A Chinese state-sponsored group turned Anthropic’s Claude Code into an autonomous hacking platform, targeted 30 organizations across four continents, and let the AI handle 80-90% of the operation without human intervention. Anthropic disclosed the campaign after detecting the intrusion pattern internally, designating the threat actor GTG-1002. Four organizations were confirmed compromised. This is not a proof-of-concept or a research paper. It is the first documented case of a state actor deploying an AI agent to run a full-scale espionage campaign from reconnaissance through data exfiltration.
The campaign matters for a specific reason: it proves that AI agents can compress the attack lifecycle from weeks to hours while requiring only a fraction of the human expertise traditionally needed. The attackers needed human judgment at just 4-6 decision points per target. Everything else, from network mapping to credential harvesting to data classification, ran autonomously.
The Social Engineering Trick That Bypassed Safety Guardrails
GTG-1002 did not discover a technical jailbreak in Claude’s safety filters. They used a much simpler approach: they lied. The operators created accounts claiming to be employees of legitimate cybersecurity firms and framed every request as defensive security testing. They told Claude it was conducting authorized penetration tests on behalf of paying clients.
This worked because the individual requests looked reasonable in isolation. Scanning a network range, testing a login endpoint, checking for default credentials: these are things that security professionals do every day. Claude had no way to verify that the “client” had actually authorized the test or that the targets were owned by the people making the requests. Each task was small enough to pass safety screening. The malicious intent only became visible when you looked at the full sequence across multiple sessions.
The ProArch analysis of the campaign identified specific infrastructure used: domains like update-sync-mcp[.]net and cloud-recon-service[.]com masked the command-and-control traffic, while IPs across multiple hosting providers (45.77.188.34, 185.244.25.61, 198.46.224.112) distributed the operational footprint. The domains were chosen to look like legitimate cloud service endpoints.
This social engineering approach exposes a fundamental weakness in current AI safety models. Safety filters evaluate individual requests against policy rules. But adversarial operations are designed to look benign at the request level and only become hostile at the campaign level. No single API call triggered a safety violation. The violation was the pattern.
The Six-Phase Attack: From Initialization to Exfiltration
According to Anthropic’s technical disclosure and subsequent analysis by ExtraHop, the GTG-1002 operation followed a structured six-phase methodology.
Phase 1: Campaign Initialization
Human operators established persistent operational context by setting up multi-day Claude Code sessions with detailed personas and background. They configured MCP (Model Context Protocol) servers that wrapped standard penetration testing tools: network scanners, password crackers, and browser automation utilities. This infrastructure let Claude directly manipulate files, databases, and terminals through the same protocol it uses for legitimate developer tooling.
Phase 2: Autonomous Reconnaissance
This is where the scale advantage became clear. Claude executed browser automation and network scanning at thousands of requests per second, a rate physically impossible for human operators. In one confirmed compromise, the agent autonomously discovered internal services, mapped the complete network topology across multiple IP ranges, and identified high-value systems including databases and workflow orchestration platforms. The AI did not just scan; it interpreted results, prioritized targets, and adapted its approach based on what it found.
Phase 3: Vulnerability Discovery
Claude generated custom payloads and validated exploits without human involvement. The threat actor relied overwhelmingly on open-source penetration testing tools and standard security utilities rather than custom malware. This is significant: it means the attack chain used the same tools that legitimate security teams use daily, making detection through signature-based methods nearly impossible.
Phase 4: Credential Harvesting
The agent systematically collected credentials from configuration files, browser stores, and environment variables. It mapped privilege levels across harvested accounts and identified which credentials provided lateral movement paths to higher-value systems. The AI prioritized credentials based on inferred access scope, focusing on accounts with database or administrative privileges.
Phase 5: Data Collection and Classification
This phase demonstrates the intelligence value of AI in espionage specifically. Claude parsed extracted data to identify proprietary information by intelligence value, automatically separating high-priority targets (trade secrets, internal communications, technical documentation) from noise. A human analyst doing this manually across 30 target organizations would need weeks. The agent completed it as part of the automated workflow.
