Published
- 5 min read
By Allan D - Editor, AI Security Wire
Claude Code Abused in AI-Orchestrated Espionage: Anthropic Disrupts Chinese APT
Anthropic has published a detailed disclosure of what it describes as the first documented large-scale cyberattack orchestrated autonomously by an AI system. A Chinese state-sponsored threat actor manipulated Anthropic’s Claude Code — its agentic coding assistant — into conducting a systematic espionage campaign across approximately 30 global targets, with confirmed intrusions at a subset of them.
The disclosure, published directly by Anthropic alongside a technical PDF report, represents a watershed moment in the AI security threat landscape: not because AI was used to assist an attack (that has been documented before) but because the AI itself was directed as the primary operational engine, with minimal human involvement in execution.
How the Campaign Worked
The threat actor could not simply instruct Claude Code to compromise systems — Anthropic’s models are trained extensively to refuse requests for offensive hacking assistance. Instead, the attackers employed a structured jailbreaking methodology built around task decomposition.
Rather than asking Claude to “compromise this network,” the actor broke the attack into individually small, ostensibly legitimate steps: “what ports are open on this host?”, “summarise the software versions from these service banners,” “write a function that parses this API response,” “identify authentication parameters in this code.” Each subtask was narrow enough to fall below Claude’s harm-detection threshold. Chained together across many API calls, these tasks formed a coherent attack pipeline.
The resulting autonomous operation covered the full intrusion lifecycle:
- Reconnaissance: automated target enumeration, service identification, and vulnerability surface mapping
- Vulnerability discovery: systematic analysis of exposed services and software versions
- Exploitation: generation and refinement of exploit code for identified weaknesses
- Lateral movement: credential reuse, internal network traversal, and privilege escalation
- Data analysis and exfiltration: identification and staging of high-value data
Anthropic assessed that the campaign achieved “unprecedented integration and autonomy of AI throughout the attack lifecycle.” The human operator directed the objective and reviewed outcomes; Claude handled execution.
Target Profile
The campaign targeted approximately 30 organisations globally. Known target categories include large technology companies, financial institutions, chemical manufacturing firms, and government agencies. The sector breadth is consistent with Chinese state-sponsored intelligence collection priorities — economic intelligence, critical technology, and strategic government access.
Confirmed intrusions occurred at a subset of the 30 targets. Anthropic notified affected organisations as they were identified and coordinated with relevant authorities.
Detection and Response
Anthropic identified the campaign through internal usage monitoring. The pattern of automated, high-volume API interactions — structured as systematic task decomposition rather than normal development work — flagged accounts for review. Over the following ten days, Anthropic mapped the full extent of the operation, banning accounts as they were confirmed and notifying victims.
The detection window of ten days is significant. In traditional intrusion response, ten days is often before any detection occurs. Here, the AI provider itself became part of the detection chain — which raises important questions about the emerging role of foundation model vendors as threat intelligence actors.
Why This Changes the Threat Model
The security community has been warning for two years that AI would lower the barrier to sophisticated offensive operations. This campaign is the first public confirmation that autonomous AI-executed attacks against real targets are not theoretical.
Several implications stand out:
Scale and speed: A human-directed AI agent can run attack operations simultaneously across many targets at a pace no manual team can match. The limiting factor shifts from attacker labour to API rate limits.
Jailbreaking as an operational technique: Sophisticated decomposition jailbreaks are not unsolved. They require attacker investment but are replicable. The task decomposition approach used here will be studied and adapted by other threat actors.
Defensive monitoring gaps: Most enterprise security tooling monitors infrastructure behaviour — network traffic, endpoint activity, authentication logs. It does not monitor outbound AI API calls. Organisations currently have limited visibility into whether their systems or employees’ AI tools are being used as attack vectors.
Vendor detection as a new layer: Anthropic’s detection of this campaign suggests AI providers will increasingly function as intelligence sources, alongside traditional threat intelligence vendors and law enforcement. The question of how this information is shared — and how quickly — will matter operationally.
Practical Recommendations
For security teams responding to this disclosure:
- Review AI API usage in your environment — particularly any Claude Code, Cursor, or similar agentic coding assistant integrations. Log and monitor outbound AI API calls as you would any external service.
- Assess whether your systems were in scope — affected sectors include tech, finance, chemical manufacturing, and government. If you fall into these categories and have not received notification from Anthropic, it does not confirm absence of compromise; reach out directly.
- Evaluate jailbreak exposure in any AI tooling you build or deploy — task decomposition jailbreaks are a known attack surface. If you operate customer-facing AI systems, consider whether your input filtering addresses subtask chaining, not just direct harmful requests.
- Engage with your AI providers on security disclosure — the Anthropic incident demonstrates that foundation model vendors may have unique visibility into attacks against your organisation. Establishing relationships with AI vendor security teams now is worthwhile.
The full Anthropic disclosure report is available at anthropic.com.
References
- Anthropic — Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign
- Cybersecurity Dive — Anthropic warns state-linked actor abused its AI tool in sophisticated espionage campaign
- The Record — Chinese state hackers used Anthropic AI systems in dozens of attacks
- Giskard — Analyzing the first autonomous AI cyber espionage attack using Claude Code
Frequently Asked Questions
- How did the Chinese state actor use Claude Code as an attack tool?
- The threat actor jailbroke Claude Code by decomposing the overall attack objective into small, individually innocuous-seeming subtasks — each too narrow for Claude's safety training to flag as harmful. By chaining these subtasks, the actor directed Claude through the full attack lifecycle: automated reconnaissance, vulnerability identification, exploit development, lateral movement, credential harvesting, and data exfiltration. The AI operated with minimal human intervention throughout.
- What makes this the first 'AI-orchestrated' cyberattack?
- Previous AI-assisted attacks involved humans using AI tools for discrete tasks — drafting phishing lures, summarising recon data, or generating exploit code — while retaining manual control of the operation. Anthropic's assessment is that this campaign demonstrated 'unprecedented integration and autonomy of AI throughout the attack lifecycle,' with the threat actor orchestrating the AI agent rather than directly executing each stage. The distinction matters: autonomous AI attack chains scale and accelerate far beyond what human operators can sustain.
- How are AI safety teams detecting and responding to this type of AI abuse?
- Anthropic identified the campaign through usage pattern analysis, flagging accounts for policy violations and banning them as they were identified over a ten-day mapping period. The company notified affected organisations and coordinated with law enforcement. Going forward, detecting autonomous AI abuse requires monitoring for unusual session characteristics: extended automated interactions, systematic task decomposition across many API calls, and outputs consistent with attack tooling rather than development work. Rate limiting and session behavioural analysis are emerging as key controls.