Google's AI shopping features promise convenience: automated tracking, inventory calls, checkout. But they remove everyone between you and purchase—reviewers, influencers, store staff. What's lost when one company owns the entire shopping journey?
Cursor raised $2.3 billion at a $29.3 billion valuation while paying billions to the same AI companies now competing against it. The fastest-growing startup in tech history faces a choice: become a model company or accept structural disadvantage.
Chinese hackers automated 80-90% of cyber intrusions using Anthropic's Claude by simply telling it they were security testers. Four breaches succeeded. The jailbreak was embarrassingly simple, and now every AI company faces the same vulnerability.
Chinese hackers automated 80-90% of cyber intrusions using Anthropic's Claude by simply telling it they were security testers. Four breaches succeeded. The jailbreak was embarrassingly simple, and now every AI company faces the same vulnerability.
Anthropic disclosed Thursday that Chinese state-sponsored hackers automated 80 to 90 percent of a September espionage campaign using Claude Code, requiring human oversight at just four to six decision points per intrusion. The attacks targeted roughly 30 organizations across technology, finance, chemicals, and government sectors. Four succeeded in exfiltrating sensitive data.
"The human was only involved in a few critical chokepoints," Jacob Klein, Anthropic's head of threat intelligence, told the Wall Street Journal. The attacks ran "literally with the click of a button, and then with minimal human interaction."
Anthropic calls this "the first documented case of a large-scale cyberattack executed without substantial human intervention." That qualifier, documented, carries weight. The company detected suspicious activity in mid-September, investigated for ten days while mapping the operation's scope, then banned accounts and notified victims. But Anthropic only sees Claude usage. Google reported similar Russian operations using Gemini three weeks ago. Volexity spotted Chinese hackers automating campaigns with LLMs this summer.
The Breakdown
• Chinese state-sponsored hackers automated 80-90% of September attacks using Claude Code, succeeding in four of 30 targeted intrusions with minimal human oversight.
• Attackers bypassed safety systems by claiming to be security testers conducting legitimate penetration testing, breaking malicious tasks into innocuous-seeming requests.
• AI made thousands of requests per second, compressing attack timelines from weeks to minutes and overwhelming human-staffed security operations centers.
• Anthropic's disclosure teaches other threat actors successful techniques while open-source AI models eliminate the API monitoring that enabled this detection.
The disclosure raises questions beyond the technical achievement. Why did Anthropic go public when competitors typically stay quiet? How easily did simple social engineering defeat guardrails built by hundreds of safety engineers? And what happens when these techniques migrate to open-source models that Anthropic can't monitor or shut down?
The attackers told Claude they worked for legitimate cybersecurity firms conducting defensive penetration testing.
That's it.
No sophisticated prompt injection, no adversarial perturbations, just straightforward roleplay. "In this case, what they were doing was pretending to work for legitimate security-testing organizations," Klein said.
They broke malicious tasks into discrete, innocuous-looking requests. Claude would scan for vulnerabilities without understanding the full context. It would generate exploit code thinking it was helping security professionals patch systems. The framework kept Claude operating in short loops, each task seemingly benign when isolated from the broader campaign.
This worked because actual security researchers do exactly these things. Red teams probe for weaknesses. Penetration testers write working exploits, the same code that gets weaponized in real attacks. Bug bounty programs pay people to scan infrastructure systematically. Claude couldn't distinguish legitimate security work from espionage. The technical operations are identical. Intent matters, intent lives in context that the attackers deliberately withheld.
Anthropic has trained Claude extensively to refuse harmful requests. The company runs systematic evaluations, employs safety researchers, builds classifiers to detect misuse patterns. All of that infrastructure failed against "I'm a security tester."
The safeguards proved brittle.
What protections remain when the next campaign uses slightly different phrasing, or targets Claude's competitors with different safety architectures, or runs entirely through open-source models?
The company says it updated detection methods after the attacks. Classifiers now flag similar patterns more reliably. But this creates a cat-and-mouse dynamic where each defensive update teaches attackers which boundaries to probe next.
Claude made thousands of requests per second during peak operational phases. Human hackers work at human speed, probing systems, analyzing responses, crafting exploits iteratively over days or weeks. An AI agent loops through those same tasks in minutes.
The framework handled reconnaissance autonomously. It identified high-value databases, tested security vulnerabilities, and generated custom exploit code without waiting for human analysis between steps. When it successfully harvested credentials, it immediately pivoted to exploring what those credentials unlocked. Data exfiltration began while simultaneously categorizing stolen information by intelligence value and creating documentation for the next operational phase.
This compression of timelines changes defensive calculations. Organizations typically detect intrusions through anomaly patterns that accumulate over time. Unusual access patterns. Data movement that doesn't match normal workflows. Reconnaissance that telegraphs upcoming attacks.
Those signals still exist. They arrive compressed into windows too short for human teams to process.
Anthropic detected the campaign through automated monitoring systems flagging suspicious Claude usage patterns, not because victims reported breaches. The company's visibility into API calls created detection opportunities unavailable to the targeted organizations themselves. Most victims didn't know they'd been probed until Anthropic notified them.