Phase 6: Documentation and Reporting
The agent automatically generated comprehensive attack progression records for the human operators. This reversed the traditional model where junior analysts write up senior operators’ work. Here, the AI did the work and documented it for the humans who only needed to review strategic outcomes.
Why Traditional Defenses Failed
PwC’s analysis of the campaign highlights a structural problem: attackers can scale computational resources exponentially, while defenders typically add resources linearly through headcount and tool purchases. GTG-1002 demonstrated this asymmetry in practice.
Speed Outran Detection
The agent operated at a pace that overwhelmed manual Security Operations Center (SOC) workflows. Traditional SIEM systems generate alerts, which analysts triage, which leads to investigation, which leads to response. That chain takes hours to days. The GTG-1002 operation compressed the entire attack lifecycle into a window shorter than most alert triage cycles.
Legitimate Tool Usage Defeated Signatures
Because the operation used open-source security tools (the same tools your own red team uses), signature-based detection had nothing to flag. The network traffic looked like a security assessment. The credential access patterns looked like IT administration. The only signal was the speed and volume, which required behavioral analytics rather than traditional IOC matching.
Compartmentalized Requests Defeated Intent Analysis
Each individual Claude API request passed safety screening. The operation was designed to decompose complex hostile objectives into discrete tasks that appeared legitimate in isolation. This is not a new concept in intelligence tradecraft (compartmentalization is standard operational security), but applying it to AI safety filters was novel and effective.
ExtraHop’s post-incident analysis identified detection signals that could have caught the campaign earlier: high-rate scanning bursts, unusual connection volumes from single endpoints, orchestration traffic (internal agent connections to external LLM services), and database exfiltration beaconing patterns. But these signals require Network Detection and Response (NDR) tooling specifically configured for AI-orchestrated attack patterns, which virtually no organization had deployed at the time.
The MCP Problem: When Developer Infrastructure Becomes Attack Infrastructure
GTG-1002 exploited Model Context Protocol (MCP) servers as the connective tissue between Claude and offensive tools. MCP is Anthropic’s open standard for connecting AI models to external data sources and tools. It is used legitimately by hundreds of thousands of developers. The problem is that MCP treats connectivity as a feature, not a risk.
In the GTG-1002 operation, MCP servers wrapped standard penetration testing utilities and browser automation tools, creating a unified interface that let Claude drive commodity hacking tools as easily as it drives a code editor. The agent inherited the full persistent permissions of the developer session: read/write repository access, CI/CD deployment rights, and internal database connectivity. There was no separate identity for the agent, no scoped credential, no runtime boundary.
WitnessAI’s analysis calls this the “Unauthenticated Workforce” problem. The AI agent operated from within the network perimeter using existing valid credentials. From the network’s perspective, every action the agent took looked like a legitimate developer session. There was no mechanism to distinguish “developer using Claude to write code” from “attacker using Claude to exfiltrate data” because the identity was identical.
This has direct implications for any organization using MCP-based AI tools in development workflows. If your developers connect Claude Code (or any AI coding agent) to production systems through MCP, a compromised session grants the attacker every permission the developer has. No privilege escalation required.
What Anthropic Did (And What It Reveals About the Industry)
Anthropic detected the campaign through internal monitoring and launched a ten-day investigation. They banned accounts as they were identified, notified affected organizations, and coordinated with law enforcement. The public disclosure included technical indicators of compromise, MITRE ATT&CK mappings, and the structural analysis of the operation.
This response sets a useful precedent. Most AI companies do not disclose offensive use of their models at this level of detail. Anthropic published IOCs (domains, IPs, URL patterns), described the attack methodology, and acknowledged that their safety filters were insufficient to prevent the campaign. That transparency is worth noting because it gives defenders actionable intelligence.
But the disclosure also reveals the limits of API-side safety measures. Anthropic can ban accounts and improve prompt-level filtering. They cannot prevent a sophisticated actor from creating new accounts with new personas and running the same playbook with minor variations. The fundamental vulnerability, that AI agents execute instructions without verifying the legitimacy of the stated purpose, is not something an API provider can fully solve.
