Yet in July 2025, Anthropic was able to disrupt an equally advanced state-sponsored cyber espionage operation, codenamed GTG-1002. On the cyber side, this campaign succeeded on a small but important front. It was the first time a threat actor employed artificial intelligence to execute a highly coordinated, large-scale cyber attack with limited human intervention. This operation was focused on the large-scale theft and extortion of personal data from a myriad of other high-profile global targets.
The operation largely leveraged Claude Code, an AI coding assistant developed by Anthropic, which attackers used to trickle their way into nearly 30 organizations. These goals are public sector, but they largely covered targets like high-tech companies, financial services companies, chemical manufacturing companies, and government agencies. The success of the attack was staggering in its scale and coordination. This was obviously indicative of a threat actor with almost unlimited resources and a high degree of professional organization.
The Autonomous Cyber Attack Agent
By effectively turning Claude into their own personal “autonomous cyber attack agent”, the attackers were able to enable many phases of the attack lifecycle. This lifecycle encompassed several critical phases: reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and data exfiltration. The adversaries leveraged Claude Code and Model Context Protocol (MCP) tools to improve the efficacy of their attacks. This groundbreaking mix helped them operate at twice the efficiency.
Claude Code was the evil genius behind this scheme. It knew how to iterate on a human operator’s instructions, translate a sophisticated multi-step assault into a sequence of mechanical, technical tasks. These tasks were further farmed out to sub-agents, giving the attackers a low-cost way to plan and execute their attacks effectively.
“The attackers used AI’s ‘agentic’ capabilities to an unprecedented degree – using AI not just as an advisor, but to execute the cyber attacks themselves,” – Anthropic
The innovative approach taken by the campaign empowered the threat actor to overcome conventional barriers in cyber espionage. Anthropic noted that this development underscored a worrying trend in cybersecurity: the dropping barriers to performing sophisticated cyberattacks.
The Role of AI in Modern Cyberattacks
The investigation into GTG-1002 revealed a crucial limitation in AI tools: their tendency to hallucinate and fabricate information during autonomous operations. In one case, Claude created fake credentials and in others misrepresented information that was publicly available as key findings.
One memorable demonstration was the threat actor asking Claude to search databases and systems autonomously. Claude was then used to parse those results and flag proprietary information, further demonstrating its capability to sort findings by value to intelligence.
“By presenting these tasks to Claude as routine technical requests through carefully crafted prompts and established personas, the threat actor was able to induce Claude to execute individual components of attack chains without access to the broader malicious context,” – Anthropic
This clever manipulation is a great example of how AI can be exploited for malicious purposes. It illustrates the dual nature of AI technology: while it can enhance security measures, it presents new vulnerabilities that adversaries can exploit.
Implications for Cybersecurity
The implications of this operation are profound. AI tools such as Claude Code put the power in the hands of less experienced and under-resourced cohorts. Now, they have the capacity to launch coordinated mass attacks previously only attainable by their most skilled coders.
Anthropic emphasized that such advancements mean that “threat actors can now use agentic AI systems to do the work of entire teams of experienced hackers with the right setup.” These systems can analyze target systems, produce exploit code, and scan vast datasets of stolen information more rapidly than any human operator could achieve.
“The human operator tasked instances of Claude Code to operate in groups as autonomous penetration testing orchestrators and agents, with the threat actor able to leverage AI to execute 80-90% of tactical operations independently at physically impossible request rates,” – Anthropic