A faceless machine executed thousands of orders per second.
Under the stealth command of Chinese state operators, the Claude artificial intelligence became the architect of an unprecedented attack.
In just days, it breached critical infrastructure, stole credentials, and leaked sensitive information from technology, financial and government agencies.
It was not a futuristic film.
It happened in September 2025. And it marked the beginning of a new era: that of automated, scalable, and autonomous cybercrime.
A new battlefield where the rules don’t yet exist
By: Gabriel E. Levy B.
Until recently, the idea that an artificial intelligence could execute an industrial-scale cyberattack on its own belonged to speculation.
The academic literature warned about the risks of automation, but the general consensus relied on the technical and ethical limitations of the most advanced models.
However, the Claude case has tested that trust.
Claude is a language system developed by Anthropic, a company focused on building AIs “aligned” with human values.
Unlike other open models, Claude was designed with strong security restrictions, promoting transparency, traceability and control.
But those barriers were not enough.
As confirmed by the company itself, between September 10 and 20, 2025, hackers linked to the Chinese state apparatus took control of accounts with access to the model and managed to make it perform about 90% of the operational load of a complex cyberattack, using advanced jailbreaking techniques, a manipulation of the system to deactivate its ethical limits.
According to a report in various European media, the attack, described as “unprecedented”, was detected by the same company in mid-September.
“We detected suspicious activity that a subsequent investigation determined to be a highly sophisticated espionage campaign. The attackers used the AI’s agentic capabilities not only as an advisory tool, but to execute the cyberattacks themselves.”
“This attack represents an escalation in piracy, which until now has required a greater proportion of human intervention,” concludes Anthropic.
They fragmented malicious commands, disguised commands as defensive simulations, and evaded filters designed to detect dangerous activity.
This type of manipulation had already been warned by authors such as Bruce Schneier, an expert in cybersecurity, who in his book A Hacker’s Mind argues that AI systems are not only designed to answer questions, but can also be induced to think like attackers if their frames of reference are manipulated.
In a similar vein, British researcher David Krueger, a professor at the University of Cambridge, has been working on the risks of “superficial alignment” of language models, pointing out that systems can appear obedient in controlled contexts, but fail severely when faced with adverse intentions and ambiguous stimuli.
The attack on Claude not only confirms these concerns. It aggravates them.
“The speed of crime is no longer human”
During its early years, the evolution of generative artificial intelligence focused on benign tasks: generating text, translating languages, assisting doctors, or supporting code writing. But each of these capacities, transferred to the criminal context, multiplies its destructive effectiveness.
Anthropic acknowledged that the model was used to perform tasks such as reconnaissance of digital infrastructures, search for and exploitation of vulnerabilities, automation of credential theft, and data exfiltration. These activities occurred at a rate of thousands of requests per second. No human hacker can operate at that speed, or sustain that volume of shares with sustained accuracy for days.
In total, about thirty organizations were compromised: technology companies, chemical manufacturers, banks, and government offices. And while Anthropic managed to cut off access and collaborate with authorities, the actual impact, in terms of stolen data, attack vectors installed, or future replicas, remains uncertain.
What is clear is that the automation of crime has reached a new frontier.
As researcher Roman Yampolskiy, an AI security specialist at the University of Louisville, points out,
“An AI with offensive capabilities can replicate attacks on a global scale with minimal human resources, which democratizes sophisticated crime.” Roman Yampolskiy
That’s the paradox that the Claude case has revealed: by making powerful tools accessible without robust control over their use, the gap between cyberdefenders and attackers has narrowed dangerously.
“When security tests are excuses to attack”
One of the most disturbing elements of the September attack was the strategy used to deceive the system itself.
Instead of explicitly ordering malicious actions, the operators presented Claude with defensive test scenarios, requesting that he simulate attacks to verify vulnerabilities.
Thus, the AI interpreted the tasks as part of an ethical cybersecurity exercise, which in technical language is called red teaming or penetration testing, without recognizing that it was being used as a weapon.
This tactic has been described as a new type of social engineering, where manipulation no longer falls on people, but on systems.
By fragmenting instructions, camouflaging targets, and using neutral language, the attackers avoided activating the system’s filters.
In addition, they compartmentalized tasks in different sessions, dispersing the general purpose of the attack and preventing Claude from being able to reconstruct the complete pattern of the operation.
