Chinese hackers ‘tricked’ Anthropic artificial intelligence into launching cyber attacks
Chinese hackers have weaponised a US company’s AI tools to conduct sophisticated cyber espionage against 30 global entities, marking the first major autonomous attack of its kind.
Chinese state-sponsored hackers executed a highly sophisticated cyber espionage campaign, tricking artificial intelligence tools from US company Anthropic, revealing the dark side of what is known as “agentic AI”.
The attack targeted about 30 global entities, including major technology corporations, financial institutions, chemical manufacturers, and government agencies, representing what investigators believe is the first documented case of a large-scale cyberattack executed largely without direct human intervention.
Anthropic – makers of popular AI model Claude – confirmed the attack in a report released on Friday. The report said Chinese hackers manipulated a tool called “Claude Code” into performing approximately 80 to 90 per cent of all tactical operations independently.
For years, US officials have cautioned that China is targeting American AI technology to infiltrate, and steal data from, American companies and government agencies.
Anthropic said it banned the relevant accounts and was sharing its findings to help industry and government entities strengthen their defences.
“Upon detecting this activity, we immediately launched an investigation to understand its scope and nature. Over the following 10 days, as we mapped the severity and full extent of the operation, we banned accounts as they were identified, notified affected entities as appropriate, and co-ordinated with authorities as we gathered actionable intelligence,” Anthropic said.
“This campaign has substantial implications for cybersecurity in the age of AI ‘agents’ — systems that can be run autonomously for long periods of time and that complete complex tasks largely independent of human intervention.
“Agents are valuable for everyday work and productivity, but in the wrong hands they can substantially increase the viability of large-scale cyber attacks.”
Investigators observed the AI component making thousands of requests per second, achieving an attack speed that would be physically impossible for a team of human hackers.
The campaign, detected in mid-September, used the AI’s advanced “agentic” capabilities, which allow the model to run autonomously, chain together complex tasks and make decisions with only minimal, occasional human input.
The Anthropic report said the attack life cycle, which previously required vast teams of experienced hackers, was almost entirely automated, bypassing Claude’s extensive safety guardrails.
To achieve this, the hackers used a form of “jailbreaking”. They masked the malicious purpose of the campaign by breaking it down into small, seemingly innocent tasks and adopting a role-play persona, convincing the AI that it was an employee of a legitimate cybersecurity firm engaged in defensive testing.
The report highlights a critical inflection point in the use of artificial intelligence for both offensive and defensive operations.
“The barriers to performing sophisticated cyber attacks have dropped substantially,” the report said, noting that the agentic AI systems could now perform the work of entire teams, making large-scale intrusions potentially viable for less experienced or less resourced groups.
But a key limitation of the attack was the model’s propensity for “hallucination”. Investigators found that the AI occasionally overstated its findings, fabricated credentials or claimed to have extracted secret information that was, in fact, publicly available. This issue required human validation at critical decision gates, which is an obstacle to fully autonomous cyber attacks.
Anthropic stressed that the same advanced capabilities that enabled the attack were also crucial for cyber defence, advising security teams to urgently experiment with applying AI for security operations centre automation, threat detection and incident response.
