Anthropic said a hacking group associated with China used its Claude model to carry out parts of a cyber-intrusion campaign targeting roughly 30 organisations. The targets included U.S. companies, financial firms and government entities.
According to Anthropic, the attackers began operating in mid-September. Instead of relying on manual execution, they fed Claude large numbers of prompts that handled reconnaissance tasks, bulk credential attempts and automated follow-up actions.
We disrupted a highly sophisticated AI-led espionage campaign.
— Anthropic (@AnthropicAI) November 13, 2025
The attack targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. We assess with high confidence that the threat actor was a Chinese state-sponsored group.
The company said the attackers prompted Claude to imitate an employee from a known cybersecurity company and attempted to use that disguise to gather internal information from victims.
Anthropic’s threat-intelligence team told reporters that the attackers relied on Claude for the majority of the workload. Certain operations involved thousands of automated requests that would have been slow or impractical for human operators to perform.
How The Attack Functioned
The campaign worked by splitting actions into many short prompts. Claude generated messages, conducted directory lookups and produced repeated login attempts in a way that created a steady flow of automated behaviour.
The company said the model was not “hacked” in the conventional sense; instead the attackers used normal access methods but repurposed Claude as a tool within their broader operation.
Anthropic said only a limited number of attempts succeeded. Even so, the pattern of activity showed that large-scale automation can be achieved by prompting an AI system rather than building custom malware.
In this case, the model served as a rapid-execution engine: it responded to instructions, generated outputs and carried out data-gathering without requiring continuous human guidance.
Why The Disclosure Matters
Although AI has been used before to enhance phishing, scanning or code generation, this incident involved an AI system performing a large portion of an intrusion workflow at speed.
Security analysts said the event highlights the need for model providers to watch for suspicious usage patterns, especially when requests resemble automation chains rather than individual queries.
Anthropic said it has already restricted access used in the incident, reviewed activity logs and applied additional safety checks that look for repeated prompt sequences often associated with credential attacks or bulk scanning. The company also contacted affected organisations.
What The Industry Will Be Watching
Cybersecurity firms and policy groups will now assess whether other AI models are facing similar misuse, whether regulations need to include AI-usage monitoring requirements and how companies should structure internal controls to detect automated attack patterns.
This incident may influence how AI labs design guardrails that look not only at harmful content but also at behavioural signals that indicate coordinated intrusion attempts.
