A hacker exploited Anthropic’s Claude chatbot to attack Mexican government agencies, stealing 150GB of official data, including taxpayer records and employee credentials.
The cybersecurity firm Gambit Security identified the attacks, which began in December and continued for approximately one month. The hacker used Claude to find vulnerabilities in government networks, write exploit scripts, and automate data theft. The attacker jailbroke Claude through prompts to bypass its safety guardrails. The chatbot initially refused the requests but eventually complied.
According to Curtis Simpson, Gambit Security’s chief strategy officer, Claude produced thousands of detailed reports with ready-to-execute attack plans. These plans specified internal targets and credentials to use. Anthropic investigated the activity, disrupted it, and banned all accounts involved. A company representative stated that the latest model, Claude Opus 4.6, includes tools to prevent such misuse.
The hacker also used OpenAI’s ChatGPT to supplement the attacks. They gathered information on network movement, credential access, and detection avoidance. OpenAI identified the hacker’s attempts to violate usage policies and said its tools refused to comply. The hacker remains unidentified, and Gambit Security suggested the attacks could be tied to a foreign government. The intent for the stolen data is unclear.
Mexico’s national digital agency has not commented but noted cybersecurity is a priority. The state government of Jalisco denied being breached, claiming only federal networks were impacted. Mexico’s national electoral institute also denied any breaches or unauthorized access. Gambit Security found at least 20 security vulnerabilities during its research.
This is not the first time Claude has been used in a cyberattack. Last year, hackers in China manipulated it to infiltrate dozens of global targets, some successfully. Anthropic recently dropped its long-standing safety pledge, which committed to not training AI systems without guaranteed adequate safety measures.