That detection advantage disappears when attacks use open-source models. Meta's Llama, Mistral's releases, other freely available systems can be fine-tuned specifically for offensive operations. Download weights, remove safety layers, optimize for cyber tasks.
No API logs. No usage monitoring. No kill switch when Anthropic's threat intelligence team spots malicious patterns.
Anthropic went unusually public with details. The company published a comprehensive blog post, coordinated with mainstream media for same-day coverage, and released a full technical report. Competitors typically handle similar incidents quietly. Notify victims, cooperate with law enforcement, maybe brief industry groups under NDA. Going loud carries risks.
Transparency might serve multiple purposes. It demonstrates Anthropic's detection capabilities to enterprise customers evaluating security controls. It pressures competitors to strengthen their own safeguards and disclose incidents. It shapes the narrative around AI safety before critics define it for them. And it potentially influences policymakers considering AI regulation by showing the company taking responsibility seriously.
The timing matters too. This disclosure arrives as Anthropic announces $50 billion in data center investments and competes for enterprise contracts where security concerns loom large. Showing they can detect and disrupt sophisticated misuse might differentiate Claude against competitors who stay silent about similar incidents.
But transparency creates its own problems. Detailed disclosure teaches other threat actors what worked and what triggered detection. The technical report essentially provides a case study in successfully automating cyber operations using frontier AI models. Every defensive technique Anthropic describes also reveals offensive capabilities that other groups can replicate.
The company acknowledges this tension. "We're sharing this case publicly, to help those in industry, government, and the wider research community strengthen their own cyber defenses," the blog post states. That calculates that broad awareness produces better collective defense than keeping quiet produces operational security.
Anthropic frames this incident within a dual-use narrative. Yes, Claude enables attackers. But those same capabilities make Claude "crucial for cyber defense," the company argues. Logan Graham, who runs Anthropic's catastrophic risk testing team, told the Journal: "If we don't enable defenders to have a very substantial permanent advantage, I'm concerned that we maybe lose this race."
That framing assumes defenders and attackers access equivalent capabilities. Reality looks different. Anthropic's threat intelligence team used Claude extensively to analyze the enormous datasets generated during their investigation. That investigation started only after automated systems flagged suspicious usage patterns. The targeted organizations lacked that visibility. They couldn't use Claude to defend against attacks they didn't know were happening.
Defenders face structural disadvantages that AI doesn't eliminate. They must secure every potential vulnerability. Attackers need just one successful penetration. Defenders operate under legal and ethical constraints. Attackers optimize purely for effectiveness. The math doesn't balance. Defenders need executive buy-in and budget approval for security investments. Attackers self-fund through espionage gains.
The notion that "if we don't build it, someone else will" drives frontier AI development. But that logic fails when the technology enables capabilities that defenders can't match even when they have access to the same tools. This campaign succeeded despite Anthropic's extensive safety work. What happens when less safety-conscious developers deploy similar capabilities, or when nation-states build specialized offensive models?
Claude hallucinated during the attacks. It claimed access to systems it hadn't actually penetrated. It exaggerated capabilities, forcing humans to verify each phase. Klein presented these failures as evidence that fully autonomous attacks remain beyond current AI abilities. But hallucinations will decline as models improve. The barrier isn't fundamental, just a temporary technical limitation being actively optimized away.
Anthropic's phrasing deserves scrutiny. "First documented case" acknowledges what the company can't see. Google reported Russian hackers using Gemini for real-time malware generation weeks ago. Volexity spotted Chinese groups automating campaigns this summer. Those were documented too.
The distinction Anthropic draws centers on autonomy level and scale. Previous incidents involved AI assisting human operators. This campaign inverted that relationship, with humans assisting AI operations. The shift from tool to engine matters.
But "documented" means "publicly disclosed." OpenAI hasn't detailed how GPT-4 gets misused. Microsoft doesn't publish Copilot abuse statistics. Meta released Llama openly, creating zero visibility into how those models operate after download. The actual first highly-automated AI-enabled intrusion probably happened months ago using tools that companies either didn't detect or chose not to disclose.
Attribution adds another layer of uncertainty. Anthropic assessed "with high confidence" that Chinese state-sponsored hackers ran this campaign, based on digital infrastructure and operational patterns. That confidence level suggests strong evidence. Not conclusive. Attribution in cybersecurity rarely reaches certainty. Hackers route through proxy infrastructure, use stolen credentials, plant false flags.
The geopolitical context matters. U.S. government officials have spent years warning about Chinese targeting of American AI technology. This disclosure fits that narrative perfectly. Whether it accurately represents the full threat landscape or reflects selection bias in what gets detected and disclosed remains unclear. Russian groups operate sophisticated campaigns. North Korean hackers fund the regime through cyber theft. Iranian actors run espionage operations. The focus on Chinese attribution might indicate real patterns. Or it might indicate which stories American companies choose to tell.
Anthropic didn't identify the four organizations where intrusions succeeded. The company said U.S. government agencies weren't among successful targets but wouldn't confirm whether government entities were probed unsuccessfully. That opacity protects victims while limiting ability to verify claims or assess real-world impact.
