Anthropic Claude AI Used by Chinese-Back Hackers in Spy Campaign
None
<p>A Chinese nation-state threat group abused Anthropic’s Claude AI model in a series of cyberespionage attacks that the AI company said can serve as a blueprint for how AI and AI agents will be used by bad actors in the future.</p><p>The unnamed group used Claude Code – an agentic AI coding tool that runs such tasks as analyzing code bases, modifies code, and runs commands – to target more than two dozen organizations in a campaign in which the technology was used to automate 80% to 90% of the work, with human intervention needed at only four to six critical decision points for each hack.</p><div class="code-block code-block-13" style="margin: 8px 0; clear: both;"> <style> .ai-rotate {position: relative;} .ai-rotate-hidden {visibility: hidden;} .ai-rotate-hidden-2 {position: absolute; top: 0; left: 0; width: 100%; height: 100%;} .ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback, .ai-list-block, .ai-list-block-ip, .ai-list-block-filter {visibility: hidden; position: absolute; width: 50%; height: 1px; top: -1000px; z-index: -9999; margin: 0px!important;} .ai-list-data, .ai-ip-data, .ai-filter-check, .ai-fallback {min-width: 1px;} </style> <div class="ai-rotate ai-unprocessed ai-timed-rotation ai-13-1" data-info="WyIxMy0xIiwxXQ==" style="position: relative;"> <div class="ai-rotate-option" style="visibility: hidden;" data-index="1" data-name="U2hvcnQ=" data-time="MTA="> <div class="custom-ad"> <div style="margin: auto; text-align: center;"><a href="https://www.techstrongevents.com/cruisecon-virtual-west-2025/home?ref=in-article-ad-2&utm_source=sb&utm_medium=referral&utm_campaign=in-article-ad-2" target="_blank"><img src="https://securityboulevard.com/wp-content/uploads/2025/10/Banner-770x330-social-1.png" alt="Cruise Con 2025"></a></div> <div class="clear-custom-ad"></div> </div></div> </div> </div><p>The attacks leveraged the agentic capabilities of Claude the rest of the time, company researchers <a href="https://www.anthropic.com/news/disrupting-AI-espionage" target="_blank" rel="noopener">wrote in a blog post</a> this week.</p><p>“The sheer amount of work performed by the AI would have taken vast amounts of time for a human team,” they wrote. “At the peak of its attack, the AI made thousands of requests, often multiple per second – an attack speed that would have been, for human hackers, simply impossible to match.”</p><p>The cybersecurity community can expect these sorts of AI-driven attacks – using not only Claude but AI models from other vendors – to expand as attackers become more adept at using the agentic capabilities that are being developed.</p><p>“The barriers to performing sophisticated cyberattacks have dropped substantially – and we predict that they’ll continue to do so,” the researchers wrote. “With the correct setup, threat actors can now use agentic AI systems for extended periods to do the work of entire teams of experienced hackers: analyzing target systems, producing exploit code, and scanning vast datasets of stolen information more efficiently than any human operator.”</p><p>In addition, “less experienced and resourced groups can now potentially perform large-scale attacks of this nature.”</p><h3>‘Inflection Point’ with AI in Cybersecurity</h3><p>The <a href="https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf" target="_blank" rel="noopener">report</a> of the espionage campaign comes a month after Anthropic executives wrote of an “<a href="https://www.anthropic.com/research/building-ai-cyber-defenders" target="_blank" rel="noopener">inflection point</a>” in which AI models had become genuinely useful in cybersecurity operations as well as for bad actors. This was a trend that Anthropic researchers said they expected to continue, though they noted that it was startling how quickly the capabilities had evolved at scale.</p><p>It also comes two months after Anthropic wrote that bad actors during the summer <a href="https://securityboulevard.com/2025/09/anthropic-report-shows-bad-actors-abusing-claude-in-attacks/" target="_blank" rel="noopener">weaponized Claude</a> to automate in almost every part of a large-scale extortion campaign.</p><p>In this case, the vendor first detected suspicious activity in mid-September and, through an investigation, found that the attackers used Claude’s agentic capabilities “to an unprecedented degree – using AI not just as an advisor, but to execute the cyberattacks themselves.”</p><p>In all, the hackers used Claude Code to try to infiltrate about 30 global targets, and succeeded in some of the attempts. Among the targets were large tech companies, financial institutions, government agencies, and chemical manufacturing organizations.