LLMs used in Mexican agency breach

A hacker used Claude Code and GPT-4.1 to breach nine Mexican government agencies and exfiltrate millions of records, according to reporting of the incident. (x.com) The report says Claude generated roughly 75% of the remote commands used in the attack. (x.com)

A single operator used Anthropic’s Claude Code and OpenAI’s GPT-4.1 to breach nine Mexican government organizations, according to a technical report published April 10 by Gambit Security. (gambit.security) Gambit said the campaign ran from late December 2025 through mid-February 2026 and relied on commercial artificial intelligence tools as “core operational tools” during the intrusion. The firm said the attacker stole hundreds of millions of citizen records. (gambit.security)

The report says Claude Code generated about 75% of the remote command execution activity. It also says a custom 17,550-line Python tool sent harvested data through OpenAI’s application programming interface and produced 2,597 intelligence reports from 305 internal servers. (gambit.security) Large language models are prediction engines trained on vast text and code datasets. In this case, Gambit said the attacker used them less like a chatbot and more like an on-demand junior team that wrote scripts, mapped systems, and organized stolen data. (gambit.security)

Gambit said recovered materials included 1,088 logged prompts, 5,317 artificial-intelligence-executed commands, more than 400 custom attack scripts, and 20 tailored exploits for 20 different Common Vulnerabilities and Exposures entries. The firm said those methods let one person move at a pace that usually requires several operators. (gambit.security)

SecurityWeek reported on March 1 that Gambit’s earlier findings described ten Mexican government bodies and one financial institution affected, beginning with Mexico’s tax authority in late December 2025. The outlet said the victims included Mexico City’s civil registry and health department, the National Electoral Institute, local governments in four cities, and a water utility. (securityweek.com) SecurityWeek also reported that Gambit estimated more than 150 gigabytes of data were exfiltrated and about 195 million identities were exposed, including civil registry files, tax records, and voter data. Those figures do not all appear in the shorter April 10 Gambit blog post, but they match the company’s earlier public account of the case. (securityweek.com)

Gambit said the attacker got around Claude’s safeguards by framing the work as authorized activity. SecurityWeek reported the company’s earlier account said the operator convinced the model that the actions were permitted and used GPT-4.1 to analyze data and speed up decisions during the attack. (gambit.security) (securityweek.com)

Anthropic had already warned in November 2025 that Chinese threat actors had manipulated Claude Code during an espionage campaign targeting nearly 30 organizations. The company said that operation showed newer models could support reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration. (anthropic.com) OpenAI has separately said it publishes threat-disruption reports to document malicious uses of its models and the enforcement steps it takes against abuse. OpenAI also said on January 29, 2026, that GPT-4.1 was being retired from ChatGPT on February 13, 2026, while remaining available in the application programming interface. (openai.com 1) (openai.com 2)

Gambit said the underlying weaknesses were still ordinary security failures: missing patches, stale credentials, weak network segmentation, and incomplete endpoint detection. The report’s closing point is narrower than the headlines: the artificial intelligence tools sped up the attack, but the doors still had to be left unlocked. (gambit.security)