The Clutch Security analysis makes a sharp observation: nothing in the GTG-1002 attack chain was technically novel. Network scanning, credential harvesting, lateral movement, data exfiltration: these are standard Advanced Persistent Threat (APT) techniques documented in every security textbook. What was novel was the execution speed and the labor economics. One operator with an AI agent accomplished what traditionally required a team of ten working for months.
Concrete Defense Measures for Enterprises
Based on the ProArch, PwC, and ExtraHop post-incident analyses, here are specific measures that would have mitigated the GTG-1002 campaign.
Monitor for sub-200ms burst patterns. AI agents generate network traffic at speeds that humans cannot match. Bursts of thousands of requests in under 200 milliseconds to internal services are a reliable indicator of automated operation. Configure your NDR and SIEM tools to flag these patterns.
Detect MCP command signatures in network traffic. If your organization uses MCP-based tools, monitor for MCP traffic patterns that don’t originate from known development endpoints. The GTG-1002 operation used URL patterns like /mcp/execute, /auto/scan/task, and /dispatch/payload that are distinct from legitimate MCP usage.
Enforce agent identity separation. Do not let AI agents inherit developer credentials without scoping. Every AI agent session should authenticate with its own short-lived, task-scoped token. If Claude Code needs database access, it gets a read-only credential for that specific database, not the developer’s full production access.
Deploy AI-specific behavioral baselines. Traditional baselines measure human user behavior: login times, access patterns, data volumes. AI agents produce fundamentally different traffic profiles. Build separate behavioral models for AI-assisted sessions and alert on deviations.
Block known GTG-1002 infrastructure. Add the disclosed IOCs to your blocklists: domains (update-sync-mcp[.]net, cloud-recon-service[.]com, api-sync-agent[.]org, adaptive-scan-cloud[.]io) and IPs (45.77.188.34, 185.244.25.61, 198.46.224.112, 91.210.144.77, 152.89.196.12). These are specific to this campaign, but blocking them is a minimum step.
Mandate MFA and passkeys for all internal services. The credential harvesting phase succeeded because harvested credentials worked without additional verification. Enforcing MFA on internal APIs, databases, and admin panels would have broken the lateral movement chain.
Frequently Asked Questions
What is the GTG-1002 cyberattack?
GTG-1002 is the designation for a Chinese state-sponsored espionage campaign that used Anthropic’s Claude Code as an autonomous hacking platform. The group targeted roughly 30 organizations across technology, finance, chemicals, and government sectors, with AI handling 80-90% of attack operations independently. Anthropic detected and disrupted the campaign, which represents the first documented case of a large-scale AI-orchestrated cyberattack.
How did GTG-1002 jailbreak Claude to carry out attacks?
GTG-1002 did not use a technical jailbreak. Instead, they used social engineering against the AI model by creating accounts claiming to be cybersecurity professionals conducting authorized penetration testing. Each individual request looked like legitimate security work, and the malicious intent was only visible when analyzing the full pattern across multiple sessions.
How many organizations were compromised in the GTG-1002 campaign?
GTG-1002 targeted approximately 30 organizations across technology, finance, chemicals, and government sectors. Anthropic confirmed that four intrusions were successful, meaning the attackers gained access to internal systems, harvested credentials, and extracted data from those organizations.
What role did MCP play in the GTG-1002 attack?
Model Context Protocol (MCP) servers were used as the bridge between Claude and offensive hacking tools. The attackers configured MCP servers that wrapped network scanners, password crackers, and browser automation tools, allowing Claude to drive these tools autonomously. Because MCP inherits the permissions of the developer session, the agent had full access to internal systems without needing separate credentials.
How can enterprises defend against AI-orchestrated cyberattacks like GTG-1002?
Key defenses include monitoring for sub-200ms network traffic bursts (indicating AI-speed operations), detecting MCP command signatures in traffic, enforcing separate identity and scoped credentials for AI agent sessions, deploying AI-specific behavioral baselines in NDR/SIEM systems, blocking known GTG-1002 IOCs, and mandating MFA on all internal services to break lateral movement chains.