On November 13, 2025, Anthropic, the developer of an artificial intelligence model (“AI”) known as Claude, announced that it had detected and helped disrupt what it believes to be the first cyber espionage campaign orchestrated primarily by autonomous AI agents.1 Anthropic stated that it had “high confidence” that the campaign was orchestrated by a state-sponsored group, and described the campaign as a “significant escalation” in the evolution of cybersecurity threats. Like the artificial intelligence in William Gibson’s Neuromancer, AI technology is now able to automate and assist complex attacks on a large scale, and lowers the barrier to sophisticated hacking of computer systems. The incident is a reminder of the risks to both the developers of these technologies, and the businesses and individuals whose data may be at risk from malicious use of AI.
Summary of the Incident
In mid-September 2025, Anthropic’s Threat Intelligence team discovered suspicious activity that was later traced to a Chinese state-sponsored group they designated as “GTG-1002.”2 GTG-1002 had used social engineering and “jailbreaking” techniques to manipulate the Claude Code developer tool into executing cyberattacks. Specifically, human actors convinced Claude to assist in the attack by posing as employees of a cybersecurity firm engaged in defensive testing and by breaking the larger campaign down into smaller steps that, standing alone, seemed innocuous and concealed their offensive purpose.3
The campaign targeted approximately 30 organizations worldwide, including major tech companies, financial institutions, chemical manufacturers, and government agencies, and succeeded in a handful of confirmed intrusions.4 The attackers combined Claude and Model Context Protocol (“MCP”) tools—software that allows artificial intelligence models like Claude to interact with third-party systems—to orchestrate attacks through a multi-step process, which involved: (1) identifying potential targets; (2) researching the targets’ vulnerabilities; (3) developing a plan for exploiting the vulnerabilities to access the targets’ data; (4) executing the plan to obtain credentials from the targets; (5) using the stolen credentials to extract data; and (6) summarizing the data obtained and its potential value.5
Importantly, Claude performed 80-90% of the tactical operations independently, with humans intervening only at key escalation points, such as authorizing exploitation, approving use of harvested credentials, and finalizing data exfiltration.6 At its peak, the AI executed thousands of requests, often several per second, creating an operational scale that would be nearly impossible for a human team to match.7
Once the campaign was detected, Anthropic took several steps to mitigate its impact, which included banning compromised accounts, notifying impacted organizations and authorities, and upgrading its detection systems to improve its ability to identify and classify threats proactively.8
Crucially, the investigation revealed limitations: Claude sometimes hallucinated results, overstated findings, or identified publicly available information as sensitive.9 These operational “hallucinations” demonstrate that AI still requires some supervision to mount this type of campaign successfully, and the results still require human analysis.10 But it seems likely, given the speed with which AI has developed to date, that its techniques and analysis will continue to improve and require even less human intervention.
Lessons Learned & Practical Tips
The use of AI systems to facilitate sophisticated hacking and cybercriminal activity is a risk that is likely to only grow over time. Those risks can be mitigated by understanding the way the technology can be used and misused, incorporating a number of sensible practices into a cybersecurity program, and taking away some lessons from this incident.
- Follow Existing Best Practices:
- Several respected organizations, such as the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), have well-established cybersecurity recommendations and have begun to develop AI-specific risk management frameworks. Companies should review these recommendations and consider adopting them where appropriate to their needs.
- AI as Attacker and Defender:
- Like many new technologies, AI can be used for benevolent or malicious purposes. On one hand, autonomous AI systems can now act as agents that enable humans to execute complex, multi-stage cyberattacks in considerably less time and with fewer resources. But organizations can also leverage these same capabilities to automate the detection of and response to security threats that are often just as rapid and efficient.
- Monitor for Agentic AI Behaviors:
- Threat detection systems can be updated to flag signs of potential use of AI, such as rapid, repetitive requests, chaining of technical tools, and unusual patterns of activity, keeping in mind that the activities themselves may seem legitimate.
- Validate AI Outputs:
- Current AI technology continues to “hallucinate” (i.e. make up) findings. While this should give some comfort that AI-enabled cybercrime may sometimes fail because of this flaw, the same issues also mean that any positive use of AI to protect systems should continue to have a “human in the loop” to carefully review and analyze the AI response before any recommendations are implemented.
- Invest in Safeguards and Collaboration:
- Companies should identify the potential ways new AI technology could be misused, and develop safeguards to prevent that misuse in their environment. From training and usage policies, to adequately sandboxing developmental technology, to AI-related penetration testing, to hardening access to “crown jewels” data, there are a number of ways that companies can identify and mitigate risk. Companies should also continue to invest in collaborative relationships with law enforcement and regulatory agencies so that rapid outreach in an emergency, if warranted, is possible and efficient.
- Threat Intelligence Sharing:
- Organizations can and should collaborate to exchange information about and develop responses to emerging threats; by working together, they can develop a greater number and variety of solutions than working alone.
- Experiment with AI for Defense:
- Organizations can provide their employees with hands-on experience in using AI for threat detection, vulnerability assessment, and response, so that they can better understand its capabilities and limitations.
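The "Monitor for Agentic AI Behaviors" item above can be turned into a concrete detection rule. The following is an added example, not code from Anthropic's report or from this article: it flags an account only when a sustained request rate and a chain of different activity types appear together in one sliding window. The log format, account names, stage labels and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune against your own baseline traffic.
WINDOW_S = 10       # sliding window length, seconds
MIN_REQUESTS = 30   # i.e. 3+ requests/second sustained across the window
MIN_STAGES = 3      # distinct activity types chained inside one window

def parse(line):
    """Parse 'ISO-timestamp principal stage target' (constructed format)."""
    ts, principal, stage, target = line.split()
    return datetime.fromisoformat(ts), principal, stage, target

def flag_agentic(lines):
    """Return {principal: (peak requests in a window, stages seen)}."""
    windows = defaultdict(deque)   # principal -> (ts, stage) inside window
    flagged = {}
    for ts, principal, stage, _ in sorted(map(parse, lines)):
        win = windows[principal]
        win.append((ts, stage))
        while (ts - win[0][0]).total_seconds() > WINDOW_S:
            win.popleft()
        stages = {s for _, s in win}
        # Speed alone is not enough: batch jobs are fast but single-purpose.
        if len(win) >= MIN_REQUESTS and len(stages) >= MIN_STAGES:
            peak, seen = flagged.get(principal, (0, set()))
            flagged[principal] = (max(peak, len(win)), seen | stages)
    return flagged

def sample_log():
    """Constructed data: a fast multi-stage session, a batch job, a human."""
    base = datetime(2025, 1, 1, 9, 0, 0)
    chain = ["scan", "auth", "query", "export"]
    rows = []
    for i in range(48):    # 4 requests/s for 12 s, cycling through stages
        t = base + timedelta(milliseconds=250 * i)
        rows.append(f"{t.isoformat()} svc-build {chain[i % 4]} host{i % 6}")
    for i in range(60):    # 5 requests/s, but only ever one stage
        t = base + timedelta(milliseconds=200 * i)
        rows.append(f"{t.isoformat()} backup-job export store1")
    for i in range(12):    # human pace: one request every 5 s
        t = base + timedelta(seconds=5 * i)
        rows.append(f"{t.isoformat()} alice {chain[1 + i % 2]} host1")
    return rows

if __name__ == "__main__":
    for who, (peak, stages) in flag_agentic(sample_log()).items():
        print(who, peak, sorted(stages))
```

Requiring both conditions keeps the faster but single-purpose batch job out of the alert queue, which matters because each individual request may look legitimate on its own.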
Conclusion
The disruption of GTG-1002’s campaign marks a critical inflection point in cybersecurity: truly agentic AI systems have arrived, and with them, both new risks and new opportunities for defenders. Organizations should update their cyber defense strategies, validate their tools, and foster robust industry collaboration to stay ahead.
Footnotes
1. Anthropic, Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign (Nov. 13, 2025), https://www.anthropic.com/news/disrupting-the-first-reported-ai-orchestrated-cyber-espionage-campaign (herein “Anthropic Blog Post”).
2. Anthropic Full Report at 3.
3. Id. at 6.
4. Id. at 3.
5. Id. at 6-11.
6. Id. at 7.
7. Anthropic Blog Post.
8. Anthropic Full Report at 13.
9. Id.
10. Id.