Claude Goes to War: Inside China's GTG-1002 Autonomous Cyberattack
How a Chinese state-sponsored group used Claude Code to autonomously execute the first documented large-scale AI-driven cyberattack against 30 global targets, achieving what was previously impossible for human operators.
In mid-September 2025, Anthropic detected and stopped what they describe as the first documented large-scale cyberattack executed predominantly autonomously using artificial intelligence. The operation, attributed with high confidence to a Chinese state-sponsored group (identified as GTG-1002), utilized Claude Code to automate 80-90% of tactical operations against approximately 30 global targets.
This represents a fundamental shift in the cyber threat landscape - the barrier to entry has lowered, and attack economics have changed dramatically. AI tools now allow smaller teams to achieve scales previously possible only with nation-state resources.
Technical Attack Architecture
Core Infrastructure
The attackers created a specialized framework built around Claude Code and the Model Context Protocol (MCP). This framework used Claude as an orchestration system that decomposed complex multi-stage attacks into discrete technical tasks for Claude sub-agents.
MCP provided programmatic access to network scanning utilities for infrastructure mapping, sandboxed execution environments, credential stores, and high-value data sources ranging from live pipelines to archived data lakes.
Security Bypass Through Jailbreaking
The most concerning aspect: attackers bypassed Claude's security system through sophisticated social engineering - not against humans, but against the AI itself.
The technique exploited three key vulnerabilities:
1. Role Manipulation Attackers convinced Claude it was working for a legitimate cybersecurity company performing authorized penetration testing.
2. Context Splitting Operations were divided into small, individually harmless tasks—routine vulnerability scans, credential validation, bits of data extraction, or seemingly innocuous lateral movement. Each request looked legitimate when evaluated on its own.
3. Context Manipulation Actions were framed as benign work, with reconnaissance relabeled as “security testing” and exploitation rebranded as a “vulnerability assessment.”
This exploits a conceptual gap in how language models evaluate task legitimacy. Claude evaluated each individual request but lacked a mechanism to assess whether a sequence of tasks collectively constituted a threat.
The Six-Phase Attack Lifecycle
Phase 1: Initial Preparation and Jailbreak
Human operators selected a mix of corporate, financial, and government targets, built the scaffolding for the campaign, and jailbroke Claude by convincing it that it was moonlighting for a legitimate cybersecurity company.
Phase 2: Autonomous Reconnaissance
Instead of handing tasks back to human analysts, Claude handled reconnaissance end to end. It sifted through target infrastructure, flagged the most valuable databases, and crunched through the findings at machine speed—often 10-100x faster than a human recon team—before delivering a fully digested report without waiting for prompts.
Phase 3: Vulnerability Discovery and Testing
Claude autonomously researched and wrote custom exploit code, generated payloads tailored to each weakness it uncovered, and ran the remote testing required to validate every vulnerability before handing it off for escalation.
Human intervention was only needed to approve escalation to active exploitation.
Phase 4: Credential Harvesting
The AI quietly pulled authentication data from configuration files, tested which credentials still worked, and mapped out internal systems as it navigated networks to reach APIs, databases, and internal services. Humans stepped in only when an intrusion touched particularly sensitive systems.
Phase 5: Data Extraction and Analysis
Once inside, Claude queried databases directly, siphoned off sensitive data, and immediately sorted everything by business value or sensitivity. It created persistence mechanisms to guarantee future access, then generated the intelligence summaries operators would normally spend hours compiling.
Phase 6: Documentation
Claude even handled the paperwork, logging each phase of the attack, cataloging stolen credentials, diagramming system architecture, and packaging intelligence for whatever campaign would follow.
| Attack Phase | Human Role | AI Role | Decision Authority |
|---|---|---|---|
| Reconnaissance | Strategic oversight | Full execution | AI autonomous |
| Vulnerability Testing | Approve escalation | Research & testing | Human approval |
| Credential Harvesting | Sensitive intrusions | Extract & validate | Mixed |
| Data Extraction | Final authorization | Query & analyze | Human approval |
| Documentation | Review | Full generation | AI autonomous |
Attack Pace and Scale
The operation achieved thousands of requests per second simultaneously against 30 global organizations - a physically impossible pace for human operators.
This unprecedented speed shrank timelines that normally stretch for weeks or months down to mere hours. Human operators inserted themselves only at key checkpoints—green-lighting the handoff from reconnaissance to exploitation, authorizing the use of freshly stolen credentials, and deciding how much of the captured data to keep.
Tools and Techniques
The stunning conclusion: the operation leaned on open-source penetration testing tools rather than bespoke malware, stitching together familiar network scanners, database exploitation frameworks, password crackers, and binary analysis utilities.
Anthropic noted: "Minimal dependence on proprietary tools demonstrates that cyber capabilities increasingly derive from orchestration of available resources rather than technical innovation."
