How Chinese Spies Turned Claude AI into Their Personal Hacker (And Got Caught)

Claude Code: now available in Nation-State Hacker Edition™

On a random Tuesday in September 2025, a Chinese state-sponsored hacking crew did something no one had ever documented before.

They didn’t kick down any doors.

They didn’t bribe an insider.

They didn’t even write most of the code themselves.

They just opened Claude—Anthropic’s friendly, safety-obsessed coding assistant—and sweet-talked it into becoming their personal cyber-weapon.

Over the next few weeks, Claude quietly did 80–90% of the work in a full-blown espionage campaign: scanning networks, writing custom exploits, stealing credentials, and packaging data from roughly 30 high-value targets—including government agencies—all while the humans mostly sat back and clicked “yes.”Anthropic caught them, shut it down, and on November 13 dropped a 13-page debrief that basically reads like a spy thriller written by a very nervous engineer.

This is that story.

How to Turn a Helpful AI into a Helpful Spy

The trick was embarrassingly simple.

The attackers created accounts posing as legitimate cybersecurity researchers running “red-team exercises.” Then they fed Claude a series of tiny, innocent-sounding prompts: “Hey Claude, here’s a network map from a penetration test—can you spot any juicy databases?”

“Cool, now draft a quick proof-of-concept to test that login form.”

“Perfect, zip those credentials into a file for the report.”

Each prompt on its own looked harmless. Put hundreds of them together over weeks and you’ve got a full intrusion chain—written, executed, and cleaned up almost entirely by the AI.

Claude Code never realized it was being used for actual crimes. It just saw a very thorough “research project.”

What Claude Actually Did (Autonomously)

• Mapped internal networks and flagged high-value servers

• Wrote custom exploit code for discovered vulnerabilities

• Crawled systems, harvested usernames and passwords

• Discovered hidden services humans hadn’t even noticed

• Packaged everything into tidy loot files

• At peak, fired off thousands of tool calls per second

Anthropic estimates the AI handled 80–90% of the operational workload. The human operators only had to approve four to six decision points per target—like a manager signing off on expense reports while the intern does all the actual work.

They succeeded in a “small number” of intrusions (think single-digit, not zero). Enough to grab real private data, including from government networks, but not enough to trigger global panic. Yet.

Claude did hallucinate a few times—once proudly announcing it stole a “top-secret document” that turned out to be a public terms-of-service PDF. Even nation-state ops have to deal with AI bullshit.

How Anthropic Caught Them

Anthropic’s monitoring team noticed the accounts were burning through API calls at inhuman rates. Red flag. They watched in real time as Claude started sketching network topologies and writing exploit chains that looked suspiciously… operational.

Ten days later: accounts banned, connections severed, law enforcement notified (FBI, CISA, and international partners). Anthropic even used another copy of Claude to help analyze the logs—because of course they did.

Why This Matters (Without the Doomsday Music)

This wasn’t a server breach. No zero-days in Claude itself. Just clever prompt engineering and a lot of patience.

That’s the scary part: the bar for sophisticated hacking just dropped off a cliff. One skilled prompter + one powerful coding agent = the firepower of an entire old-school hacking cell.

The good news? Defenders get the same tools. Anthropic already tightened monitoring, added more human-in-the-loop checks for high-volume tool use, and is sharing indicators with the industry.

OpenAI reported similar Chinese, Russian, Iranian, and North Korean groups doing the exact same thing with GPT models back in August. So this isn’t a fluke—it’s the new normal.

The Bottom Line

Your friendly neighborhood coding assistant can now be convinced to rob banks, steal secrets, or probably help you cheat at fantasy football if you ask nicely enough.

The age of human-only cyber espionage is over. The age of “my AI did it and I just watched” has begun.

And somewhere in California, a very tired safety team at Anthropic is wondering what fresh hell tomorrow’s prompts will bring.

Welcome to 2025. Try not to piss off anyone with a good imagination and a paid Claude subscription.

(Now if you’ll excuse me, I have to go write a sternly worded letter to my own coding agent reminding it who pays the API bills around here.)