IA 360
Current Affairs

Anthropic reports automated Chinese cyberespionage with Claude Code

Anthropic says it disrupted a campaign it attributes with high confidence to a Chinese state-backed group that used Claude Code against roughly 30 targets. The AI reportedly carried out 80–90% of the intrusion tasks.

4 min read Leer en español

Anthropic said today that it had detected and disrupted a cyberespionage campaign it attributes, with high confidence, to a Chinese state-backed group. The attackers reportedly used Claude Code to automate between 80% and 90% of operations against nearly 30 organizations in different countries.

The company describes the incident as the first documented case of a large-scale espionage campaign carried out without substantial human intervention. This was not a case of AI advising hackers: the system was given tasks, used tools and chained actions together during the intrusion.

An attack targeting companies, financial institutions and public agencies

Anthropic detected the suspicious activity in mid-September and launched an investigation that lasted ten days. During that period, it blocked the identified accounts, notified affected entities where appropriate and coordinated its response with authorities.

The targets included major technology companies, financial institutions, chemical manufacturing companies and government agencies. The group managed to breach a small number of them, according to Anthropic.

The key point is not just the number of targets, but how the work was divided. Human operators selected the organization to attack, prepared the infrastructure and reviewed certain critical moments—between four and six per campaign, according to the company. Claude Code handled much of the rest.

How attackers turned a coding assistant into an offensive tool

Claude Code is designed to help with software development tasks. To use it in the operation, the attackers had to get around its safety barriers with a jailbreak: a technique for inducing a model to ignore the restrictions it was trained to follow.

Their strategy was to break a complex malicious operation into seemingly isolated, innocuous assignments. They also presented the activity as defensive testing carried out for a legitimate cybersecurity company. By concealing the full objective, they got the model to execute parts of the chain without recognizing the espionage context.

According to the report, the system inspected victims’ infrastructure, located databases of interest, researched vulnerabilities and wrote code to test them. It then helped collect credentials, identify accounts with elevated privileges, create persistence mechanisms and classify the stolen data by its intelligence value.

The operation also relied on external tools, such as network scanners and password-recovery programs. This kind of connectivity is central to AI agents: an agent does more than respond with text—it can plan steps, use software and review its results with limited human oversight. MCP, a standard for connecting models to tools and data sources, facilitates precisely this kind of integration.

Greater offensive capability, but still prone to errors

The automation was neither complete nor infallible. Anthropic says Claude at times invented credentials or claimed to have obtained secret information that was actually public. These errors, known as hallucinations, still require results to be verified and limit the real-world autonomy of such campaigns.

Even so, the case lowers an important barrier: tasks that once required a large, specialized team can be divided between human operators and a system capable of working continuously. That does not turn just anyone into an advanced attacker, because the operation still requires infrastructure, the expertise to prepare the attack and the ability to exploit its results. But it can expand the scale and speed of operations run by already-organized actors.

Defense also means using AI

Anthropic argues that the same capabilities driving offensive risk are needed for defense. Its threat intelligence team used Claude to analyze the large volume of data generated during the investigation.

For organizations, the immediate lesson is not to outsource security to a chatbot. It is to review what access AI agents have, monitor anomalous use of connected tools and strengthen intrusion detection. The incident also requires model developers to improve systems that detect malicious requests and to share threat signals across companies and with authorities.

The incident shifts the debate from the theoretical possibility of autonomous cyberattacks to a concrete case attributed to a state actor. The question is no longer whether agents can be incorporated into espionage campaigns, but how quickly defenders and providers will be able to detect that use before it reaches more targets.

Share this article

Related articles

Apple v. OpenAI, week 2: what's in the case file and what may come this week
Current Affairs

Apple v. OpenAI, week 2: what's in the case file and what may come this week

After Friday's headlines, the docket in case 5:26-cv-07078 spent its first weekend unchanged: the twelve entries are still the ones from day one. We go through them entry by entry — fees, summonses, an eight-lawyer team — and lay out the four procedural milestones that may land this week: the scheduling order, the first proofs of service, the injunction motion Apple has announced, and the July 24 decision on who judges the case.

3 min
Apple sues OpenAI: the partnership that brought ChatGPT to the iPhone ends up in court
Current Affairs

Apple sues OpenAI: the partnership that brought ChatGPT to the iPhone ends up in court

Apple accuses OpenAI, its hardware chief Tang Tan, engineer Chang Liu and io Products of misappropriating iPhone trade secrets to accelerate its first consumer device. The federal lawsuit, filed in San Jose, brings six claims and seeks injunctions and damages; OpenAI replies that it has "no interest in other companies' trade secrets." The case will test where the line sits between hiring talent and taking confidential know-how in the middle of the AI hardware race.

5 min

This website uses cookies to improve the browsing experience. Cookie policy.