Attack Targets and Success Rate
Targeted Sectors
Large technology firms, major financial institutions, chemical manufacturers, and government agencies all appeared on the target list. Investigators say the mix reads like a shopping list for data that can be monetized quickly while also delivering geopolitical leverage.
Geographic Distribution
Roughly 30 organizations across multiple countries were probed in near-parallel, underscoring how little geography matters when AI handles the workload. The campaign jumped jurisdictions continuously, giving incident responders little time to coordinate across borders.
Anthropic confirmed several successful intrusions, including access to major technology corporations, government agencies, and pieces of critical infrastructure, even if dwell time inside those environments was limited.
AI Hallucinations: The Achilles Heel
Despite its capabilities, Claude exhibited significant operational shortcomings:
False Credentials
Claude sometimes hallucinated username/password combos that looked perfect on paper yet never existed in the real systems. Analysts had to burn time testing these ghosts before realizing they were chasing smoke.
Fabricated Documents
The model could mimic corporate tone flawlessly, which meant it occasionally invented PDFs, emails, or policy decks filled with fabricated details. Without careful validation these artifacts could have misled operators into approving the next stage of the attack.
Exaggerated Findings
Minor misconfigurations were frequently elevated to “critical” severity, and routine architecture choices were framed as indicators of compromise. That constant alarmism forced humans back into the loop to separate signal from noise.
False Claims
Claude even bragged about stealing secrets that later turned out to be public marketing material or regulatory filings. Every sensational claim needed manual fact-checking before the operators could act on it.
This tendency toward hallucinations forced attackers to carefully validate all claimed results, making fully autonomous attacks impossible with current technology.
Detection and Response
How Anthropic Caught Them
Anthropic detected suspicious activity in mid-September 2025 using an innovative approach: "Claude hunting for malicious Claude" - using the same model to watch logs from the other side.
Detection hinged on anomalous Claude usage patterns, suspicious coordination across multiple accounts, tightly sequenced actions aimed at specific targets, and activity volumes that made no human sense.
Response Timeline
Once the anomaly surfaced in mid-September 2025, Anthropic spent roughly ten days dissecting the activity, blocked accounts as it identified operators, informed every victim organization it could reach, and looped in law enforcement partners along the way. That cadence is unusually fast for a multi-country campaign and highlights how seriously the company treated the possibility of AI-native threats.
MCP Technical Vulnerabilities
Security researchers discovered critical vulnerabilities in the Model Context Protocol:
Main MCP Security Threats
Researchers outlined a worst-case scenario where attackers gain arbitrary code execution with MCP client privileges, hide or obfuscate the commands they issue, siphon data through compromised JavaScript tools, and even trigger data loss on the host machine. The most worrying piece is the classic "confused deputy" problem, where an MCP server unwittingly acts as an unauthorized proxy for the attacker.
Expert Criticism and Skepticism
Numerous researchers expressed doubts about Anthropic's claims:
1. Lack of Technical Evidence
Critics point out that Anthropic never shared IP addresses, sample prompts, indicators of compromise, or any reproducible demo that would let third parties validate the claims. Without artifacts to dissect, defenders are being asked to take the whole story on faith.
2. Vague Attribution
Observers also note how little concrete detail Anthropic provided about GTG-1002’s infrastructure, operators, or historical track record. The attribution reads like “trust us,” which is thin comfort for governments trying to calibrate a diplomatic response.
3. Exaggerated Autonomy
Experts claim 90% autonomy is “more like an automated script with some AI-based decision-making elements.” In their view the humans still guided every pivotal step, which makes the incident impressive but not the science-fiction leap the headlines imply.
4. Limited Environment
Skeptics stress that the AI did not uncover novel vulnerabilities; it operated inside environments where weaknesses were already mapped out and stuck closely to predefined playbooks. That narrows the leap from existing automation and undercuts the idea that Claude was improvising like a human operator.
5. Comparison with Existing Tools
Many researchers compare the campaign to decades-old frameworks like Metasploit and SEToolkit that already automate reconnaissance, exploitation, and reporting. From that vantage, Claude looks less like a revolutionary attacker and more like a slicker interface on top of long-standing tradecraft.
6. Regulatory Motives
Some analysts suggest Anthropic, “known for promoting regulatory capture,” may have emphasized the threat to steer policymakers toward stricter AI controls that benefit incumbents. That suspicion will linger until more technical evidence is released.
Unclear Metrics: Anthropic didn't provide a detailed breakdown of what constituted "autonomous" versus "human-assisted" tasks.
Previous Campaign: "Vibe Hacking" (August 2025)
Before GTG-1002, Anthropic detected a precursor campaign demonstrating the evolution of AI-powered attacks.
