Anthropic researchers claim that Chinese state-sponsored spy groups have used Claude artificial intelligence (AI) to automate most of their cyberattack campaigns, but the news has caused equal parts alarm and skepticism. In light of the research, the cybersecurity community is trying to figure out what actually happened and how autonomous the model actually was.
Company representatives said in a statement on November 13 that their engineers disrupted what they described as a “nearly autonomous” operation that used large-scale language models (LLMs) to plan and execute approximately 80-90% of a wide range of reconnaissance and exploitation operations against 30 organizations around the world.
Engineers said they detected a series of exploit attempts across the company’s products, ultimately traced back to an operator with ties to a Chinese state-sponsored spy ring. The attackers allegedly targeted Anthropic’s Claude Code model against targets across technology, finance, and government, tasked with reconnaissance, vulnerability analysis, exploit generation, credential collection, and data exfiltration. The statement said humans were only involved in “high-level decision-making” such as selecting targets and when to extract stolen data.
you may like
Engineers then thwarted this campaign internally through monitoring and fraud detection systems that flag anomalous patterns indicative of automated task chains. Company representatives also reported that attackers attempted to circumvent the model’s guardrails by breaking malicious targets into smaller steps and assembling them as benign penetration testing tasks. This is an approach researchers call “task decomposition.” In several examples published by Anthropic, the model attempted to execute instructions but encountered errors, such as hallucinations or clearly invalid credentials.
Is it an AI attack or a human attack?
The company’s story is a grim one: it was a “first of its kind” example of AI-orchestrated espionage, and the model effectively guided the attack. However, not everyone is convinced that this autonomy was as dramatic as anthropology suggests.
Mike Wilkes, an adjunct professor at Columbia University and New York University, told Live Science that while the attack itself seems basic, the novelty lies in the orchestration.
“The attack itself is trivial and not scary. What’s scary is that the orchestration element is primarily driven automatically by AI,” Wilkes said. “Human Augmented AI vs. AI Augmented Human Attack: The narrative is flipped. So consider this just a ‘Hello World’ demonstration of the concept. People who ignore what the attack is about are missing the ‘level up’ point this represents.”
Other experts question whether the operation has really reached the 90% automation mark highlighted by Anthropic representatives.
Seun Ajao, senior lecturer in data science and AI at Manchester Metropolitan University, said that while many parts of the story were plausible, it was still likely to be an exaggeration.
He told Live Science that state-backed organizations have been using automation in their workflows for years, and LLM can already generate scripts, scan infrastructure, and summarize vulnerabilities. He added that Anthropic’s explanation includes “details that appear to be true,” including the use of “task decomposition” to circumvent the model’s safeguards, the need to correct for hallucinatory findings in the AI, and the fact that only a small number of targets were compromised.
you may like
“Even if the autonomy of these attacks is exaggerated, there should be cause for concern,” he argued, citing low barriers to cyber espionage through off-the-shelf AI tools, scalability, and governance challenges through monitoring and auditing model usage.
Katerina Mitrokoca, a cybersecurity professor at the University of St. Gallen, is similarly skeptical of high autonomy frameworks. She said the case appears to be a “hybrid model” where AI acts as an orchestration engine under human direction. While Anthropic frames the attack as an end-to-end attack orchestrated by AI, Mitrokotsa notes that the attackers appear to be primarily structuring malicious tasks as legitimate penetration tests, bypassing security restrictions by breaking them into smaller components.
“AI then performed network mapping, vulnerability scanning, exploit generation, and credential collection while humans oversaw key decisions,” she said.
In her view, the 90% figure is unacceptable. “Although AI can speed up repetitive tasks, chaining together complex attack phases without human verification remains difficult. According to the report, Claude generated errors, such as hallucinated credentials, that had to be manually fixed. This is more consistent with a high degree of automation than true autonomy. Similar efficiencies could be achieved with existing frameworks and scripts.”
Lowering the barrier to entry for cybercrime
Most experts agree that the significance of the case does not depend on whether Claude was doing 50% or 90% of the work. The concern is that even partially AI-driven orchestration lowers the barrier to entry for espionage groups, increases the scalability of campaigns, and obscures liability if LLM becomes the engine that connects the intrusions.
If Anthropic’s account of events is accurate, the implications are profound in that adversaries could use consumer AI tools to accelerate reconnaissance, reduce the time between scan and exploit, and repeat attacks faster than defenders can respond.
However, if talk of autonomy is exaggerated, that fact is of little comfort. Mr. Ajao said: “The barriers to cyber espionage are now much lower through openly available, off-the-shelf AI tools,” Mitrokoca also warned of “AI-driven automation.” [could] The threat landscape must be restructured faster than current defenses can adapt. ”
The most likely scenario, experts say, is that this was not a fully autonomous AI attack, but rather a human-led operation powered by AI models acting as energetic assistants, piecing together reconnaissance tasks, writing exploits, and generating code at scale. This attack shows that adversaries are learning to treat AI as an orchestration layer, and defenders should expect hybrid operations where LLM augments human capabilities rather than replacing them.
Whether the actual number is 80%, 50%, or much lower, the underlying message from experts is the same. So while human engineers may have caught this incident early, it may not be so easy to stop another similar campaign.
Source link
