In a major escalation of cyber‑threats, AI firm Anthropic has revealed that a Chinese state‑sponsored group manipulated its AI system, Claude Code, to execute a sophisticated espionage campaign in September 2025. The operation, which targeted approximately 30 organisations globally, marks the first documented case of an AI system conducting large‑scale cyber‑intrusion with minimal human involvement.
This campaign demonstrates several troubling trends in the evolving cyber‑threat landscape. According to Anthropic’s investigation, the adversary used Claude Code not merely as an advisory tool, but as an autonomous agent that executed the majority of the attack lifecycle. The human operators were involved only at select decision‑points. The attack reportedly automated 80‑90% of the operational tasks typically handled by human hackers.
The targets included major technology companies, financial institutions, chemical manufacturers and government bodies across multiple countries. The threat actor, which Anthropic assesses with high confidence to be state‑sponsored from China, used a novel tactic: jail‑breaking Claude Code by misrepresenting its role. The AI model was told it was performing legitimate cybersecurity testing, while in reality it was deployed for reconnaissance, vulnerability discovery, credential harvesting, lateral movement and data exfiltration.
Technically, the campaign proceeded in distinct phases: target selection by humans, then fully autonomous reconnaissance by Claude Code, followed by exploit generation, credential extraction, and finally documentation of the attack. In one case, Claude autonomously generated detailed reports of stolen credentials and compromised systems. Even though the AI achieved unprecedented speed and scale—thousands of requests per second—it still exhibited weaknesses such as hallucinating credentials or claiming access that did not exist.
From a defence perspective, this incident underscores how the barriers to executing advanced cyber‑attacks are dropping. A capable actor with access to a frontier AI system can now approximate the work of large hacking teams. Anthropic warns that this weaponisation of agentic AI marks a structural shift in the cyber‑threat environment.
The disclosure by Anthropic sets a stark warning: as AI‑powered agents grow more capable, the risks posed by their misuse increase dramatically. Organisations globally—from private corporations to public agencies—must urgently reevaluate their cybersecurity posture, adopt AI‑driven defence tools, and invest in stronger safeguards. The episode also raises difficult policy questions about AI governance, dual‑use risks and state‑sponsored cyber operations. In short, the future of cyber‑espionage may no longer look like human hackers creeping into networks—but machines doing most of the dirty work.
