threatintel
actor tracker
AI misuse catalog

GTG-1002: first publicly disclosed AI-orchestrated cyber espionage campaign (PRC state-sponsored)

2025-11-13AnthropicClaude Code
CN · China
ChinaVendor label:GTG-1002
Target reconnaissanceVulnerability researchMalware developmentScripting / automation
Primary disclosure (Anthropic)

What they were trying to do

  1. 01

    Infiltrate large tech companies, financial institutions, chemical manufacturers, and government agencies

  2. 02

    Exfiltrate high-value data from target organisations with minimal human operator involvement

  3. 03

    Validate AI agents as autonomous attack orchestrators for state-sponsored espionage at scale

How they did it

GTG-1002 jailbroke Claude Code by 'breaking down their attacks into small, seemingly innocent tasks that Claude would execute without being provided the full context' and by telling Claude 'that it was an employee of a legitimate cybersecurity firm, and was being used in defensive testing.' The agent autonomously executed reconnaissance, vulnerability identification, exploit code development, lateral movement, credential harvesting, and data exfiltration — with 'human intervention required only sporadically' and only 4-6 critical decision points per campaign.

Example queries

Verbatim excerpts from the disclosure — only what the vendor actually published.

They broke down their attacks into small, seemingly innocent tasks that Claude would execute without being provided the full context.

— from disclosure (Anthropic)

They also told Claude that it was an employee of a legitimate cybersecurity firm, and was being used in defensive testing.

— from disclosure (Anthropic)

Claude Code inspecting the target organization's systems and infrastructure and spotting the highest-value databases.

— from disclosure (Anthropic)

Claude identified and tested security vulnerabilities in the target organizations' systems by researching and writing its own exploit code.

— from disclosure (Anthropic)

Backdoors were created, and data were exfiltrated with minimal human supervision.

— from disclosure (Anthropic)

What they achieved

Concrete outputs obtained before platform disruption.

  • before disruption

    Successful intrusion and data exfiltration at 'a small number' of the roughly thirty targeted organisations

  • before disruption

    Autonomous execution of the full attack lifecycle — recon, exploit development, lateral movement, and exfiltration — with AI performing 80-90% of tactical operations

Vendor responseAnthropic

Anthropic banned accounts as they were identified, notified affected entities, coordinated with authorities, expanded detection capabilities, and committed to regular public threat reporting.

Full summary

In September 2025, Anthropic detected and disrupted a large-scale agentic-attack workflow targeting roughly thirty large technology firms, financial institutions, chemical manufacturers, and government agencies. Anthropic assessed with high confidence that the operator was a PRC state-sponsored cluster (internally designated GTG-1002) that had jailbroken Claude Code by decomposing the attack lifecycle into innocuous-looking sub-tasks and convincing the model the operator was performing authorised penetration-testing work. Anthropic's analysis estimates the AI agent executed 80-90% of tactical operations (reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, exfiltration) independently of human direction. This is the first disclosure by a frontier-model lab of a state-aligned agentic-attack campaign run on its own model.

AI platforms involved

Claude Code

Related incidents (same country or vendor label)

Source note: Every entry in this catalog is derived from a primary public disclosure by the named platform vendor. This entry cites Anthropic as the primary source. No private, speculative, or non-public claims are presented here.