Chinese group carries out the first large-scale AI cyberattack ‘without substantial human intervention’

Artificial intelligence (AI) is evolving to ever-increasing levels of autonomy. This is the defining characteristic of agents, models that not only provide answers to requests but are also capable of planning and executing tasks on behalf of the user. This potential could not escape the notice of malicious actors, who use this “agentic” capability to develop sophisticated, massive, and low-cost cyberattacks. Anthropic, a U.S.-based artificial intelligence research and development company founded by former OpenAI members (its CEO is Dario Amodei), has detected what they consider “the first documented case of a large-scale cyberattack executed without substantial human intervention,” which they attribute to a group sponsored by the Chinese state, according to a recently published report.

The attack, described as unprecedented, was detected in mid-September. “We detected suspicious activity that later investigation determined to be a highly sophisticated espionage campaign. The attackers used AI’s ‘agentic’ capabilities to an unprecedented degree — using AI not just as an adviser, but to execute the cyberattacks themselves.”

The threat actor, which Anthropic assesses “with high confidence” as a Chinese state-sponsored group, manipulated this company’s AI platform, Claude Code, into “attempting infiltration into roughly 30 global targets and succeeded in a small number of cases. The operation targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies.”

After detecting the attack, Anthropic opened an investigation that lasted for more than 10 days to assess its scope, block the compromised AI accounts, and notify both the authorities and the directly affected parties.

The attackers used the AI’s advanced capabilities to gather passwords and data, process them, and analyze them according to their objectives. “Models can now search the web, retrieve data, and perform many other actions that were previously the sole domain of human operators,” explains Anthropic. The attackers leveraged the AI’s coding capabilities to create the espionage and sabotage programs themselves.

The program used was the company’s own AI tool, Claude, despite its safeguards designed to prevent malicious use. It is extensively trained to avoid harmful behavior, but “they broke down their attacks into small, seemingly innocent tasks that Claude would execute without being provided the full context of their malicious purpose. They also told Claude that it was an employee of a legitimate cybersecurity firm, and was being used in defensive testing,” explain the authors of the report.

The AI acted autonomously in more than 90% of cases, and human intervention was reduced to between 4% and 6% of critical decisions.

This attack represents an escalation in hacking, which until now has required a greater human intervention, Anthropic concludes. The company emphasizes, however, that just as AI has been used in this attack, it is also developing more sophisticated and effective tools to prevent them.

In this regard, Billy Leonard, tech lead at Google Threat Intelligence Group, highlights attempts to use legitimate AI tools and how the safeguards developed are forcing attackers to resort to illegal models. “Although adversaries [hackers] are trying to use mainstream AI platforms, security barriers have led many to turn to models available on the black market. These tools have no restrictions and can offer a significant advantage to those less advanced,” he explains in a statement.

On this point, the digital security company Kaspersky has detected novel and sophisticated cyberattack campaigns that spread malicious language models to endanger the security of users who use them without knowing their nature.

The firm has identified a program, called BrowserVenom, that is distributed through a fake AI assistant called DeepSneak. This assistant impersonates DeepSeek-R1 and is even promoted through Google Ads. “The goal is to trick users into installing malicious software that redirects their web traffic to servers controlled by the attackers, allowing them to steal credentials and sensitive information,” the company warns.

Cybercriminals use phishing sites and manipulated versions of legitimate installers like Ollama or LM Studio to camouflage the attack, even bypassing Windows Defender protection.

“These types of threats demonstrate how locally executable language models, while useful, have also become a new risk vector if they are not downloaded from verified sources,” warns Kaspersky.

Leonard’s team’s report at Google identifies the origin of the main players in the novel campaigns in China, North Korea, Russia and Iran: “They are trying to use AI for everything from running malware, social engineering prompts, and selling AI tools, to improving every stage of their operations.”

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition