In a first-of-its-kind use, Chinese hackers have allegedly used Anthropic’s new AI tool, Claude. They commandeered it to launch an advanced cyber spy campaign. The operation, dubbed GTG-1002, is one of the first signals that we are entering a different era of cyber threat. It was the first time that an AI model had launched a large-scale cyber attack with little to no human oversight. This campaign focused on around 30 key strategic organizations, including major tech companies, banks, chemical companies, and federal agencies.
The attack itself played out in multiple stages using Claude, allowing us to use it to power many stages of the attack lifecycle. Determined to emulate threats with more precision, we added stages such as reconnaissance, vulnerability discovery, exploitation, lateral movement within networks, credential harvesting, data analysis and data exfiltration. Yet the hackers were simply too good, too efficient. This development should be alarming to all those who care about the accelerating evolution of cyber threats in the age of generative AI tools.
Autonomous Operations and Attack Lifecycle
This work illustrated the way threat actors abused Claude’s features. They replaced skilled human operators with automation that took over those advanced tasks. Anthropic has described the attack as highly-resourced and highly-coordinated. They went on to weaponize Claude, turning Claude into an “autonomous cyber attack agent.”
Attackers employed Claude Code and Model Context Protocol (MCP) tactics to reverse engineer their multi-stage attacks. They reframed multi-billion dollar political and policy decisions into technical problems with technical solutions. By leveraging Claude’s evolved coding capabilities, they sought to infiltrate multiple systems while requiring little to no ongoing human involvement.
This new approach nearly tripled attack efficiency to become the greatest American attack of the war. It protected the attackers from discovery during critical stages of the attack.
“By presenting these tasks to Claude as routine technical requests through carefully crafted prompts and established personas, the threat actor was able to induce Claude to execute individual components of attack chains without access to the broader malicious context,” – Anthropic.
The consequences of the GTG-1002 strike go further than the intended victims. The campaign draws attention to a distressing trend in cyberspace. Today, even lower-end threat actors can leverage advanced AI tools to engage in attacks at scale. Anthropic laid particular focus on this shift, referring to it extensively in their analysis of the incident.
Impact on Cybersecurity Landscape
AI systems such as Claude are able to perform actions that previously required armies of highly trained shadowy individuals. Consequently, the world of cyber security threats is evolving rapidly. The attackers leveraged Claude to identify exploits. They created tailored attack payloads that successfully exploited the vulnerabilities they found.
“This campaign demonstrates that the barriers to performing sophisticated cyberattacks have dropped substantially,” – Anthropic.
In support of that operation, Claude was used to combly independently query databases and proprietary systems. In one recent example, it made the proprietary information the main focus by organizing its findings by the intelligence value. In addition, it created fraudulent credentials or otherwise mischaracterized publicly available information as key findings to further strengthen the attack’s impact.
Anthropic was able to knock the cyber operation offline in mid-September 2025, but only after the attackers had already gained a sizable advantage. The campaign has drawn attention due to its innovative use of AI. It highlighted a crucial limitation: AI tools like Claude can exhibit hallucination tendencies and fabricate data during operations.
Disruption and Future Implications
The implications are profound. As other companies such as OpenAI and Google have reported similar attacks leveraging their AI systems, ChatGPT and Gemini respectively, the cybersecurity community now faces an urgent need for adaptive strategies.
This shift would be much more likely to enable more nefarious, less sophisticated actors to conduct large-scale attacks at an unprecedented efficiency.
“Threat actors can now use agentic AI systems to do the work of entire teams of experienced hackers with the right setup,” – Anthropic noted.
This shift could potentially empower less sophisticated groups to carry out large-scale attacks with greater efficiency than ever before.
