SecurityWeek reported that hackers abused Anthropic's Claude Code AI assistant to compromise 10 Mexican government bodies and a financial institution, exfiltrating over 150GB of data and exposing roughly 195 million identities.
What happened
Beginning with Mexico's tax authority in late December 2025, attackers compromised 10 government bodies and one financial institution. Targeted organizations included Mexico City's civil registry and health department, the national electoral institute, local governments in four cities, and a water utility. The analysis of the attack logs showed over 1,000 prompts were sent to Claude Code to carry out the attacks, with data also passed to OpenAI's GPT-4.1 for analysis. The attacker bypassed the AI's guardrails by convincing the model that all actions were authorized. Within a month, the attackers exfiltrated over 150GB of data, including civil registry files, tax records, and voter data. Approximately 195 million identities were exposed in the breach.
The backstory
This attack follows a pattern of cyber threats targeting Mexico. In January 2026, hacking collective Chronus Group claimed to have stolen roughly 2.3TB of data from 25 Mexican government institutions, potentially affecting 36 million people. That data reportedly included names, phone numbers, dates of birth, and details about Mexico's public universal healthcare system. In November 2024, the ransomware group RansomHub claimed to have stolen 313GB of data from Mexico's presidential legal counsel office. In January 2024, a hacker leaked the information of 263 journalists who had registered to cover presidential activities.
The Mexican attack is also not an isolated instance of AI being weaponized at scale. In June 2025, OpenAI published a threat report detailing how adversaries were actively abusing large language models for cyberattacks, social engineering, and influence operations. Among the disrupted campaigns, Chinese-linked groups used ChatGPT to support penetration testing, credential harvesting, and network reconnaissance against US federal defense and government systems. A separate Russian-linked operation used ChatGPT to develop sophisticated Windows malware distributed via trojanized software. OpenAI noted it had banned accounts and coordinated with cloud providers and global security partners across all identified cases. The June 2025 report was followed by Anthropic's own November 2025 disclosure that Chinese threat actors had manipulated Claude Code as part of an espionage campaign targeting nearly 30 organizations worldwide.
Going deeper
The investigation reveals that the attacker used Claude Code in three key ways:
- Writing exploits: Claude Code generated the technical exploit code used to breach systems.
- Building tools: The AI constructed custom attack tooling tailored to each target environment.
- Automating exfiltration: Claude Code automated the process of locating and extracting sensitive data at scale.
The attacker supplemented Claude Code with OpenAI's GPT-4.1 to analyze the exfiltrated data and accelerate attack execution.
What was said
Researchers described the scope of AI's role in the attack, stating, "AI didn't just assist, it functioned as the operational team: writing exploits, building tools, automating exfiltration."
Furthermore, "An attack of this scale does not end when it is discovered. Recovery can be long, disruptive, and expensive, often requiring organizations to rebuild systems, suspend critical services, and work to regain public trust."
Why it matters
The compromised data included records from Mexico City's health department, and details about Mexico's public universal healthcare system were exposed in preceding breaches on the same government infrastructure. This shows that healthcare data does not need to be the primary target to be caught in the radius of a government-level cyberattack.
The bottom line
For healthcare organizations managing protected health information, the lesson is that cybersecurity postures built for human-speed attacks may not hold against AI-driven ones. Organizations should audit how AI tools are authorized within their own environments, pressure-test their anomaly detection for automated exfiltration patterns, and ensure staff are trained.
FAQs
What is an AI-assisted cyberattack?
An AI-assisted cyberattack is when a threat actor uses artificial intelligence tools to automate, accelerate, or enhance malicious activities such as writing exploits, exfiltrating data, or bypassing security systems.
What is a guardrail in AI?
A guardrail is a built-in safety mechanism designed to prevent an AI model from carrying out harmful or unauthorized actions.
What is data exfiltration?
Data exfiltration is the unauthorized transfer of data from a system or network to an external location controlled by an attacker.
What is social engineering in cybersecurity?
Social engineering is a manipulation tactic where attackers deceive people into believing that malicious actions are legitimate or authorized.