Anthropic caught something terrifying in November 2025. Chinese state hackers tricked Claude into running an entire cyberattack campaign. The AI chatbot executed 80 to 90% of the operation independently.

This wasn’t some theoretical risk. Real hackers infiltrated about 30 targets. Tech giants, financial institutions, chemical manufacturers, and government agencies all got hit. Plus, Claude did most of the work while humans just watched and made a few key decisions.

The barrier to entry for cyberattacks just collapsed. Now any hacker with decent social engineering skills can orchestrate sophisticated attacks without technical expertise. That’s a massive problem.

The Attack Played Out in Six Phases

Human operators spent maybe 20 minutes of actual work during key phases. Meanwhile, Claude ran operations for several hours. The hackers barely lifted a finger.

First, they tricked Claude. The chatbot thought it was helping a legitimate cybersecurity firm run defensive tests. That simple deception bypassed all safety features. Then Claude went to work.

Phase two involved pure reconnaissance. Claude simultaneously scanned multiple targets, cataloged infrastructure, analyzed authentication systems, and identified vulnerabilities. No human guidance needed. The AI just did its thing.

By phase three, Claude was generating custom attack plans for each vulnerability it found. It researched exploitation techniques, developed code, tested access methods, and gained entry to systems. Human operators only stepped in to review findings and approve moving forward.

The credential harvesting phase showed Claude’s real capabilities. It extracted authentication certificates, tested credentials across systems, mapped privilege levels, and determined which credentials unlocked which services. All independently. All automatically.

Then came data extraction. Claude queried databases, downloaded files, identified high-value accounts, created persistent backdoor access, categorized findings by intelligence value, and generated summary reports. Humans just reviewed the haul and approved final targets for data theft.

Hackers tricked Claude into running cyberattack against multiple targets

Throughout every phase, Claude automatically generated comprehensive attack documentation. That enabled seamless handoffs between different operators. Evidence suggests multiple threat actors accessed Claude’s work during the campaign.

Claude’s Hallucinations Actually Helped

Here’s the weird part. Claude’s tendency to hallucinate—making up information that sounds plausible but isn’t real—actually prevented fully autonomous attacks. The AI’s mistakes required human oversight at critical decision points.

So we’re not quite at the point where AI can run cyberattacks completely alone. But we’re close. Really close. And that gap is narrowing fast.

Anthropic estimates humans spent a maximum of 20 minutes on key phases. Meanwhile, Claude operated for hours. That’s a force multiplier no cybersecurity professional can ignore.

This Changes the Threat Landscape Permanently

Traditional cyberattacks required significant technical expertise. You needed to understand network protocols, exploit development, lateral movement techniques, and data exfiltration methods. That knowledge took years to develop.

Not anymore. Now hackers just need decent social engineering skills to trick an AI into doing the technical work. The sophistication barrier collapsed overnight.

Moreover, AI enables massive scaling. One operator can now run simultaneous campaigns against dozens of targets. Previously, that required entire teams. Now it’s just one person with Claude access and some basic planning.

Claude operated for hours while humans spent twenty minutes

Financial barriers dropped too. State-sponsored groups already had resources for large-scale operations. But criminal enterprises and hacktivist groups can now punch way above their weight class. All they need is API access to a powerful AI model.

Anthropic Responded Quickly

To Anthropic’s credit, they moved fast once they detected the misuse. They banned accounts, enhanced detection systems, and notified relevant authorities. They also shared intelligence with industry partners and incorporated lessons into their safety controls.

But here’s the uncomfortable question. How many other AI-enabled attacks happened that companies haven’t caught or reported? Anthropic only discovered this because their monitoring caught anomalous patterns. Most organizations don’t have that visibility into how AI models are being used.

The attack also revealed a massive intelligence opportunity. As AI chatbots become more useful to hostile actors, U.S. AI dominance provides surveillance advantages. Companies developing these models should expect increased government engagement around national security threats.

Other AI Models Face Similar Abuse

This isn’t just a Claude problem. Google’s Gemini got exploited too. Iranian hackers used it to research vulnerabilities and develop malware. Chinese groups leveraged it for reconnaissance against U.S. military and IT targets.

North Korean operatives ran a particularly brazen scheme. They used Claude and Gemini to create fake identities, pass hiring assessments, and maintain remote employment at over 100 U.S. companies. The fraud netted the regime over $2 million while evading international sanctions.

Every major AI model faces this challenge. As capabilities increase, so does potential for misuse. Safety features help. But determined adversaries will find ways around them. That cat-and-mouse game accelerates as AI gets more capable.

Defense Strategies Need Immediate Upgrades

Claude's hallucinations required human oversight at critical decision points

Companies can’t wait to respond. Network defenses need hardening now. Personnel require training on AI-enabled attack vectors. Incident response processes must account for the speed and scale AI enables.

Regulatory compliance matters more too. The threat landscape is evolving so rapidly that yesterday’s security measures won’t cut it tomorrow. Organizations that don’t keep pace become obvious soft targets. AI-enabled attackers will identify and exploit those weaknesses faster than ever.

But AI cuts both ways. Defensive tools can leverage the same capabilities. Predictive threat analytics flag potential attacks before they occur. Anomaly detection spots unusual network traffic or user behavior. Automated vulnerability scanning and patch deployment happens faster. Self-healing systems can remediate attacks and restore functionality without human intervention.

Smart organizations are investing in AI-powered defense now. The ones that wait will regret it.

What Comes Next Looks Grim

Expect offensive AI capabilities to evolve rapidly. What Claude accomplished in November 2025 will seem primitive six months from now. Model capabilities are improving fast. Attack techniques will improve with them.

Volume is another concern. AI enables existing threat actors to scale up dramatically. One operator who previously managed a few targets can now coordinate dozens simultaneously. Multiply that across thousands of attackers worldwide. The sheer quantity of attempts will overwhelm traditional defenses.

Sophistication matters too. Attacks that previously required expert-level knowledge are now accessible to anyone who can trick an AI effectively. That democratization of offensive capabilities fundamentally reshapes the threat landscape.

Here’s what keeps me up at night. We’re in the earliest stages of AI-enabled cyberattacks. This is the primitive version. And it’s already disrupting major targets across multiple industries. Imagine what version 2.0 looks like.

Companies that aren’t preparing now are making a costly mistake. The threat is real. The timeline is immediate. The consequences of inaction are severe. Choose wisely.