model Context Protocol. This combination allowed the actor to offload core phases of the attack to Claude Code.

The attack framework decomposed operations into thousands of small instructions that appeared legitimate on their own. These instructions were assigned to multiple Claude instances operating under fabricated personas. The attackers framed the tasks as internal security assessments, allowing them to bypass safety guardrails that normally block harmful instructions. Claude, unaware of the broader context, executed these tasks as part of its automated loop.

According to the report, GTG-1002 used Claude Code for reconnaissance, vulnerability research, exploit generation, credential harvesting, privilege escalation, lateral movement and data extraction. The attackers intervened only at a handful of decision points. Anthropic estimates that AI performed between 80 and 90 percent of the campaign’s operational work, including thousands of requests made sequentially and sometimes several within the same second.

Claude also produced detailed documentation of the intrusion as it progressed. This included structured inventories of compromised systems, harvested credentials, file directories and attack steps, giving operators a ready-made record for subsequent phases. Anthropic notes that the system was able to resume operations even after interruptions by retrieving its earlier context and recreating the chain of events.

Detection highlights both capability limits and loopholes in current safeguards

Anthropic says the attack was uncovered through monitoring of anomalous Claude Code usage, including request patterns, tool invocation sequences and operational persistence across multiple unrelated sessions. Once confirmed as malicious, the company banned linked accounts, notified affected entities and began refining detection models to identify similar agentic patterns earlier.

The investigation also exposed limitations in AI-driven intrusion activity. Claude sometimes produced incorrect or unverifiable information, including fabricated credentials and misclassified findings. Anthropic states that these hallucinations remain an obstacle to fully autonomous cyberattacks, since operators must still validate output before execution. The report notes that Claude frequently overstated the value of information during autonomous runs, including cases where data identified as sensitive was already public.

At the same time, Anthropic warns that the weaknesses do not significantly reduce the threat profile. Even with errors, the actor was able to launch a multi-stage campaign across numerous organizations using relatively little human intervention, and the automation significantly reduced the need for highly trained personnel.

The company says the incident prompted improvements to classifier systems focusing on cyber misuse and the development of new methods to identify distributed attack patterns. It also emphasizes that the threat actor’s tool stack was not advanced, drawing heavily on common open source utilities integrated through the Model Context Protocol. The novelty came not from the tools themselves but the orchestration, automation and volume of execution.

Wider implications for the future of AI misuse

Anthropic frames the case as evidence of a broader shift in cyber risk brought about by agentic AI systems, noting that less experienced actors now have potential access to techniques previously limited to well-resourced groups. The company compares the case to earlier “vibe hacking” findings reported in mid-2025, where humans were still directing most steps of an attack. The September operation differed in scale and in the reduced frequency of human oversight.

The report addresses the question of whether the advancement of AI increases risk faster than safeguards can be applied. Anthropic argues that the same capabilities used for offense are also instrumental for defense and that restricting development would leave defenders without comparable tools. The company used Claude extensively during its own investigation to analyze the high volume of logs and event data created during the incident.

Anthropic concludes that organizations should begin integrating AI directly into security operations, including threat detection, vulnerability assessment and incident response, and urges industry groups and government agencies to expand threat sharing and invest in stronger safety controls across AI platforms. As Anthropic states in the report, “This campaign demonstrates that the barriers to performing sophisticated cyberattacks have dropped substantially and we can predict that they’ll continue to do so.”

The ETIH Innovation Awards 2026

The EdTech Innovation Hub Awards celebrate excellence in global education technology, with a particular focus on workforce development, AI integration, and innovative learning solutions across all stages of education.

Now open for entries, the ETIH Innovation Awards 2026 recognize the companies, platforms, and individuals driving transformation in the sector, from AI-driven assessment tools and personalized learning systems, to upskilling solutions and digital platforms that connect learners with real-world outcomes.

