Anthropic: China-Linked Hackers Used AI to Automate Cyber Espionage Campaign
Fri | Nov 14, 2025 | 12:55 PM PST

Anthropic has revealed what it calls the first publicly reported case of an AI-orchestrated cyber espionage campaign—a sprawling operation that used its Claude Code model to automate 80–90% of the intrusion lifecycle, from reconnaissance to data staging. The company attributes the campaign with "high confidence" to a Chinese state-sponsored threat actor, which targeted about 30 organizations across technology, finance, chemical manufacturing, and government sectors.

According to both Anthropic's detailed 13-page report and early investigative reporting from The Wall Street Journal, the attackers manipulated Claude Code into performing reconnaissance, vulnerability discovery, credential harvesting, and documentation at machine speed, issuing thousands of model requests—sometimes multiple per second.

Although the campaign was not fully autonomous, Anthropic says human operators were involved only at a few critical chokepoints, approving or redirecting the AI's progress. As Anthropic's Jacob Klein described, operators were mostly reduced to simple oversight commands such as: "Yes, continue," "Don't continue," and "Are you sure about that?"

For the security community, the significance is clear: AI is no longer just assisting adversaries—it is coordinating, amplifying, and accelerating their operations.

A new era of scalable, AI-driven intrusions

While the cybersecurity industry has warned for years about the dual-use nature of large language models (LLMs), Anthropic's findings represent a shift from theory to reality. The attackers exploited AI's emerging agency—its ability to break tasks into steps, reason across them, and call external tools—to orchestrate a kill chain without writing bespoke malware or custom automation.

This aligns with early reporting that the attackers bypassed guardrails by misrepresenting their requests as "defensive testing," fragmenting malicious workflows into harmless-seeming subtasks, and utilizing protocols like the Model Context Protocol (MCP) to link the model to external tooling.

Several experts argue that the implications extend far beyond this single campaign.

John Watters, CEO of iCOUNTER, warns that this is just the beginning. "This is simply the tip of the iceberg… adversaries leverage AI to conduct reconnaissance on a target, then build bespoke capabilities designed to exploit each specific target," Watters said. "Just look at the success of this operation using off-the-shelf AI capability. Imagine what an adversary can do with a well-tuned LLM purpose-built for an espionage mission."

Watters' point underscores the asymmetric reality: a threat actor doesn't need elite operators or custom infrastructure. With model-mediated reconnaissance and code generation, every victim can become, as he puts it, "Patient Zero."

AI as the new orchestration layer

One of the most important insights from Anthropic's report is that AI served as the coordinator for the intrusion—not the initiator, and not a mere code-generation tool.

Toby Lewis, Global Head of Threat Analysis at Darktrace, contextualizes the shift succinctly. "This campaign is not a fully autonomous attack, but it shows how threat actors are already using AI to orchestrate and scale the same techniques we've seen for years," Lewis said. "The AI is essentially a smart coordinator for standard offensive tools, allowing an operator to say 'scan here, pivot there, package this up' in plain language instead of writing custom scripts."

This framing helps separate hype from reality: the AI wasn’t "thinking like a hacker," but it dramatically accelerated the operator's ability to run multi-stage intrusions with natural-language instructions instead of custom automation.

Lewis also highlights a critical detection challenge: "AI-driven attacks cannot always be identified as so: regardless of whether the code was produced by an AI system or written manually, it behaves the same once it's inside the victim's environment."

This means defenders cannot rely on "AI fingerprints." Behavioral detection becomes the only reliable approach, and even then, models capable of chaining tasks will make those behaviors more fluid and adaptive.

Machine-speed operations break human-speed defenses

Anthropic's report notes that the model often executed thousands of requests in rapid succession. Even with imperfect reasoning—the AI occasionally hallucinated vulnerabilities or credentials—the sheer speed and volume of its operations rendered traditional manual oversight models ineffective.

Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck, emphasizes how transformational this is for attackers. "What once required months of coordinated human effort can now be accelerated through AI-driven automation," Constantine said. "Multi-stage campaigns orchestrated by AI agents are harder to detect and disrupt."