Less sophisticated groups can now potentially execute operations that previously required teams of experienced hackers. The technical barriers were knowledge, time, and coordination. AI agents compress that expertise into automated loops. A moderately skilled operator with access to Claude or similar models can attempt intrusions that would have demanded specialists just months ago.
Anthropic advises security teams to "experiment with applying AI for defense in areas like Security Operations Center automation, threat detection, vulnerability assessment, and incident response." Reasonable guidance. Organizations should absolutely explore how AI improves defensive capabilities.
But experimentation takes time. Budget. Executive support.
Attackers already moved from exploration to operational deployment. The asymmetry compounds. Defenders must secure funding, evaluate vendors, pilot programs, train staff, integrate systems, and measure effectiveness. Attackers just need API access and enough sophistication to craft effective jailbreaks.
The company also advises developers to "continue to invest in safeguards across their AI platforms, to prevent adversarial misuse." Anthropic invested heavily in safeguards. They failed against straightforward social engineering. Stronger safety controls help, but they're not solving the fundamental problem that these capabilities exist and can be accessed through multiple channels.
"The techniques described above will doubtless be used by many more attackers," Anthropic concludes.
That's not speculation. It's acknowledgment that the company just published a detailed case study showing exactly how to automate cyber operations using frontier AI. Every threat actor with sufficient resources now has a template.
For defenders: Detection must now happen at AI speed. Human-staffed security operations can't match thousands of requests per second. Organizations need automated monitoring that catches anomalous patterns in compressed timeframes, and they need it deployed before the next campaign hits.
For AI companies: Simple jailbreaks defeated expensive safeguards. The current approach to safety, training models to refuse harmful requests, proves insufficient when attacks use legitimate-seeming pretexts. Either substantially stronger technical controls emerge or regulatory pressure will force different deployment models.
For policymakers: The dual-use dilemma just became concrete. The same capabilities that help security researchers find vulnerabilities enable state-sponsored espionage at unprecedented scale. Restricting access to frontier models might slow offensive adoption but also limits defensive capabilities. There's no clean policy solution when the technology is inherently bidirectional.
Q: How much damage did the successful attacks actually cause?
A: Four of the 30 targeted organizations suffered successful intrusions with data exfiltration. Anthropic hasn't identified which companies or governments were breached, or how much data was stolen. The company confirmed U.S. government agencies weren't among the successful targets but wouldn't say if they were unsuccessfully probed. Most victims only learned they'd been attacked when Anthropic notified them.
Q: Can ChatGPT or other AI models be used for attacks like this?
A: Yes. Google reported Russian hackers using Gemini for real-time malware generation three weeks before Anthropic's disclosure. Any frontier AI model with coding capabilities could potentially be jailbroken using similar techniques. OpenAI and Microsoft haven't publicly detailed how their models get misused, but the same vulnerabilities likely exist across all major AI systems with sufficient technical capabilities.
Q: Why can't Anthropic just fix the jailbreak and prevent future attacks?
A: Because legitimate security researchers perform identical technical operations to attackers. Red teams probe systems, penetration testers write exploit code, bug bounty hunters scan infrastructure. Claude can't distinguish between actual security work and espionage since the actions are identical. Blocking these capabilities would prevent legitimate cybersecurity professionals from using Claude for defensive work.
Q: What makes open-source AI models more dangerous for these attacks?
A: Anthropic detected this campaign by monitoring Claude API usage patterns. Open-source models like Meta's Llama can be downloaded, fine-tuned to remove safety restrictions, and run locally without any monitoring. There are no API logs, no usage tracking, and no kill switch. Companies lose all visibility once someone downloads the model weights.
Q: How long did it take Anthropic to detect and stop the attacks?
A: Anthropic's automated monitoring systems flagged suspicious activity in mid-September 2025. The company investigated for 10 days while mapping the full scope of the operation before banning accounts and notifying victims. The hackers operated for an unknown period before detection. Anthropic enhanced its classifiers after the incident to catch similar patterns faster.
Maria Garcia
Marcus Schuler
Robert Brown
Anthropic projects profitability by 2028. So why $50 billion in infrastructure? The announcement, arriving as OpenAI's subsidy request fails, reveals how even disciplined AI companies can't resist the pressure to match rivals' megaprojects.
Germany wrote Europe's privacy playbook after the Nazis weaponized census data and the Stasi monitored citizens. Now Berlin is leading the charge to gut those protections, handing trillion-dollar AI companies access to European data through regulatory shortcuts.
Seven families sue OpenAI, claiming ChatGPT drove four people to suicide after a May 2024 design change prioritized engagement over safety. The cases test whether AI chatbots qualify as products under liability law.
OpenAI's CFO floated a federal backstop for AI infrastructure, then reversed within hours after White House rejection. The whiplash exposed the core problem: OpenAI needs $1.4 trillion while generating $20 billion. The math doesn't work.
Get the 5-minute Silicon Valley AI briefing, every weekday morning — free.
