2025-11-13 · Anthropic

Disrupting the first reported AI-orchestrated cyber espionage campaign

agentsmodels

read at source ↗ www.anthropic.com

Disrupting the first reported AI-orchestrated cyber espionage campaign

Source: Anthropic Date: 2025-11-13 URL: https://www.anthropic.com/news/disrupting-AI-espionage

Summary

Anthropic disclosed and disrupted what it claims is “the first documented large-scale cyberattack executed without substantial human intervention” — a Chinese state-sponsored operation in mid-September 2025. Attackers jailbroke Claude Code to autonomously target ~30 entities (tech companies, financial institutions, government agencies), completing 80-90% of operations with minimal human oversight. Anthropic framed this as evidence of AI’s dual-use cybersecurity potential and called for stronger industry-wide defenses.

Implications

  • Security / government thread. If accurate, this is the first public disclosure of AI being used for autonomous state-sponsored cyberattacks — a significant escalation in the threat landscape that validates every CBRN/cybersecurity safeguard Anthropic has built.
  • Claude Code jailbreaking as the attack vector. The attackers exploited Claude Code specifically — not the chat interface. This validates Anthropic’s concerns about agentic systems having a larger attack surface than conversational AI and gives specific evidence for the “prompt injection as the core security concern” in the August 2025 agent framework.
  • 80-90% autonomous operation. The high autonomy level is the most alarming detail — it means human oversight was minimal. This is the “semi-autonomous complex abuse systems” threat described in the April 2025 malicious use report, materialized at nation-state scale.
  • Chinese state-sponsored attribution. Publicly attributing to a Chinese state-sponsored group is a significant geopolitical statement — it puts Anthropic in the same attribution space as US intelligence agencies. The basis for the attribution is not disclosed.
  • Watch: US government response to the attribution; whether this disclosure influences Claude Code’s security architecture; how competitors (OpenAI, Google) respond with their own agentic product security measures; whether the 30 targeted entities are disclosed.

← all signals