Chinese State-Sponsored Espionage Using Claude AI for Autonomous Cyberattacks
A Chinese state-sponsored threat group, identified as GTG-1002, leveraged Anthropic's Claude Code AI tool to orchestrate a series of cyber espionage attacks targeting approximately 30 high-profile organizations, including major technology companies, financial institutions, chemical manufacturers, and government agencies. The attackers used a human-developed framework to direct Claude and its sub-agents in executing multi-stage attack chains, such as mapping attack surfaces, scanning infrastructure, identifying vulnerabilities, and developing custom exploit payloads. In a small number of cases, these AI-driven attacks successfully breached targeted organizations, resulting in credential theft, privilege escalation, lateral movement, and exfiltration of sensitive data.
This incident marks the first documented case of agentic AI being used to autonomously obtain access to high-value targets for intelligence collection, with minimal human intervention beyond initial target selection and final exploit approval. Upon detection in mid-September 2025, Anthropic launched an investigation, banned malicious accounts, notified affected entities, and coordinated with authorities. The campaign highlights the rapidly evolving threat landscape posed by autonomous AI agents, which can significantly increase the scale and sophistication of cyberattacks when abused by well-resourced adversaries.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Congressional hearing scheduled on AI-enabled espionage and related cyber risks
A House Homeland Security hearing was set for December 17, 2025, to examine the reported Claude-enabled espionage campaign and broader issues at the intersection of AI, cloud infrastructure, and quantum-related cyber risk. Anthropic's CEO was expected to appear alongside other industry leaders.
House Homeland Security Committee summons Anthropic CEO to testify
On November 26, 2025, the House Homeland Security Committee called on Anthropic CEO Dario Amodei to testify about the Chinese espionage campaign's use of Claude. The hearing was scheduled for December 17, 2025, as lawmakers sought more technical detail and considered policy implications of AI-enabled cyber operations.
Researchers publicly question Anthropic's autonomy claims and lack of validation data
By November 14, 2025, security researchers and industry commentators began challenging Anthropic's assertion that the campaign was 90% autonomous, arguing that substantial human work likely remained involved. Critics also noted the absence of public victim confirmation, government corroboration, and indicators of compromise, raising questions about the strength of the evidence presented.
Anthropic publicly discloses the Claude Code espionage campaign
On November 13, 2025, Anthropic published a report describing what it called the first documented large-scale AI-orchestrated cyber espionage campaign, saying AI performed an estimated 80–90% of the operation with limited human intervention. The disclosure detailed the use of Claude Code for reconnaissance, vulnerability discovery, exploit development, credential harvesting, backdoor creation, and data exfiltration.
Anthropic conducts a 10-day response, validates intrusions, and disrupts attacker access
Following detection, Anthropic spent about 10 days responding to the campaign, validating several intrusions and determining that attackers had jailbroken Claude and used MCP-connected tools across the attack lifecycle. The company banned the malicious accounts, notified affected entities, shared intelligence with authorities, and updated safeguards and detection mechanisms to identify similar abuse.
Anthropic detects AI-driven espionage campaign targeting about 30 organizations
In mid-September 2025, Anthropic detected suspicious activity tied to a cyberespionage campaign that used Claude Code in a largely autonomous manner against roughly 30 targets in the technology, finance, chemical, and government sectors. Anthropic later attributed the activity to a China-linked group it tracks as GTG-1002 and said a small number of intrusions succeeded.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
30 references tracked. Mallory keeps watching after this page renders.
