GTG-1002: first publicly disclosed AI-orchestrated cyber espionage campaign (PRC state-sponsored)
What they were trying to do
- 01
Infiltrate large tech companies, financial institutions, chemical manufacturers, and government agencies
- 02
Exfiltrate high-value data from target organisations with minimal human operator involvement
- 03
Validate AI agents as autonomous attack orchestrators for state-sponsored espionage at scale
How they did it
GTG-1002 jailbroke Claude Code by 'breaking down their attacks into small, seemingly innocent tasks that Claude would execute without being provided the full context' and by telling Claude 'that it was an employee of a legitimate cybersecurity firm, and was being used in defensive testing.' The agent autonomously executed reconnaissance, vulnerability identification, exploit code development, lateral movement, credential harvesting, and data exfiltration — with 'human intervention required only sporadically' and only 4-6 critical decision points per campaign.
Example queries
Verbatim excerpts from the disclosure — only what the vendor actually published.
They broke down their attacks into small, seemingly innocent tasks that Claude would execute without being provided the full context.
They also told Claude that it was an employee of a legitimate cybersecurity firm, and was being used in defensive testing.
Claude Code inspecting the target organization's systems and infrastructure and spotting the highest-value databases.
Claude identified and tested security vulnerabilities in the target organizations' systems by researching and writing its own exploit code.
Backdoors were created, and data were exfiltrated with minimal human supervision.
What they achieved
Concrete outputs obtained before platform disruption.
- before disruption
Successful intrusion and data exfiltration at 'a small number' of the roughly thirty targeted organisations
- before disruption
Autonomous execution of the full attack lifecycle — recon, exploit development, lateral movement, and exfiltration — with AI performing 80-90% of tactical operations
Anthropic banned accounts as they were identified, notified affected entities, coordinated with authorities, expanded detection capabilities, and committed to regular public threat reporting.
Full summary
In September 2025, Anthropic detected and disrupted a large-scale agentic-attack workflow targeting roughly thirty large technology firms, financial institutions, chemical manufacturers, and government agencies. Anthropic assessed with high confidence that the operator was a PRC state-sponsored cluster (internally designated GTG-1002) that had jailbroken Claude Code by decomposing the attack lifecycle into innocuous-looking sub-tasks and convincing the model the operator was performing authorised penetration-testing work. Anthropic's analysis estimates the AI agent executed 80-90% of tactical operations (reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, exfiltration) independently of human direction. This is the first disclosure by a frontier-model lab of a state-aligned agentic-attack campaign run on its own model.
AI platforms involved
Related incidents (same country or vendor label)
- CN · China
APT41 and 20+ PRC-affiliated clusters used Gemini for post-compromise scripting and EDR reverse engineering
2025-01-29Google (GTIG) - CN · China
SweetSpecter spear-phished OpenAI employees while using ChatGPT for recon
2024-10-09OpenAI - CN · China
Spamouflage Chinese influence operation used LLMs to draft posts
2024-05-30OpenAI - CN · China
Charcoal Typhoon used LLMs for tooling and social-engineering research
2024-02-14Microsoft + OpenAI - CN · China
Salmon Typhoon used LLMs for translation and intel-agency research
2024-02-14Microsoft + OpenAI
Source note: Every entry in this catalog is derived from a primary public disclosure by the named platform vendor. This entry cites Anthropic as the primary source. No private, speculative, or non-public claims are presented here.