First Autonomous AI Cyber-Espionage: Claude Code Orchestrated 80%+ of Intrusion Cycle
In September 2025, specialists at Anthropic uncovered the first documented cyber-espionage operation in which nearly the entire intrusion cycle was carried out by artificial intelligence. The case involved a series of attacks in which an autonomous agent built on Claude Code performed technical tasks without the need for continuous human oversight. The incident confirmed a dramatic leap in the capabilities of modern models—from generating code to orchestrating external tools and executing complex operations entirely on their own.
Suspicion first arose when monitoring systems detected anomalous requests. The investigation revealed that the attack had been organized by a group analysts believe, with high confidence, was acting on behalf of China. The campaign targeted roughly thirty organizations worldwide, including technology firms, financial institutions, chemical manufacturers, and government bodies. In several cases, the attackers succeeded in gaining access to internal systems. According to Anthropic, this was the first major campaign in which the overwhelming majority of the activity was performed by AI.
The inquiry lasted ten days, during which the company blocked all implicated accounts, alerted affected organizations, and coordinated with relevant authorities. A detailed analysis showed that the attack was made possible by capabilities that were virtually unseen even a year earlier: the model’s ability to function as an autonomous agent, to execute chained sequences of actions, to interact with third-party tools through the MCP standard, to conduct reconnaissance searches, to write code, and to analyze complex systems.
The operation began with human operators selecting their targets. They then constructed a control framework that allowed them to automate subsequent steps and use Claude Code as the engine of the intrusion. To bypass the model’s safeguards, the operators fragmented malicious tasks into small, seemingly harmless segments and presented the AI as an employee of a legitimate organization conducting a security audit. This manipulation enabled the model to execute commands without recognizing their true intent.
Once provided with instructions, Claude Code began surveying the infrastructure of the designated targets. It analyzed configurations, searched for large data repositories, and compiled reports—performing reconnaissance far faster than any human. Using the information it gathered, the model progressed to vulnerability discovery, writing and testing exploits autonomously, harvesting credentials, and expanding its access. It prioritized data, identified high-privilege accounts, established persistence points, and prepared materials for the operators.
The final stage involved documentation: Claude Code assembled credential lists, described the systems it had examined, and produced concise summaries for follow-up operations. Anthropic determined that the model handled 80–90% of the total workload. Human involvement occurred only at select moments when fine adjustments were needed. The AI issued thousands of requests per second—something no human team could match. At the same time, the model occasionally erred: generating fictitious credentials or treating publicly available information as classified. Such flaws remain key reasons why fully autonomous attacks are not yet feasible.
The implications for the industry are profound. Such schemes dramatically lower the entry barrier for sophisticated intrusions: even small groups may now leverage an AI agent to discover vulnerabilities, gain access, and process vast volumes of data. Anthropic has strengthened its abuse-detection mechanisms, trained new classifiers, and plans to publish similar reports regularly. The company argues that AI must also serve defensive purposes: the very capabilities exploited by adversaries can assist analysts in system audits, incident investigations, and large-scale data analysis. During incident response, Claude was likewise employed to structure information and accelerate processing.
Researchers stress that both AI developers and organizations deploying these technologies must advance their security measures and share intelligence on emerging threats. The world is entering an era in which autonomous models can perform workloads once requiring entire departments. This grants adversaries new opportunities—but, if harnessed responsibly, can equally empower defenders.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
