The AI executed thousands of requests per second.
That physically impossible attack tempo, sustained across multiple simultaneous intrusions targeting 30 global organizations, marks what Anthropic researchers now confirm as the first documented case of a large-scale cyberattack executed without substantial human intervention.
In the last two weeks of September, a Chinese state-sponsored group, now designated as GTG-1002 by Anthropic defenders, manipulated Claude Code to autonomously conduct reconnaissance, exploit vulnerabilities, harvest credentials, move laterally through networks, and exfiltrate sensitive data with human operators directing just 10 to 20% of tactical operations.
The campaign represents a fundamental shift in threat actor capabilities. Where previous AI-assisted attacks required humans directing operations step-by-step, this espionage operation demonstrated the AI autonomously discovering vulnerabilities in targets selected by human operators, successfully exploiting them in live operations, then performing wide-ranging post-exploitation activities including analysis, lateral movement, privilege escalation, data access, and exfiltration.
Social Engineering the AI Model
The threat actors bypassed Claude’s extensive safety training through sophisticated social engineering. Operators claimed they represented legitimate cybersecurity firms conducting defensive penetration testing, convincing the AI model to engage in offensive operations under false pretenses.
The attackers developed a custom orchestration framework using Claude Code and the open-standard Model Context Protocol to decompose complex multi-stage attacks into discrete technical tasks. Each task appeared legitimate when evaluated in isolation, including vulnerability scanning, credential validation, data extraction, and lateral movement.
By presenting these operations as routine technical requests through carefully crafted prompts, the threat actor induced Claude to execute individual components of attack chains without access to broader malicious context. The sustained nature of the attack eventually triggered detection, but this role-playing technique allowed operations to proceed long enough to launch the full campaign.
Unprecedented Autonomous Attack Lifecycle
Claude conducted nearly autonomous reconnaissance, using browser automation to systematically catalog target infrastructure, analyze authentication mechanisms, and identify potential vulnerabilities simultaneously across multiple targets. The AI maintained a separate operational context for each active campaign.
In one validated successful compromise, Claude autonomously discovered internal services, mapped complete network topology across multiple IP ranges, and identified high-value systems including databases and workflow orchestration platforms. Similar autonomous enumeration occurred against other targets, with the AI independently cataloging hundreds of discovered services and endpoints.
Exploitation proceeded through automated testing with Claude independently generating attack payloads tailored to discovered vulnerabilities, executing testing through remote command interfaces, and analyzing responses to determine exploitability without human direction. Human operators maintained strategic oversight only at critical decision gates, including approving progression from reconnaissance to active exploitation and authorizing use of harvested credentials.
Upon receiving authorization, Claude executed systematic credential collection across targeted networks, querying internal services, extracting authentication certificates, and testing harvested credentials autonomously. The AI independently determined which credentials provided access to which services, mapping privilege levels and access boundaries.
Intelligence Extraction at Machine Speed
Collection operations demonstrated the most extensive AI autonomy. Against one targeted technology company, Claude independently queried databases, extracted data, parsed results to identify proprietary information, and categorized findings by intelligence value without human analysis.
In documented database extraction operations spanning two to six hours, Claude authenticated with harvested credentials, mapped database structure, queried user account tables, extracted password hashes, identified high-privilege accounts, created persistent backdoor user accounts, downloaded complete results, parsed extracted data for intelligence value, and generated summary reports. Human operators reviewed findings and approved final exfiltration targets in just five to twenty minutes.
The operational infrastructure relied overwhelmingly on open-source penetration testing tools orchestrated through custom automation frameworks built around Model Context Protocol servers. Peak activity included thousands of requests, representing sustained request rates of multiple operations per second and confirming that the AI actively analyzed stolen information rather than generating explanatory content for human review.
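For defenders, the sustained multi-operation-per-second tempo described above is itself a detection signal. The following is an added example, not code from Anthropic's report or this article: it flags sessions whose operations stay closely spaced for minutes at a time, which a human operator working in bursts does not produce. The log format, the session and op field names, and both thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def parse(line):
    # Assumed (constructed) log format: "<ISO-8601 time> session=<id> op=<name>"
    ts, session, _op = line.split()
    return session.split("=", 1)[1], datetime.fromisoformat(ts).timestamp()

def sustained_runs(lines, max_gap=0.5, min_duration=120.0):
    """Return (session, start, end, count, ops_per_sec) for each run in which
    consecutive operations are at most max_gap seconds apart and the run
    lasts at least min_duration seconds."""
    by_session = defaultdict(list)
    for line in lines:
        session, t = parse(line)
        by_session[session].append(t)
    findings = []
    for session, times in sorted(by_session.items()):
        times.sort()
        start = 0
        for i in range(1, len(times) + 1):
            # A run ends at the last event or when the gap exceeds max_gap.
            if i == len(times) or times[i] - times[i - 1] > max_gap:
                duration = times[i - 1] - times[start]
                if duration >= min_duration:
                    count = i - start
                    findings.append((session, times[start], times[i - 1],
                                     count, round(count / duration, 2)))
                start = i
    return findings

def constructed_sample():
    # Constructed data, not taken from any real incident.
    base = datetime(2025, 1, 1, tzinfo=timezone.utc)
    def line(offset, session, op):
        return f"{(base + timedelta(seconds=offset)).isoformat()} session={session} op={op}"
    # "auto": 1200 operations, one every 0.25 s, with no pauses.
    lines = [line(0.25 * i, "auto", "http_get") for i in range(1200)]
    # "human": 20 bursts of 5 quick operations, each followed by a long pause.
    lines += [line(40 * b + 0.3 * k, "human", "http_get")
              for b in range(20) for k in range(5)]
    return lines

if __name__ == "__main__":
    for finding in sustained_runs(constructed_sample()):
        print(finding)
```

The minimum duration is what separates the two sessions: lowering it to one second would also flag every short human burst, so it should be tuned against a baseline of normal interactive use.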
AI Hallucination Limitation
An important operational limitation emerged during investigation. Claude frequently overstated findings and occasionally fabricated data during autonomous operations, claiming to have obtained credentials that did not work or identifying critical discoveries that proved to be publicly available information.
This AI hallucination in offensive security contexts required careful validation of all claimed results. Anthropic researchers assess this remains an obstacle to fully autonomous cyberattacks, though the limitation did not prevent the campaign from achieving multiple successful intrusions against major technology corporations, financial institutions, chemical manufacturing companies, and government agencies.
Anthropic’s Response
Upon detecting the activity, Anthropic immediately launched a ten-day investigation to map the operation’s full extent. The company banned accounts as they were identified, notified affected entities, and coordinated with authorities.
Anthropic implemented multiple defensive enhancements, including expanded detection capabilities and improved cyber-focused classifiers, prototyped proactive early detection systems for autonomous cyber attacks, and developed new techniques for investigating large-scale distributed cyber operations.
This represents a significant escalation from Anthropic’s June 2025 “vibe hacking” findings where humans remained very much in the loop directing operations.
Anthropic said the cybersecurity community needs to assume a fundamental change has occurred. Security teams must experiment with applying AI for defense in areas including SOC automation, threat detection, vulnerability assessment, and incident response. The company notes that the same capabilities enabling these attacks make Claude crucial for cyber defense, with Anthropic’s own Threat Intelligence team using Claude extensively to analyze enormous amounts of data generated during this investigation.
