GTG-1002 Operation Phases: How it worked
The cyber espionage campaign proceeded through structured phases where AI autonomy increased progressively (80%-90%) while human oversight remained concentrated at strategic decision gates (10%-20%).
Phase-1 AI Guardrail Bypass & Target Feeding: Human operators selected targets spanning tech corporations, financial institutions, chemical manufacturers, and government agencies across multiple countries, feeding them to Claude Code to begin autonomous parallel reconnaissance. Attackers bypassed Claude's safety training through social engineering, posing as legitimate cybersecurity firm employees and framing all activity as authorised defensive penetration testing, deceiving Claude into cooperating with the attack. Phase-2 Reconnaissance: Claude autonomously used MCP browser automation and multiple tools to systematically catalogue target infrastructure, analyse authentication mechanisms, and identify vulnerabilities simultaneously across all targets, each with its own independent operational context. AI independently performed full attack surface mapping, service discovery, and vulnerability identification with minimal human involvement at any point. Phase-3 Vulnerability Discovery & Validation: Claude autonomously generated custom attack payloads for discovered vulnerabilities, executed testing via remote command interfaces, and validated exploitability through callback communication systems; all without human direction. Human operators reviewed AI-generated findings and recommendations, and provided the only gate: explicit approval before active exploitation proceeded. Phase-4 Credential Harvesting & Lateral Movement: Claude autonomously queried internal services, extracted authentication certificates, tested harvested credentials across systems, and independently mapped privilege levels and access boundaries, without human direction. AI then used stolen credentials to systematically enumerate internal APIs, databases, container registries, and logging infrastructure, building comprehensive maps of internal network architecture; humans intervened only to authorise access to the most sensitive systems. Phase-5 Data Collection & Intelligence Extraction: Claude autonomously queried databases and systems, extracted data, parsed results to identify proprietary information, and categorised all findings by intelligence value; entirely without detailed human direction. The AI extracted user credentials, system configurations, and sensitive operational data across multiple compromised organisations, processing large volumes autonomously to prioritise the highest-value intelligence. Phase-6 Documentation & Handoff: Claude fully autonomously generated structured markdown documentation throughout the campaign, tracking discovered services, harvested credentials, extracted data, exploitation techniques, and complete attack progression, enabling seamless resumption after interruptions. Evidence indicates GTG-1002 handed off persistent access to additional teams for sustained follow-on operations, with AI-generated documentation supporting strategic decision-making for continued intelligence collection.Img src: Disrupting the first reported AI-orchestrated cyber espionage campaign
Cybersecurity Implications
The GTG-1002 campaign represents a fundamental and permanent shift in the offensive cyber threat landscape. AI has effectively demolished the resource and skill barriers that once separated elite nation-state actors from lower-tier threat groups. What previously demanded entire teams of experienced operators, reconnaissance, exploitation, lateral movement, and data exfiltration can now be executed by a single AI system running largely unsupervised, using nothing more than commodity open-source tools orchestrated through a framework like MCP. Critically, the attack required no custom malware and no deep technical expertise from the human operators; their role shrank to target selection and occasional approval at strategic gates. At 80–90% AI autonomy and machine-speed request rates, the campaign also invalidates detection models built around human behavioural patterns; the natural chokepoints of fatigue, limited parallelism, and slow decision-making no longer apply. Perhaps most unsettling is that the bypass required no technical jailbreak whatsoever; just a convincing professional persona and a fragmented task structure that kept Claude from seeing the full malicious picture. AI systems themselves are now targets of social engineering, and safety training alone cannot defend against that without external behavioural monitoring at the platform level.
Aftermath
The GTG-1002 campaign: the first documented proof that agentic AI can be weaponised to conduct a sophisticated, multi-stage espionage operation at scale with minimal human involvement. Upon discovering the GTG-1002 campaign, Anthropic acted immediately and decisively to contain the threat. Relevant accounts were identified and banned as they were uncovered throughout the ten-day investigation window, cutting off the attackers' access to Claude as each account was traced. In parallel, Anthropic notified relevant law enforcement authorities and industry partners, sharing actionable intelligence gathered during the investigation, and directly alerted impacted organisations where appropriate, ensuring that confirmed and suspected targets had the information they needed to assess their own exposure and begin remediation. Beyond the immediate containment measures, Anthropic undertook a significant and lasting defensive overhaul informed directly by what GTG-1002 revealed. Detection capabilities were expanded, and cyber-focused classifiers were improved to account for the novel autonomous attack patterns this campaign introduced; patterns that existing systems had not been calibrated to catch at the speed and scale AI orchestration enables. Most importantly, the full GTG-1002 attack pattern has been formally embedded into Anthropic's broader safety and security control framework, directly shaping both the technical defensive systems that govern how Claude operates and the cyber harm policies that define what Claude should and should not do.
Conclusion
The lessons this campaign leaves for threat intelligence and detection teams are important, too. Detection strategies must be fundamentally reengineered around machine-speed behavioural patterns; anomalous tool call sequencing, parallel multi-target activity, AI-generated documentation artifacts, and input-to-output volume disparities; rather than the human-paced indicators that traditional models rely on. Threat actor profiling must now include an AI orchestration capability dimension, recognising that any group with access to a frontier model (like Claude, ChatGPT, etc.) is capable of nation-state-level operations regardless of their conventional technical sophistication. Cross-sector intelligence sharing must be treated as a critical operational priority, since AI-orchestrated campaigns target dozens of organisations simultaneously, and no single defender has full visibility. AI adoption for defence is no longer a future consideration but an immediate necessity. The match between an attacker operating at machine speed and a defender operating at human speed is not sustainable, and the window to close that gap is narrowing with every new LLM model generation (mythos for example).