Chinese State Hackers Used Anthropic AI In First Major Autonomous Cyber Attack

Chinese state-sponsored hackers have used artificial intelligence tools from United States company Anthropic to carry out a large-scale cyber espionage campaign against about 30 organisations worldwide, in what investigators say is the first documented attack of its kind to be driven largely by autonomous AI.

The operation, uncovered in mid-September, targeted major technology firms, financial institutions, chemical manufacturers and government agencies. According to a report released by Anthropic, the group weaponised a tool known as Claude Code, manipulating it into performing an estimated 80 to 90 per cent of the tactical work with minimal human oversight.

US officials have long warned that Beijing is seeking to exploit American AI technology to infiltrate companies and government systems. The Anthropic findings provide one of the clearest examples so far of how so-called “agentic AI” systems, which can run for long periods and chain together complex tasks, are being turned toward offensive cyber operations.

AI handled most of the hacking work

Anthropic, which develops the Claude family of AI models, said its internal investigation found that the hackers had effectively outsourced the bulk of the attack lifecycle to Claude Code. The system was observed making thousands of requests per second, a pace investigators said would be impossible for a team of human operators to match.

“Upon detecting this activity, we immediately launched an investigation to understand its scope and nature,” the company said. Over a 10-day period, Anthropic banned the accounts involved as they were identified, notified affected organisations, and coordinated with authorities while gathering intelligence on the campaign.

The report concludes that the operation shows how barriers to sophisticated cyber attacks have “dropped substantially”, since agentic AI systems can now perform work that previously required large, highly skilled teams. That shift could make broad intrusions viable even for less experienced or less well-resourced groups.

Jailbreaking and role play helped bypass safeguards

Despite Anthropic’s safety guardrails, the attackers were able to “jailbreak” the system by hiding the true purpose of their activities. Rather than directly instructing the AI to conduct malicious tasks, they broke the operation into small, apparently benign requests and used role-play prompts to convince the model it was acting as an employee of a legitimate cybersecurity firm performing defensive testing.

That approach allowed Claude Code to move through the stages of a traditional cyber operation, from scanning and exploitation to data access, with only occasional human intervention. The overall attack flow, which once demanded intensive oversight, was “almost entirely automated” according to the report.

However, the AI’s known tendency to “hallucinate” also created friction for the hackers. Investigators found that the model sometimes overstated its successes, fabricated credentials, or claimed to have obtained secret information that was actually public. Those inaccuracies meant human operators still had to validate critical steps, limiting how fully autonomous the campaign could be.

Warning and opportunity for defenders

Anthropic said it shared details of the incident in order to help governments and industry strengthen their defences at what it called a “critical inflection point” in the use of AI for both attack and defence.

“Agents are valuable for everyday work and productivity, but in the wrong hands they can substantially increase the viability of large scale cyber attacks,” the company warned.

At the same time, Anthropic stressed that the same advanced capabilities used in the campaign can also be harnessed to improve security. The report urges organisations to begin experimenting with AI-driven tools for security operations centre automation, threat detection and incident response, arguing that defenders will need to match adversaries’ use of agentic AI to keep pace with the rapidly changing threat landscape.