She outlines five specific risks emerging from this case:

  • Lower barriers to entry

  • High-speed reconnaissance and exploitation

  • Scaling attacks without retuning tools

  • Stealthier, highly segmented workflows

  • Machine-generated documentation for human follow-on teams

The point is unmistakable: these campaigns are not only faster but also more structured, modular, and operationally mature than many human-led intrusions.

Defenders face a new set of practical challenges

Even Anthropic required more than a week to reconstruct the full scope of the campaign, despite having far deeper visibility than a typical enterprise. That reality raises difficult questions for security teams.

Vineeta Sangaraju, Security Solutions Engineer at Black Duck, notes, "If Anthropic… needed more than a week to piece together the full scope of the attack campaign, how difficult will it be for typical enterprises to spot AI-driven intrusion?"

Sangaraju warns that defenders may be forced to rethink everything from monitoring pipelines to IR workflows:

  • Actionable real-time monitoring rather than periodic scans

  • Smarter feedback loops between detection and response

  • Continuous validation of environments

  • Behavioral anomaly detection tuned for machine-speed operations

  • Threat models that explicitly include AI-powered adversaries

She also raises a critical question for AI vendors and enterprises alike: "Are organizations inevitably going to be forced to use AI to defend against AI?"

Currently, the trend suggests that the answer is yes.

Transparency, intelligence sharing, and the road ahead

One of the few bright spots in this story is Anthropic's decision to publish detailed findings rather than handle the incident quietly.

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, argues that this kind of transparency is essential. "The old world pattern of addressing and disposing of issues quietly only benefits the attackers," Ford said. "Sunshine is the best disinfectant, and sharing this in the light of day helps us all improve."

Ford adds that AI makes everyone faster—defenders and attackers alike—and that intelligence sharing must keep pace. He also notes the need to renew certain protections under CISA 2015, which would facilitate more robust inter-industry and government collaboration.


Voices of skepticism: are the claims overstated or 'marketing guff'?

While the disclosure by Anthropic has raised alarm bells, several cybersecurity professionals question whether the campaign is truly as novel or autonomous as presented. A report from BleepingComputer cites skepticism that the model was being deployed as an entirely autonomous attacker agent rather than as a highly automated but still human-driven operation.

For example, independent researcher Michal Wozniak described the claims as "fancy automation, nothing else," saying: "This Anthropic thing is marketing guff. AI is a super boost, but it's not Skynet … it doesn't think, it's not actually artificial intelligence (that's a marketing thing people came up with)."

Key concerns include:

  • Lack of independent verification: Anthropic has not publicly released detailed IOCs (indicators of compromise) or disclosed the identities of affected organizations, making external validation difficult.

  • Ambiguity around "autonomy": Critics argue that while AI may have assisted in tasks, the assertion of 80-90% autonomous execution may overstate the model's true independence and downplay human orchestration.

  • Potential hype-driven motivations: Some view the announcement as serving a dual purpose: a legitimate security concern and a high-visibility moment for Anthropic amid ongoing AI investment and competition.

That said, even the skeptics agree that the intersection of AI and cyber-intrusion poses serious risks. The debate lies in how extreme and immediate those risks are. As one observer put it: "Whether it's fully autonomous or heavily assisted, this is a big deal—but the narrative matters."

The bottom line for security leaders

Anthropic's disclosure isn't just another incident report—it's the first public confirmation that agentic AI is now a real, operational component of state-sponsored hacking.

The biggest takeaway is not the novelty of the techniques but their scale, speed, and accessibility. The same AI capabilities that accelerate defensive workflows can—and now demonstrably do—accelerate offensive ones.

Security leaders should assume:

  • AI-powered reconnaissance and exploitation will proliferate

  • Manual detection cycles will fall further behind

  • Guardrail bypassing will become routine

  • Multi-stage machine-speed intrusions will strain traditional IR

  • AI vs. AI defense models will become unavoidable

This case marks the beginning of a new operational era, one in which adversaries don't just use AI, but delegate to it.

And as several experts emphasize, this is only the beginning.
