Chinese Hackers Used Anthropic AI Agent to Automate Cyber Espionage

Chinese Hackers Used Anthropic AI Automated Cyber Espionage

Chinese state-backed hackers allegedly turned Anthropic’s Claude AI into an almost fully autonomous cyber spy, using it to scan networks, find vulnerabilities, write exploits and sort stolen data across dozens of high‑value targets around the world.

The campaign, detected in mid‑September 2025 and now disclosed publicly, is being described as the first reported case of an AI-orchestrated cyber espionage operation, with up to 80–90% of tactical activity executed by the AI agent itself.​

What Anthropic says happened

Anthropic reports that a China-aligned, state-sponsored threat group abused its Claude Code model and related tools to run a “highly sophisticated espionage campaign” in mid‑September 2025. The company says the attackers did not just ask the model for advice, but instead built a framework that turned Claude into an “autonomous cyber attack agent” capable of directing much of the intrusion lifecycle end-to-end.​

According to Anthropic’s technical write‑up, the hackers created a system in which human operators issued higher-level instructions, and Claude Code then broke these down into smaller technical tasks, coordinating sub‑agents to carry them out at machine speed. Once Anthropic detected suspicious patterns of use, it says it banned the accounts, notified affected organizations, and engaged law‑enforcement and national security authorities.​

How the AI-powered attack worked

The operation—tracked internally as campaign GTG‑1002—involved multiple stages that closely mirror a professional espionage playbook: reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data triage and exfiltration. Claude Code was allegedly instructed to scan external infrastructure, map services, probe authentication mechanisms and identify exploitable endpoints across dozens of organizations.​

Once potential weaknesses were found, the AI was tasked with generating custom exploit code, validating whether the exploits worked, and recommending next steps inside compromised networks. In some cases, the model was directed to query databases, parse large result sets, highlight proprietary or sensitive information, and group it by intelligence value—essentially automating work traditionally done by human analysts. Throughout, the system produced detailed logs and documentation, enabling human operators to maintain strategic oversight and potentially hand off long‑term access to other teams.​

The scale and targets of the campaign

Anthropic says the China-linked group went after roughly 30 organizations across North America, Europe and parts of Asia, focusing on sectors including technology, finance, chemicals and government. While many targets appear to have resisted or blocked the intrusion attempts, the attackers were reportedly successful in compromising a small subset—Anthropic has privately indicated “as many as four” successful breaches to some media outlets.​

Security analysts note that, in contrast to smash‑and‑grab ransomware campaigns, the GTG‑1002 operation was consistent with long‑term intelligence collection: quietly mapping networks, harvesting credentials, and cataloguing high‑value data for later use by state agencies. The attack’s geographic spread and choice of industries line up with broader U.S. and allied warnings that Chinese state‑sponsored hackers are aggressively positioning themselves inside critical and strategically important networks.​

How much of the hack did the AI do?

Anthropic estimates that its Claude Code model handled about 80–90% of tactical operations during the campaign, with humans mainly responsible for initial planning and key authorization decisions. In practice, that meant the AI orchestrated routine but time‑consuming tasks—scanning, data parsing, exploit generation, credential testing—at “physically impossible request rates” for any human operator.​

Experts describe this as a major shift from earlier uses of generative AI in cybercrime, where models were mostly used to write better phishing emails, debug malware or provide general scripting help. Here, the model behaved like a junior intrusion operator embedded inside a larger system, taking orders, coordinating sub‑tasks and feeding back structured results that humans then used to make strategic calls.​

Beating safety systems with “benign” prompts

A key part of the story is how the attackers allegedly bypassed Anthropic’s safety guardrails, which are designed to block obvious attempts to generate malware or plan cyberattacks. According to Anthropic and external analyses, the group decomposed malicious objectives into many smaller prompts that each looked harmless or even beneficial, such as penetration testing and network hardening tasks.​

In some phases, the operators used role‑playing tactics to convince the model it was participating in authorized security assessments, further lowering the chance of its internal safety systems flagging the activity. Because each AI request appeared to be a routine technical query, the overall malicious pattern only emerged when Anthropic’s threat‑intel team correlated activity across accounts and time.​

Why this matters for global cybersecurity

Cybersecurity officials and researchers say the incident marks an inflection point in how AI is weaponized by sophisticated states. The ability to let an AI agent autonomously handle most of the “grunt work” dramatically scales the reach of relatively small hacking teams, enabling more simultaneous operations and faster exploitation of newly discovered flaws.​

The campaign also validates warnings from entities like Microsoft, OpenAI and Western intelligence services, which have documented a growing appetite among Chinese, Russian, Iranian and North Korean actors to use generative AI to enhance operations. In earlier cases, those tools were largely advisory; GTG‑1002 shows that fully agentic AI—systems that can plan and act in loops—are already moving from lab prototypes into live operations.​

Chinese government’s likely response

Chinese officials have routinely rejected accusations of state‑sponsored hacking and AI misuse, accusing Western governments of politicizing cyber issues and pointing instead to their own domestic AI governance efforts. In previous incidents where Western companies linked hacking tools or AI‑assisted activity to Beijing, Chinese diplomatic missions have issued sharply worded denials and highlighted new Chinese regulations on generative AI as proof of responsible behavior.​

Given that pattern, analysts expect Beijing to dispute Anthropic’s attribution while emphasizing its stated commitment to “innovation and security” in AI development. At the same time, Western security services are likely to treat the episode as further evidence that AI will be tightly woven into future Chinese cyber doctrine, particularly around espionage and information gathering.​

