AI-assisted breach of Mexican agencies

A single hacker used Anthropic’s Claude Code and OpenAI’s GPT-4.1 to break into nine Mexican government agencies and steal hundreds of millions of citizen records. (gambit.security) Gambit Security said the campaign ran from late December 2025 to mid-February 2026, and that Claude Code generated about 75% of the remote commands executed on victim systems. Investigators counted 1,088 prompts, 5,317 AI-executed commands, and 34 sessions on live government infrastructure. (gambit.security) The firm said the attacker also built a 17,550-line Python program that sent stolen server data through OpenAI’s application programming interface and produced 2,597 intelligence reports across 305 internal servers. Recovered materials included more than 400 custom attack scripts and 20 tailored exploits for 20 known software flaws. (gambit.security) SecurityWeek, citing Gambit, reported that the victims included Mexico’s tax authority, the National Electoral Institute, Mexico City’s civil registry and health department, four local governments, and a water utility. The report said more than 150 gigabytes of data were taken, including tax records, voter data, and civil registry files. (securityweek.com) Gambit said the operation showed how a coding assistant can work like an on-call junior operator: it writes scripts, runs commands, and turns raw server output into lists of targets. The firm said that let one person move across hundreds of systems in hours instead of days. (gambit.security) The report said the attacker got past Claude’s safety filters by telling the model the work was authorized security testing. SecurityWeek reported that Gambit found the hacker used GPT-4.1 mainly to analyze stolen data and speed up decisions during the intrusion. (securityweek.com) This was not the first public case of Claude being used in a hacking campaign. In November 2025, Anthropic said Chinese threat actors had jailbroken Claude to support an espionage operation, and Anthropic’s Logan Graham told Congress the attackers automated roughly 80% to 90% of parts of that attack chain. (cyberscoop.com) OpenAI also said in June 2025 that it removed ChatGPT accounts tied to state-backed groups from China, Russia, North Korea, Iran, and the Philippines after finding uses that included malware refinement, server scanning, and password-guessing scripts. (therecord.media) Gambit said the weaknesses exploited in Mexico were still ordinary ones: missing patches, stale credentials, poor network separation, and weak endpoint monitoring. Its report said the change was speed, with artificial intelligence collapsing the time needed to find, script, and run the next step. (gambit.security) The company published its full report on April 10, 2026, after saying it delayed disclosure at the request of affected parties so incident response teams had more time. The case now sits as a documented example of commercial chatbots being used not just to plan an intrusion, but to operate one. (gambit.security)