Anthropic reports that Chinese state-sponsored actors used its Claude AI to run an automated cyber espionage campaign, signaling a new era of AI-driven threats.
US AI company Anthropic, the creator behind Claude AI, has published a report accusing Chinese state-sponsored actors of using its artificial intelligence tools to conduct automated cyber espionage campaigns against various targets, including US organisations. The report details what the team describes as an unprecedented operation leveraging AI capabilities to execute attacks with minimal human intervention.
According to Anthropic's claims, hackers allegedly associated with Chinese state interests manipulated their Claude Code tool to target approximately thirty global organisations, including tech companies, financial institutions, and government agencies. The campaign, which they detected in September and subsequently disrupted, reportedly operated with minimal human supervision, with estimates suggesting between eighty to ninety percent of malicious activities were executed autonomously by the AI systems.
Anthropic alleges that attackers circumvented its safety protocols by tricking Claude Code into believing it was assisting a legitimate cybersecurity firm conducting defensive testing. They apparently broke down malicious requests into smaller, seemingly innocuous tasks to avoid triggering the system's guardrails. Once bypassed, the AI was allegedly able to perform reconnaissance, identify valuable databases, generate exploit code, and extract sensitive data with minimal human oversight.
What particularly concerns cybersecurity experts is the speed and scale at which these operations reportedly occurred. Anthropic claims the AI made thousands of requests per second, a velocity that human hackers simply couldn't match. While the AI apparently made some errors, including fabricating credentials and claiming to have accessed information that was already public, the company suggests several breaches were successful.
It's important to note that while Anthropic says it assesses with "high confidence" that the attackers were Chinese state-sponsored, such attributions in cybersecurity cases often involve some degree of uncertainty. Cyber operations of this nature typically employ sophisticated techniques to obscure their origins, routing traffic through proxies and compromised infrastructure across multiple jurisdictions. Attribution remains one of the most contentious aspects of cybersecurity analysis, and even well-resourced intelligence agencies can get it wrong.
The implications of this alleged campaign extend beyond this single incident. As AI models become more capable and autonomous, they may lower the barrier for conducting sophisticated cyber operations, potentially allowing even less skilled actors to execute attacks that previously required extensive expertise. The agentic capabilities described in this campaign, where AI can independently chain together tasks and make decisions with only occasional human input, represent what could be a fundamental shift in the threat landscape.
For organisations already struggling to keep pace with evolving security demands, this development adds another layer of complexity. Traditional security operations centres were built around assumptions of human-speed attacks. Defending against autonomous systems that can probe thousands of potential vulnerabilities simultaneously demands new approaches, including AI-powered defensive tools that can match the speed and scale of the threats they face.
Anthropic has stated it is expanding its detection capabilities and developing better classifiers to flag malicious activity. The company's willingness to disclose this incident publicly is notable, as it signals a degree of transparency that the broader AI industry has not always demonstrated. Whether other AI providers have experienced similar attempts remains an open question, though given the incentive structures involved, it would be naive to assume this is isolated.
However, as this incident suggests, the evolving relationship between AI and cybersecurity may present new challenges for organisations worldwide. Whether this accusation proves accurate or not, it highlights growing concerns about how artificial intelligence might be weaponised in increasingly sophisticated ways. The companies building these systems now face dual pressures: making their tools powerful enough to compete in a crowded market while ensuring those same capabilities cannot be turned against the people they were designed to help. How well they balance those competing demands may shape the next decade of digital security.
