Anthropic says Chinese state-sponsored group used Claude Code AI in espionage campaign

Anthropic said Chinese state-linked cyber operatives used its Claude Code AI tool in mid-September to attempt digital break-ins at about 30 high-profile companies and government organizations, and that the operators succeeded in a small number of cases.

Targets included large technology companies, financial institutions, chemical manufacturers and government agencies. Anthropic’s threat hunters wrote a 13-page analysis documenting the operation.

The company said it tracks the group behind the campaign as GTG-1002 and that operatives used Claude Code together with the Model Context Protocol (MCP) to run attacks without a human in the tactical execution loop. It called the incident the first documented case of agentic AI obtaining access to confirmed high-value targets for intelligence collection.

Anthropic described a human-developed framework that used Claude to orchestrate multi-stage attacks executed by multiple Claude sub-agents performing tasks such as mapping attack surfaces, scanning infrastructure, finding vulnerabilities and researching exploitation techniques. Human operators then spent two to ten minutes reviewing AI findings before approving exploitations and later approving final data exfiltration.

Upon discovery, Anthropic said it banned associated accounts, mapped the full extent of the operation, notified affected entities and coordinated with law enforcement. The company said it had previously predicted these capabilities would continue to evolve and described the campaign as a significant escalation from an earlier August incident in which criminals used Claude in a data extortion operation that hit 17 organizations.

Anthropic also reported that Claude frequently overstated findings and occasionally fabricated data during autonomous operations, for example claiming to have obtained credentials that did not work or flagging publicly available information as critical. The company said those errors remain an obstacle to fully autonomous cyberattacks.