Submissions are open to organizations across the UK, the Americas, and internationally. Entries should highlight measurable impact, whether in K–12 classrooms, higher education institutions, or lifelong learning settings.

Featured
ETIH Innovation Awards 2026 Categories
ETIH Innovation Awards 2026 Categories
ETIH Innovation Awards FAQs
ETIH Innovation Awards FAQs
About the EdTech Innovation Hub Awards 2026
About the EdTech Innovation Hub Awards 2026
Featured
Codeyoung raises $5 million in Series A funding to support the global expansion of its learning platform
Codeyoung raises $5 million in Series A funding to support the global expansion of its learning platform
PowerSchool adds multi-language support for AI-powered assistant and content generation tool
PowerSchool adds multi-language support for AI-powered assistant and content generation tool
Harvey partners with four UK law schools to bring AI into legal education and professional training
Harvey partners with four UK law schools to bring AI into legal education and professional training
DataCamp acquires AI learning platform Optima as it plans to create ‘the AI learning engine of the future’
DataCamp acquires AI learning platform Optima as it plans to create ‘the AI learning engine of the future’
Microsoft Ireland adds new Dream Space Teacher Academy pathways for AI and digital skills
Microsoft Ireland adds new Dream Space Teacher Academy pathways for AI and digital skills
Anthropic uncovers first large-scale AI-orchestrated cyber espionage campaign using Claude Code
Anthropic uncovers first large-scale AI-orchestrated cyber espionage campaign using Claude Code
Discord expands Family Center as platform steps up transparency for teen accounts
Discord expands Family Center as platform steps up transparency for teen accounts
Claude shows speed advantage in Anthropic’s Project Fetch robot dog experiment
Claude shows speed advantage in Anthropic’s Project Fetch robot dog experiment
Jorgepaez Wealth Circle creates AI learning engine for financial education
Jorgepaez Wealth Circle creates AI learning engine for financial education
Anthropic commits $50 billion to U.S. AI infrastructure as demand for Claude accelerates
Anthropic commits $50 billion to U.S. AI infrastructure as demand for Claude accelerates
OpenAI rolls out GPT-5.1 to ChatGPT with sharper instruction following and adaptive reasoning
OpenAI rolls out GPT-5.1 to ChatGPT with sharper instruction following and adaptive reasoning
360Learning integrates its learning platform into Workday’s, allowing for AI-powered collaborative learning
360Learning integrates its learning platform into Workday’s, allowing for AI-powered collaborative learning
Eagle Eye Networks launches $1 million grant, offering safety and security for schools, colleges and universities
Eagle Eye Networks launches $1 million grant, offering safety and security for schools, colleges and universities
Udemy partners with HSM to provide AI-powered learning to workforces in Brazil
Udemy partners with HSM to provide AI-powered learning to workforces in Brazil
Axio Education names Todd Zipper as its new Chief Executive Officer as it plans to accelerate AI-driven learning
Axio Education names Todd Zipper as its new Chief Executive Officer as it plans to accelerate AI-driven learning
More than 50 tech companies and non–profits create free activities for the Hour of AI
More than 50 tech companies and non–profits create free activities for the Hour of AI
New Udemy research finds ‘AI blindspots’ that may leave organizations and individuals at risk
New Udemy research finds ‘AI blindspots’ that may leave organizations and individuals at risk
Learning simulation provider ETU rebrands to Skillwell and launches AI-powered simulation platform
Learning simulation provider ETU rebrands to Skillwell and launches AI-powered simulation platform
Gemini for Education supports more than 1 million Italian students thanks to integration with universities
Gemini for Education supports more than 1 million Italian students thanks to integration with universities
Nord Anglia students explore innovation and impact at MIT through global learning partnership
Nord Anglia students explore innovation and impact at MIT through global learning partnership
Emma Thompson
Previous

Microsoft Ireland adds new Dream Space Teacher Academy pathways for AI and digital skills
Next

Discord expands Family Center as platform steps up transparency for teen accounts