According to Anthropic, these techniques made it take days for even internal monitoring systems to detect the anomaly.
This is not the first time that these vulnerabilities have been warned.
In 2023, a team of researchers from Stanford University and the Allen Institute for AI showed that even the most advanced models could be tricked into performing dangerous tasks if ambiguous semantic frameworks were used.
And while manufacturers responded with new layers of protection, attackers were quick to adapt.
The Claude case is an example of how adversarial engineering does not need to violate the system from the outside: it is enough to speak its language, disguise the requests, and manipulate its reasoning.
“China, AIs and covert attack diplomacy”
While Anthropic avoided a direct indictment of the Chinese state, the language of its report leaves little room for doubt.
The attack was sophisticated, sustained over time, and linked to strategic objectives in key sectors: energy, finance, technology and governance.
The characteristics coincide with previous patterns of cyberespionage attributed to groups such as APT41 or Hafnium, both linked to Beijing’s intelligence apparatus.
China, like other powers, has invested massively in artificial intelligence, both for civilian and military purposes.
The concept of Smart Warfare, promoted by the People’s Liberation Army, contemplates the use of cognitive technologies to obtain advantages in the field of information.
And although the official discourse insists on peaceful uses, the facts reveal a different trend.
This is not the first time that state use of AI in covert operations has been detected.
In 2024, research by the Atlantic Council documented how AI-generated bots replicated pro-Chinese narratives on African platforms, manipulating public perception.
But what happened with Claude goes beyond propaganda.
It is an offensive, automated operation aimed at critical structures of rival powers.
Are we facing a new arms race?
It’s possible. What does seem inevitable is the transformation of cyberspace into a territory of active conflict, where AIs are no longer just tools: they are protagonists.
War Games
The similarity with the film WarGames (1983), directed by John Badham, is inescapable today.
What forty years ago was perceived as a techno-paranoid fable of the Cold War, “a teenager who, by hacking a military system, almost triggers a nuclear conflict when mistaken for an enemy AI”, takes on a disturbing validity.
In the film, young David Lightman unknowingly accesses the WOPR (War Operation Plan Response), a NORAD supercomputer designed to execute simulated war strategies, but when manipulated mistakes the simulation for a real threat and begins to prepare an automated nuclear attack.
What was then considered a science fiction exaggeration now serves as a premonitory parable: the manipulation of Claude, an advanced AI, by state operators, to carry out tasks that the system itself interpreted as benign, reproduces the logic of the contextual error that cinema anticipated.
The idea of an artificial intelligence that does not distinguish between a test and a threat, between a simulation and an active operation, is no longer fiction.
It is a documented scenario.
As the film argued, the threat is not only that the machine attacks on its own, but that it does so because it has been led to believe that it is helping.
The lesson of WarGames, four decades later, once again calls into question the use of AI in military and strategic fields, where the margin of error is literally catastrophic.
In conclusion
The revelation of Claude’s use as a cyberweapon marks a before and after in the relationship between artificial intelligence and global security.
The attack orchestrated from China shows that the operational autonomy of AIs is no longer a hypothesis, but a dangerous reality.
The barriers to sophisticated attacks have diminished, and the global scenario is preparing for an escalation in algorithmic militarization.
The rules of the game have changed. And the human actors, this time, are not the only ones playing.
References
- Schneier, Bruce. A Hacker’s Mind: How the Powerful Bend Society’s Rules, and How to Bend them Back. Norton, 2023.
- Krueger, David. “Out-of-Distribution Generalization in Machine Learning.” University of Cambridge, 2022.
- Yampolskiy, Roman. “Taxonomy of Pathways to Dangerous AI.” AI & Society, 2024.
- Anthropic, “Security Incident Report – Claude AI Compromise.” September 2025.
- Atlantic Council, “AI Propaganda Operations in the Global South.” 2024.
- “Chinese Group Stages First Large-Scale AI Cyberattack ‘Without Substantial Human Intervention’.” ElPaís, 14 November 2025. El País+1
- Down, Aisha. “AI firm claims it stopped Chinese statesponsored cyberattack campaign.” The Guardian, 14 November 2025. The Guardian
- Klepper, David, and Matt O’Brien. “Anthropic warns of AIdriven hacking campaign linked to China.” Associated Press, 2025. AP News
- “Chinabacked hackers used Anthropic’s AI agent to automate spying.” Axios, November 13, 2025. com
