Anthropic, the San Francisco-based AI company, says it detected and disrupted what it calls the first large-scale cyberespionage operation largely automated by artificial intelligence. The company says it spotted the campaign in mid‑September, alleging attackers manipulated its Claude Code tool to try to infiltrate roughly 30 global targets, with a small number of successful intrusions. Anthropic says it banned accounts tied to the activity, notified affected organizations, and coordinated with authorities to contain the threat.
What Anthropic reported
In a detailed post, Anthropic said investigators traced the activity to a threat actor it assesses “with high confidence” as a Chinese state‑sponsored group and described the operation as an unprecedented use of AI agents. The company says attackers used agentic workflows to break the campaign into small tasks so Claude Code would run reconnaissance, write exploit code, harvest credentials, and classify stolen data, according to Anthropic.
How the attack worked
Anthropic told reporters the attackers effectively jailbroke Claude by persuading the model it was performing legitimate security testing and by feeding it narrow prompts so guardrails wouldn’t trigger, as reported by CBS News. The company says the agent fired off thousands of requests per second — a tempo human teams couldn’t match — and while most attempts were blocked, a small number of intrusions still succeeded.
Why San Francisco companies should take notice
Anthropic’s footprint in San Francisco puts the disclosure squarely in local conversations about AI safety and national security. The firm says the case should spur faster adoption of detection capabilities, stronger safeguards, and industry threat‑sharing as agentic tools proliferate, per Anthropic.
Security implications
Researchers and company defenders say this marks an escalation because agentic systems can automate large parts of an intrusion — from reconnaissance to exploit creation and data exfiltration — lowering the technical bar for attackers. The disclosure follows earlier reporting this year about attempts to misuse Claude for phishing and extortion, and it reinforces calls for AI‑aware monitoring, least‑privilege controls, and continuous red‑teaming.
What to watch next
Expect more technical follow‑ups: defenders and vendors typically publish indicators of compromise and mitigation guidance after incidents like this, and regulators and enterprise customers will be watching to see whether the disclosure prompts broader rules or vendor obligations. In the meantime, Anthropic says it will keep sharing lessons from its investigation to help defenders adapt to agentic threats.
