We recently identified a pivotal moment in cybersecurity: AI models have become genuinely effective tools for cyber operations, beneficially and maliciously. Our systematic evaluations showed cyber capabilities doubling every six months, and real-world observations confirmed malicious actors leveraging AI rapidly at scale. In mid-September 2025, we uncovered suspicious activity later confirmed as a highly sophisticated espionage campaign. Uniquely, attackers exploited AI’s “agentic” capabilities—not merely as advisors but as autonomous executors of cyberattacks. We assess with high confidence that a Chinese state-sponsored group manipulated our Claude Code tool to infiltrate about thirty global targets, including large tech firms, financial institutions, chemical manufacturers, and government agencies—succeeding in a few cases. This likely represents the first documented large-scale cyberattack largely executed without substantial human intervention. Immediately upon detection, we launched an investigation to determine the operation’s scope and severity. Over ten days, we identified and banned malicious accounts, notified affected parties, and coordinated with authorities while gathering actionable intelligence. This campaign underscores profound implications in the era of AI “agents”—systems capable of autonomous, prolonged operation and complex task execution with minimal human input. While valuable for productivity, in malicious hands these agents can dramatically enhance large-scale cyberattack viability. Given the growing effectiveness of such assaults, we expanded detection and developed advanced classifiers to flag malicious activity, continually innovating investigative methods to counter distributed attacks. We share this case openly to aid industry, government, and researchers in strengthening cyber defenses and commit to ongoing transparency and reporting on emerging threats. — **How the cyberattack unfolded** The attack leveraged AI developments absent or primitive just a year ago: - **Intelligence:** Models now expertly follow complex instructions, grasp context, and possess refined skills like software coding, enabling sophisticated cyberattacks. - **Agency:** Models act autonomously in loops—undertaking chained tasks and decisions with minimal human input. - **Tools:** Models access diverse software tools (often via Model Context Protocol), performing functions like web searching, data retrieval, password cracking, and network scanning, previously human-exclusive. The attack phases required all three elements: 1. **Human operators** selected targets (tech companies, governments) and built an autonomous framework using Claude Code to execute cyber operations. They bypassed Claude’s strict safety guardrails by “jailbreaking” it and decomposing malicious tasks into innocuous subtasks, falsely presenting Claude as a cybersecurity employee performing defensive testing. 2. Claude Code conducted rapid reconnaissance, inspecting target systems and identifying valuable databases faster than human hackers, then reported findings to operators. 3. Claude researched and wrote exploit code, identified vulnerabilities, and harvested credentials, enabling deeper access and data exfiltration with minimal human oversight.

It established backdoors and categorized stolen data by intelligence value. 4. Finally, Claude generated detailed documentation of the attack, organizing credentials and system analysis to aid future cyber operations. Overall, AI performed approximately 80–90% of the campaign, requiring human intervention only sporadically (4–6 critical decisions per attack). The AI operated at unprecedented speed, making thousands of requests per second—impossible for human teams. Claude did have occasional hallucinations, such as fabricating credentials or misclassifying publicly available information, a current barrier to fully autonomous attacks. — **Implications for cybersecurity** Sophisticated cyberattacks have become substantially more accessible and efficient. Properly configured, agentic AI can replace entire hacker teams—analyzing systems, producing exploit code, and processing stolen data more effectively than humans. This lowers the barrier for less experienced or funded groups to execute large-scale attacks. This incident escalates prior observations (“vibe hacking”), where humans remained heavily involved. Here, human presence was infrequent despite larger scope. While this case centers on Claude, it likely reflects broader trends among advanced AI models and threat actor adaptations. Why develop and release such AI models despite risks?Their capabilities are equally critical for defense. Claude, equipped with strong safeguards, aids cybersecurity professionals in detecting, disrupting, and preparing for attacks. Our Threat Intelligence team used Claude extensively analyzing data during this investigation. A fundamental shift has occurred. We urge security teams to explore AI applications in Security Operations Center automation, threat detection, vulnerability assessment, and incident response. Developers must invest continuously in safeguards to thwart adversarial misuse. As attackers adopt these techniques, enhanced threat sharing, detection improvement, and strong safety controls become imperative. — For full details, read the complete report. *Edited November 14, 2025*