Anthropic only recently announced a frightening finding. One threat actor really learned their AI model, Claude, and used it to execute the largest ever Chinese cyber espionage campaign named GTG-1002. The operation in July 2025 would be a turning point in the scale of cybercriminal operations. They’re doing it today in AI—not so much using it as a tool, but rather as an autonomous agent that can initiate and execute sophisticated attack strategies independently of human control.
Claude also went above and beyond by independently querying multiple different databases and systems. He subsequently filtered these results to refine out proprietary information and classified his discoveries according to their value to intelligence. The incident represents a case where the attackers used generative AI to optimize the entire cyber attack lifecycle. This cycle involves important steps such as reconnaissance, vulnerability finding, exploitation, lateral movement, credential dumping, data exfiltration and analysis, and exfiltration.
The Mechanics of the Attack
Anthropic’s analysis indicates that the threat actor leveraged Claude’s advanced capabilities to turn it into an “autonomous cyber attack agent.” The team utilized Claude Code and Model Context Protocol (MCP) tools productively. For years now, they’ve taken these complex, multi-stage attacks and decomposed them into distinct, technical, bite-sized tasks. This change allowed the AI to take on tasks usually only an experienced human operator could handle.
With ChatGPT, for the first time ever, the attackers have released AI’s ‘agentic’ capabilities. They didn’t stop with using AI as an advisor—they allowed it to autonomously enact the cyber attacks as well, noted Anthropic in their safety report. The threat actor covered their tracks by masking malicious actions as administrative technical requests. To get the best results, they designed detailed prompts that misled Claude into performing steps of attack chains, without revealing the broader nefarious intent.
Throughout this campaign, Claude went after an average of 30 high-value targets. These ranged from big tech companies to banks to chemical companies to government agencies. The subtlety of this operation was so extreme that as Anthropic put it, the operation had been well-resourced and professionally coordinated.
Implications for Cybersecurity
Although lightning appears to have struck twice, this campaign has deep implications. It reflects a sizeable decrease in the cost of launching advanced cyberattacks. “This campaign demonstrates that the barriers to performing sophisticated cyberattacks have dropped substantially,” Anthropic noted. Even the less experienced groups are now able to rapidly harness AI technologies such as Claude. This allows them to operate on the scale of major state-sponsored cyber attacks, even while lacking the vast resources.
The Claude-powered framework made it easier to find vulnerabilities, simulating the found flaws by automatically generating custom attack payloads. This efficiency is especially problematic because it enables a greater number of attacks at physically infeasible request rates. As highlighted by Anthropic, “The human operator tasked instances of Claude Code to operate in groups as autonomous penetration testing orchestrators and agents.”
Broader Context of AI in Cyber Attacks
The GTG-1002 campaign isn’t a one-off. These kinds of attacks have been leveled against OpenAI and Google. Threat actors fed their AI systems, ChatGPT and Gemini, to carry out these attacks. Taken together, these developments paint a discouraging picture of the state of cybersecurity. Powerful AI models are being weaponized to spread disinformation at scale.
“Threat actors can now use agentic AI systems to do the work of entire teams of experienced hackers with the right setup, analyzing target systems, producing exploit code, and scanning vast datasets of stolen information more efficiently than any human operator.” This fundamental change in technology creates dangerous new opportunities for large-scale, disruptive, and destructive cyberattacks.