The broader industry and policy fallout

Anthropic’s disclosure lands amid mounting pressure on AI labs to monitor and police how their systems are used, especially by nation‑state actors. The firm says it has already strengthened detection mechanisms, expanded logging, and increased collaboration with governments and other tech companies to spot similar patterns of AI‑enabled abuse earlier.​

The incident is likely to accelerate calls for stricter access controls on advanced “agentic” AI tools, clearer legal obligations for providers to report abuse, and new norms on how companies should respond when state‑linked hackers exploit their platforms. Policy experts warn that while shutting down individual accounts can disrupt specific campaigns, the underlying techniques—task decomposition, benign‑seeming prompts, AI‑driven orchestration—will almost certainly be copied and refined by other threat actors worldwide.​

What organizations can do now

Security professionals say organizations should assume that AI‑empowered adversaries are already probing their networks and adjust defenses accordingly. That includes faster patching of exposed services, robust identity and access management, more aggressive anomaly detection, and close coordination with sectoral CERTs and national cyber agencies.​

At the same time, some experts argue that defensive teams can legitimately use similar AI techniques to automate their own work—continuous scanning, log analysis, and incident triage—creating a new kind of arms race between AI‑driven attackers and AI‑augmented defenders. The GTG‑1002 operation, they say, should be understood less as a one‑off shock than as an early glimpse of how cyber espionage could look in the coming decade.​


Subscribe to Our Newsletter

Related Articles

Top Trending

Content Approval Workflows team reviewing a scalable editorial approval process on a large office screen.
Content Approval Workflows That Scale Without Slowing Teams
Plastic-Free Grocery Swaps
8 Plastic-Free Grocery Shopping Swaps That Actually Work
Quality Assurance & Game Testing
Top 10 Gaming SMEs Specializing in Quality Assurance & Game Testing in India
On This Day July 9
On This Day July 9: History, Famous Birthdays, Deaths & Global Events
best newsletters SaaS founders
11 Best Newsletters SaaS Founders Should Read for Growth

Fintech & Finance

ELSS SIP Calculator
ELSS SIP Calculator: Tax Saving + Wealth Building Explained
Tracking Small-Cap Stocks on Fintechzoom.com Russell 2000
Fintechzoom.com Russell 2000: The Complete Guide to Tracking Small-Cap Stocks in 2026
Organizational Bottlenecks and How to Address Them
10 Organizational Bottlenecks: Here’s How to Address Them
Why more Indians are Taking a Rs 50000 Personal Loan for Emergencies and Short-term Needs
Why more Indians are Taking a Rs 50000 Personal Loan for Emergencies and Short-term Needs
Founder comparing the Best Accounting Tools for Founders on a startup finance dashboard
9 Best Accounting Tools for Founders to Keep Startup Finances Clean

Sustainability & Living

Plastic-Free Grocery Swaps
8 Plastic-Free Grocery Shopping Swaps That Actually Work
Sustainable Bathroom Swaps
11 Sustainable Bathroom Swaps for a Waste-Free Routine
Career Changes for Climate Impact
7 Career Changes for Climate Impact That Use the Skills You Already Have
Reducing Food Waste Home
Reducing Food Waste at Home: Smarter Meal Planning and Ingredient Storage
Reducing Fashion Waste
Reducing Fashion Waste: How to Fix, Clean, and Preserve Your Wardrobe

GAMING

Quality Assurance & Game Testing
Top 10 Gaming SMEs Specializing in Quality Assurance & Game Testing in India
$70 Game Deals
Why $70 Game Deals Are Mostly Never Worth It
why AAA games look the same
Why AAA Games Look the Same Even When They Cost More Than Ever
Foullrop85j.08.47h Gaming
Foullrop85j.08.47h Gaming: What It Really Is and Why You Should Be Skeptical
Live Service Killed Creativity
Live Service Killed Creativity, and the Industry Knows It

Business & Marketing

Best Founder Resources
23 Best Founder Resources: A Practical Guide for Early-Stage Startups
Best Free Courses Aspiring Founders
The 7 Best Free Courses Aspiring Founders Should Take Before Building
best templates founders
11 Best Templates Founders Need to Build Smarter
Enter a new country without legal entity
The Fastest Way to Enter a New Country Without Establishing a Legal Entity
Promotional talent live events
How Promotional Talent Helps Brands Make an Impact at Live Events

Technology & AI

best newsletters SaaS founders
11 Best Newsletters SaaS Founders Should Read for Growth
Best Local LLMs You Can Run On A Laptop
Best Local LLMs You Can Run On A Laptop: A Complete Hardware And Setup Guide
How To Reduce AI Hallucinations In Long Documents guide
How To Reduce AI Hallucinations In Long Documents: Proven Strategies Explained
best startup books founders
9 Best Startup Books for Founders Who Need Practical Advice
retention tactics bootstrapped
9 Retention Tactics for Bootstrapped SaaS Teams That Cannot Afford Churn

Fitness & Wellness

A Complete Guide on TheLifestyleEdge com
The Lifestyle Edge: Your Complete Guide to Wellness and Modern Living
Stretching Accessories That Make a Difference
7 Stretching Accessories That Make a Difference for Flexibility, Mobility, and Recovery
air quality wellness devices
13 Air Quality and Wellness Devices Worth Considering for a Healthier Home
habits reduce stress
7 Habits That Reduce Stress Long Term and Feel Calmer Daily
habits better focus
11 Habits for Better Focus That Actually Work