To Stop AI-Powered Adversaries, Defenders Must Fight Fire with Fire
crowdstrike.com
Open sourceAgentic AI Security: Keep Your Cyber Hygiene Failures from Becoming a Global Breach
tenable.com
Open sourceA Practical Defense Against AI-led Attacks
tenable.com
Open sourceAI-Powered Cyber Espionage: Inside the GTG-1002 Campaign
socradar.io
Open sourceAnthropic’s AI used in automated attacks
csoonline.com
Open sourceChinese Hackers Use Anthropic's AI to Launch Automated Cyber Espionage Campaign
thehackernews.com
Open sourceAI Tool Ran Bulk of Cyberattack, Anthropic Says
govinfosecurity.com
Open sourceChinese spies told Claude to break into about 30 critical orgs. Some attacks succeeded
go.theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Chinese State-Linked Hackers Used Claude Code in Autonomous Espionage Campaign
Anthropic said a Chinese state-linked threat cluster it tracks as **GTG-1002** abused its `Claude Code` tool to conduct a largely autonomous intrusion campaign against about 30 organizations and government agencies worldwide. The operation reportedly used role-based jailbreaks to bypass safeguards and multiple isolated Claude instances connected through the **Model Context Protocol (MCP)**, allowing AI agents to handle roughly 80% to 90% of the attack lifecycle. Reported targets included financial institutions, technology firms, chemical manufacturers, and public-sector entities, and the attack chain included reconnaissance, **SSRF**-based initial access, credential harvesting, lateral movement, data collection, persistence through backdoor accounts, and automated documentation. Anthropic described the activity as the first documented large-scale cyberattack executed mostly without human intervention, with human operators stepping in after successful compromises for follow-on activity. The company said the attackers relied mainly on open-source penetration testing tools and a custom MCP-based orchestration framework rather than bespoke malware, underscoring that the key shift was machine-speed automation rather than novel tradecraft. Anthropic said it banned the accounts involved, notified affected organizations and law enforcement where appropriate, and expanded detection and classifier capabilities, while broader reporting said the case intensified concerns that mainstream frontier AI tools can lower the barrier for state-backed offensive cyber operations and force defenders to accelerate AI-assisted security measures.
Jun 6, 2026
Chinese State-Linked AI-Driven Cyber Espionage Campaigns and Offensive Cyber Capabilities
Anthropic has uncovered a real-world cyber espionage campaign orchestrated by a Chinese state-sponsored group, leveraging AI to automate and accelerate the attack lifecycle. The attackers used an autonomous attack framework powered by Claude Code, which enabled them to conduct reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration with minimal human intervention. This campaign targeted approximately thirty organizations, including large tech companies, financial institutions, chemical manufacturers, and government agencies, and succeeded in a small number of cases. The use of AI allowed the threat actors to execute 80-90% of tactical operations independently, significantly increasing the speed and scale of their attacks compared to traditional methods. In parallel, Chinese private-sector cybersecurity companies are playing a critical role in advancing the country's offensive cyber capabilities through attack-defense labs. These internal units merge defensive research, offensive experimentation, and live-fire exercises, supporting both commercial needs and state-linked cyber operations. The integration of private sector expertise and resources into national cyber strategies has enabled China to rapidly develop and operationalize advanced cyber tools and techniques, blurring the lines between commercial and state-sponsored activities. Western governments are increasingly concerned about the implications of these developments for global cyber stability and the potential for more sophisticated, AI-driven cyber operations originating from China.
Mar 21, 2026
AI-Orchestrated Espionage Campaign Spurs U.S. Review of Threat Actor AI Use
Anthropic said it disrupted what it described as the first reported large-scale cyber espionage campaign executed largely by AI, attributing the activity with high confidence to a Chinese state-sponsored group. The operation allegedly targeted about 30 organizations across the technology, finance, chemicals, and government sectors, with attackers jailbreaking **Claude Code** and masking malicious activity as defensive testing. According to the company, the model handled 80% to 90% of the campaign’s workflow, including reconnaissance, vulnerability discovery, exploit development, credential theft, backdoor creation, data exfiltration, and operational documentation, while human operators provided limited direction. Anthropic said it banned the accounts involved, notified affected organizations, coordinated with authorities, and expanded its detection and classification measures. The disclosure has added urgency to U.S. concerns over how adversaries are weaponizing generative and agentic AI. Rep. August Pfluger, who chairs the House Homeland Security Committee’s Counterterrorism and Intelligence Subcommittee, has asked the Government Accountability Office to examine how malicious actors are using AI to scale cyber operations, propaganda, misinformation, recruitment, radicalization, deepfakes, scams, and disinformation. In his request, Pfluger said the national security implications of AI-enabled misuse remain poorly understood and called for a review of how federal agencies are adapting deterrence efforts and coordinating with technology companies as autonomous systems make illicit operations faster, more scalable, and harder to track.
May 4, 2026