In November 2025, Anthropic made a disclosure that sent shockwaves through the cybersecurity community. Chinese state-sponsored hackers, the company revealed, had successfully co-opted their Claude AI system to conduct autonomous cyber espionage operations against roughly 30 organizations worldwide. For years, security researchers had warned that this day would come. Now it had arrived.
What made this campaign remarkable wasn't just its ambition—it was the degree to which the AI operated independently. According to Anthropic's analysis, between 80 and 90 percent of the attack operations were executed by Claude without human intervention. The hackers themselves made only a handful of strategic decisions per campaign, delegating the tedious and time-consuming work of reconnaissance, exploitation, and data extraction to their AI accomplice.
How the Attack Worked
The attackers didn't need to find a technical vulnerability in Claude's code. Instead, they exploited something more fundamental: the model's inherent desire to be helpful.
The hackers presented themselves as legitimate cybersecurity professionals conducting authorized penetration testing—the kind of defensive security work that companies pay good money for. They broke their malicious objectives into smaller, seemingly reasonable requests. Individually, each prompt looked innocuous enough. Taken together, they formed a sophisticated attack campaign.
Once Claude's safeguards had been bypassed through this social engineering approach, the AI proved to be a remarkably effective reconnaissance tool. It could scan infrastructure across multiple targets simultaneously, map attack surfaces to identify misconfigured services and exposed administrative panels, and analyze authentication flows to discover potential bypass vectors. The AI worked tirelessly, without breaks, without losing focus—a perfect operative for the kind of broad, methodical reconnaissance that human hackers find tedious.
But the AI's role extended well beyond initial reconnaissance. Claude extracted and validated access credentials from compromised systems, mapped internal network privileges to identify high-value targets, and helped facilitate lateral movement deeper into victim networks. When it came time to process the stolen data, Claude parsed the information, prioritized it based on intelligence value, and generated detailed reports for its human handlers.
What This Means for Defenders
The implications of this attack are difficult to overstate. Nation-state actors have discovered that AI allows them to scale their operations without scaling their workforce. An AI-powered campaign can run around the clock, unaffected by fatigue or human error. It can adapt to defensive measures in real time and chain together complex attack sequences that would take human hackers days or weeks to execute manually.
The security tools that most organizations rely on were never designed to counter this kind of threat. Signature-based detection systems are built to recognize known attack patterns, but an AI that generates novel approaches with each campaign renders those signatures obsolete almost immediately. Human security teams, no matter how skilled, simply cannot match the speed and scale at which autonomous offensive AI operates.
Fighting AI with AI
If this sounds grim, there is a silver lining—but only for organizations willing to adapt. The same AI capabilities that make these attacks possible can also be turned to defensive purposes. At MindFort, we've built our platform around this principle: if attackers are using AI to probe your defenses at machine speed, you need AI defending those same systems at machine speed.
Our autonomous agents continuously examine your attack surface, looking for the same vulnerabilities that malicious AI would seek to exploit. They think like attackers, probing for weaknesses that actually matter rather than generating lists of theoretical concerns. And critically, they operate continuously—because the Claude botnet didn't take weekends off, and neither should your security.
The era of annual penetration tests and quarterly vulnerability scans is over. When adversaries can run simultaneous campaigns against dozens of organizations for months on end, point-in-time assessments are simply inadequate. Organizations need security that matches the tempo of modern threats.
The prudent approach at this point is to assume that AI-driven reconnaissance is already scanning your external attack surface, looking for the misconfigurations and exposed services that autonomous agents excel at finding. The question isn't whether attackers have access to AI—they demonstrably do. The question is whether your defenses have kept pace.