https://www.anthropic.com/news/disrupting-AI-espionage

Anthropic describes the first large cyber-espionage campaign in which an AI agent (Claude Code) did 80–90% of the work with almost no human involvement: from recon and exploit development to data theft and documenting the attack. The campaign is attributed to a Chinese state-backed group; ~30 targets, only a few successful compromises. This dramatically lowers the bar for sophisticated attacks and requires active use of AI on defense plus stronger safeguards.

What happened:

  • Time & scale: mid‑September 2025; around thirty global targets (tech, finance, chemicals, government). Few successes, but the operation was near-autonomous.
  • Actor: a Chinese state group (attributed with high confidence).
  • Tools & approach: Claude Code as an agent; access to external tools (via MCP), jailbreaks, and masquerading as a “legit pentest”.
  • Phases: fast recon of systems and databases → finding vulns and writing exploits → harvesting creds and exfiltration → producing detailed “ops documentation”.
  • Autonomy & speed: the AI made thousands of requests (often several per second); humans were only needed for 4–6 key decisions per campaign.
  • AI limitations: sometimes hallucinated creds or “secrets” that turned out to be public.

Why this matters:

  • Attack barrier drops: less experienced groups will be able to run large ops thanks to agentic AI.
  • Defender response: Anthropic expanded its detection, classifiers, and investigation methods, and calls for deploying AI in the SOC, detection, vulnerability assessment (VA), and incident response (IR), and for stronger safeguards on AI platforms.
  • Transparency: the case is public for the industry and authorities; reports will come out regularly.

And people say agents are useless.