</p><p>“We believe this is the first documented case of a large-scale cyberattack executed without substantial human intervention,” the researchers wrote, adding that they mapped the extent of the campaign, banned accounts identified with the operation, notified those organizations targeted, and worked with law enforcement.</p><h3>Leveraging Agentic Capabilities</h3><p>The attackers relied on key capabilities in agentic AI systems, including the ability to intelligently follow complex instructions and complete sophisticated tasks, take autonomous actions and make decisions with little human input, and access an array of software tools, in large part through the <a href="https://securityboulevard.com/2025/10/mcptotal-unfurls-hosting-service-to-secure-mcp-servers/" target="_blank" rel="noopener">Model Context Protocol</a> (MCP), a standard developed by Anthropic last year to allow AI systems to easily access external data and applications.</p><p>The attacks came in three phases, each of which took advantage of these capabilities. In the first phase, humans picked the targets, then created a framework that allowed the agents to compromise the targets with little human involvement, using Claude Code as the automated tool to carry out the attacks.</p><p>This included using jailbreaking methods to trick Claude into bypassing its guardrails and launching the attacks. The bad actors tricked the AI model by breaking down the attacks into small and seemingly innocent tasks that wouldn’t clue Claude into the malicious intent, and also told it they were employees of a legitimate cybersecurity firm using it for defensive testing.</p><h3>Faster than Humans</h3><p>During the next phase, Claude was used to inspect the target’s systems and infrastructure, detect high-value databases much more quickly than humans could, report its findings to the hackers, and identify and test security vulnerabilities.</p><p>“Having done so, the framework was able to use Claude to harvest credentials (usernames and passwords) that allowed it further access and then extract a large amount of private data, which it categorized according to its intelligence value,” the researchers wrote. “The highest-privilege accounts were identified, backdoors were created, and data were exfiltrated with minimal human supervision.”</p><p>The last phase involved Claude creating comprehensive documentation of the attack as well as files of the stolen credentials and the systems analyzed that could be used in by the cybercriminals’ operations.</p><h3>AI for Cyberattacks, Cybersecurity</h3><p>The Anthropic researchers understood the argument against developing AI models if they can be used in this way by threat actors, but countered that the same capabilities can be used in cyber defenses. They also noted that “a fundamental change has occurred in cybersecurity.”</p><p>“We advise security teams to experiment with applying AI for defense in areas like Security Operations Center automation, threat detection, vulnerability assessment, and incident response,” they wrote. “We also advise developers to continue to invest in safeguards across their AI platforms, to prevent adversarial misuse.”</p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/anthropic-claude-ai-used-by-chinese-back-hackers-in-spy-campaign/" data-a2a-title="Anthropic Claude AI Used by Chinese-Back Hackers in Spy Campaign"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fanthropic-claude-ai-used-by-chinese-back-hackers-in-spy-campaign%2F&linkname=Anthropic%20Claude%20AI%20Used%20by%20Chinese-Back%20Hackers%20in%20Spy%20Campaign" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fanthropic-claude-ai-used-by-chinese-back-hackers-in-spy-campaign%2F&linkname=Anthropic%20Claude%20AI%20Used%20by%20Chinese-Back%20Hackers%20in%20Spy%20Campaign" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fanthropic-claude-ai-used-by-chinese-back-hackers-in-spy-campaign%2F&linkname=Anthropic%20Claude%20AI%20Used%20by%20Chinese-Back%20Hackers%20in%20Spy%20Campaign" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fanthropic-claude-ai-used-by-chinese-back-hackers-in-spy-campaign%2F&linkname=Anthropic%20Claude%20AI%20Used%20by%20Chinese-Back%20Hackers%20in%20Spy%20Campaign" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2Fanthropic-claude-ai-used-by-chinese-back-hackers-in-spy-campaign%2F&linkname=Anthropic%20Claude%20AI%20Used%20by%20Chinese-Back%20Hackers%20in%20Spy%20Campaign" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div>