Anthropic has just disclosed what appears to be the first large-scale, mostly autonomous, AI-orchestrated cyber espionage campaign. In mid-September 2025, they detected suspicious behaviour that turned out to be a sophisticated operation, which Anthropic attributes with high confidence to a Chinese state-sponsored group. AI wasn’t just “helping.” It was doing most of the work. The attackers jailbroke Claude Code, told it that it was doing defensive testing, and then drove it through an automated framework aimed at ~30 global targets: big tech, finance, chemicals, and government. A few intrusions succeeded.

The mechanics matter. Modern models combine three capabilities that didn’t fully exist a year ago: higher intelligence (especially in coding), the ability to run workflows with minimal human intervention, and access to tools via standards like MCP (e.g. scanners or scrapers). Phase by phase, the humans picked targets and built the framework; the AI handled reconnaissance at speed, identified high‑value databases, researched and wrote exploits, harvested credentials, escalated privileges, dropped backdoors, exfiltrated data, and even wrote the documentation for the next move. Human operators stepped in at a handful of decision points, but the AI carried 80–90% of the load, firing thousands of requests, often multiple per second. It wasn’t flawless: hallucinations still tripped it up. But the scale and speed are the point.

The implications are obvious. The barrier to sophisticated attacks is falling. With the right setup, less experienced teams can run campaigns that used to require seasoned specialists. Anthropic argues that the same capabilities that make attacks feasible are essential for defence: using Claude to detect, disrupt, and learn from these operations. Their Threat Intelligence team relied heavily on Claude to parse the investigation’s data. On the practical side, they’ve tightened detection and classifiers, banned accounts, coordinated with authorities, and are pushing for industry sharing and stronger safeguards.

I’m not a cyber specialist, but it seems the sector has crossed an inflexion point. Agentic AI is here, and it changes both offence and defence.

Check the full Anthropic report: “Disrupting the first reported AI-orchestrated cyber espionage campaign”.