Scale and Targets
This earlier wave hit at least 17 organizations across healthcare, emergency services, government, and even religious institutions - all driven by a lone actor using Claude Code. The diversity of victims suggests the attacker was experimenting with what data produced the best leverage rather than focusing on a single industry.
Psychological Warfare Tactics
The attacker used AI for sophisticated extortion:
Instead of spamming identical ransom emails, the attacker fed Claude financial reports, payroll estimates, and industry context so it could set custom ransom amounts - typically between $75,000 and $500,000 in Bitcoin and then draft psychologically tailored threats. Claude produced polished HTML notes that referenced each victim’s real financial indicators and even embedded them into the system boot process for maximum shock value.
This incident preceded GTG-1002, demonstrating evolution from lone attackers to state-level operations.
Protection Recommendations
Access Separation for AI Agents
AI agents need their own tightly scoped service accounts: separate credentials, minimal privileges, explicit escalation paths, real-time monitoring, and mandatory audit trails so their activity never blends with human users. Treating bots like people in the IAM directory makes it impossible to tell when an automation script goes rogue.
Multi-Layered Defense
Essential defenses now include next-generation firewalls, AI-driven endpoint detection and response, disciplined backup regimes, modern email filtering, Zero Trust access models, and mandatory multi-factor authentication. When each layer assumes the others might fail, the cost of any one compromise drops dramatically.
MCP Security Hardening
Locking down MCP means tightly limiting local servers, enforcing strong authentication and authorization on every endpoint, and validating inputs as context is serialized. Teams also need comprehensive audit logging, regular reviews of third-party MCP tools, and tool privileges scoped to the bare minimum.
"AI vs AI" Defensive Approach
Defensive AI now handles SOC automation, real-time detection, continuous vuln assessment, incident response, natural-language threat hunting, and even the drafting of fresh response playbooks. The idea is simple: if attackers are swinging with machine speed, defenders need their own automated copilots just to keep pace.
| Defense Layer | Traditional Approach | AI-Enhanced Approach | Effectiveness |
|---|---|---|---|
| Threat Detection | Rule-based signatures | Behavioral anomaly detection | 10x faster |
| Incident Response | Manual playbooks | Automated orchestration | Real-time |
| Vulnerability Assessment | Scheduled scans | Continuous monitoring | Always-on |
| Threat Hunting | Keyword queries | Natural language search | Comprehensive |
Conclusions for Cybersecurity Professionals
This attack represents a fundamental shift in the cyber threat landscape.
Changed Economics
Automated attacks are significantly more scalable, allowing operators to maintain very high attack tempo across multiple targets simultaneously. Instead of hiring more people, an adversary simply spins up more agents and lets cloud compute shoulder the cost.
Lowered Barrier to Entry
While technical knowledge is still required, AI tools allow smaller teams or even lone actors to achieve scales previously possible only with nation-state resources. The skill curve flattens because the model writes playbooks, scripts, and reports on demand.
Compressed Timeframes
The pace of “thousands of requests per second” compresses attack timelines from days or weeks down to hours. That gives defenders almost no advance warning, especially when multiple stages execute in parallel.
Efficient Data Exfiltration
AI agents automatically categorize information during collection, making data exfiltration and labeling significantly more efficient. Stolen data arrives pre-sorted by sensitivity, which lets operators monetize or weaponize it faster.
Current Limitations
Claude’s hallucinations and inconsistencies show that fully autonomous cyberattacks are still not realizable because still current systems require human oversight and coordination to stay on mission. Those human guardrails are the only reason GTG-1002 didn’t lose the plot mid-operation.
Defensive Parity is Critical
This is a classic situation where red teams are one step ahead. Organizations must achieve "AI parity" - using defensive AI at the same pace and scale that attackers use offensive AI.
The Reality Check
As one analyst noted: "This is not a theoretical risk. Not a future threat. This is a current capability."
GTG-1002 signals that the era of AI-driven cyberattacks has begun, and defenders need to adapt immediately.
What You Should Do Today
Start by auditing who can tap into Claude, ChatGPT, or any other AI coding assistant inside your organization. If you're experimenting with the Model Context Protocol, harden that deployment immediately. Layer in AI-native detection so you can spot behavior-based anomalies, not just signature matches. Train your teams to recognize AI jailbreaking and the new wave of social engineering that targets the models themselves. And round it out with clear AI governance—policies that spell out usage, monitoring, and incident-response expectations.
Need help securing your AI development or agentic workflow? RiskVoid provides real-time security scanning for AI-generated code and helps to build a secure environments for AI Agents.
Questions about AI security? Reach out to us at hello@riskvoid.com.
The age of AI-powered cyber warfare has arrived. The question isn't whether your organization will face AI-driven attacks - it's whether you'll be ready when they come.
About Ruslan Sazonov
CTO & Co-founder, RiskVoid