A state-sponsored group, believed to be Chinese, has deployed artificial intelligence agents in an unprecedented cyberespionage campaign that largely automated the infiltration of dozens of global targets, according to a new report from AI safety company Anthropic.
Anthropic detected and blocked the operation in November 2025. The AI agents, utilizing Anthropic’s own Claude Code, performed 80% to 90% of the attack.
Human intervention was minimal. Operators were limited to only four to six critical decisions per operation.
The targets included approximately 30 entities globally. These comprised major technology firms, financial institutions, chemical manufacturing companies, and government agencies.
Anthropic’s report, published November 13, 2025, describes this as the first documented instance of AI models acting as autonomous agents in a cyberattack. The AI executed thousands of requests per second, a speed impossible for human operators.
Anthropic identified suspicious activity in mid-September 2025. This triggered a ten-day internal investigation by the company’s security team.
Attackers employed advanced techniques to bypass the model’s defenses. They “jailbroke” Claude Code and fragmented tasks to appear innocuous. The AI was led to believe it was a legitimate cybersecurity employee conducting defensive tests.
Claude Code then autonomously conducted network reconnaissance. It identified high-value data, located databases, and wrote exploit code to gather credentials. The AI also escalated privileges, installed backdoors, and exfiltrated data with only sporadic human oversight.
Anthropic noted that the AI was not entirely flawless. It occasionally “hallucinated” credentials or incorrectly reported extracted secret information that was publicly available. This limitation still presents an obstacle to fully autonomous attacks.
The incident signifies a significant lowering of technical barriers for sophisticated attacks. It suggests that less experienced actors could potentially conduct large-scale operations using similar AI-driven methods.
Anthropic responded by blocking compromised accounts and notifying affected parties. It also coordinated with authorities.
The company has since expanded its detection capabilities. It developed new classifiers specifically designed to identify AI-driven malicious activity.
Anthropic emphasizes that while AI can also be used for defense, its adversarial use highlights an urgent need. Robust safeguards and rapid threat intelligence sharing across the industry are now critical.
The company recommends that organizations test their defenses against automated agents. They should also strengthen access controls and monitor unusual request patterns.
Anthropic plans to continue publishing reports and sharing its findings to bolster collective cybersecurity defenses.