A months-long cyberattack on nine Mexican government agencies, documented by industrial cybersecurity firm Dragos in a report published this month, has put AI-assisted intrusions into sharp focus. The operation, attributed to an as-yet-unidentified threat group, ran from December 2025 through February 2026 and included a successful breach of a municipal water and drainage utility, the first publicly documented case of AI being used to gain access to industrial control systems. Anthropic's Claude was one of two AI tools the attackers used to accelerate nearly every stage of the campaign.
The report, which Dragos released in coordination with separate findings from threat intelligence firm Gambit Security, describes a campaign that began with standard intrusion tradecraft but quickly leaned on Claude Code and OpenAI's GPT-4.1 to handle tasks that would normally require a team of skilled analysts. The attackers used the AI tools for network reconnaissance, customizing publicly available exploits to fit specific target configurations, escalating privileges inside compromised environments, and harvesting credentials at scale. By the end of the campaign, the group had exfiltrated roughly 150 gigabytes of citizen records and accessed thousands of servers across the nine agencies.
Key Facts
- Campaign durationDecember 2025 – February 2026
- Government agencies compromised9 (federal, state, and municipal)
- Data exfiltrated~150 GB of citizen records
- AI tools used by attackersClaude Code, OpenAI GPT-4.1
- Infrastructure targetedMunicipal water and drainage utility (OT/ICS)
- Reporting firmsDragos, Gambit Security
How Claude Was Deployed in the Attack Chain
Dragos describes the use of Claude Code as central rather than incidental to the operation. The attackers did not simply ask the model for generic hacking advice; they fed it specific system configurations, error messages, and partial code and asked it to suggest next steps. That kind of interactive, context-aware assistance accelerated phases of the attack that ordinarily demand hours of manual work. Exploit customization, the process of adapting a known vulnerability to fit an unusual or patched target environment, was one task the report singles out as substantially faster because of the AI assistance. Credential harvesting scripts were similarly produced or modified on demand as the attackers encountered new authentication systems inside the agencies.
The use of two competing AI platforms, Claude and GPT-4.1, in the same campaign suggests the attackers were pragmatic rather than ideologically committed to either. The Dragos report does not specify how tasks were divided between the two tools, but notes that the AI-assisted portions of the campaign moved at a pace inconsistent with a small team working manually. Gambit Security's parallel investigation reached a similar conclusion: the scale of compromise across nine agencies, with distinct IT environments, in roughly 60 days would have required either a much larger team or significant AI acceleration.
An Industrial System in the Crosshairs
The water utility intrusion is the part of the Dragos report that has drawn the most attention from the operational technology security community. Industrial control systems, the hardware and software that manage physical infrastructure like water treatment, power generation, and manufacturing, have historically been difficult for attackers to target because they require specialized engineering knowledge that most intrusion teams lack. AI models fluent in industrial protocols and system documentation shrink that knowledge gap, though Dragos notes that in this case the attackers appear to have focused on IT systems within the utility rather than attempting to manipulate physical processes directly.
"This is the first intrusion campaign we have documented in which an adversary consistently used large language models as operational tools throughout the attack lifecycle, from initial reconnaissance to lateral movement inside OT-adjacent networks." Dragos Industrial Cybersecurity Report, May 2026
Anthropic's Response and the Broader Question
Anthropic acknowledged the misuse in a statement following the Dragos disclosure. The company said its usage policies prohibit using Claude for unauthorized access to systems and that its trust and safety team uses a combination of classifier models and human review to detect and terminate accounts engaged in malicious activity. It declined to comment on whether it had identified and suspended the accounts involved before the campaign ended. The timeline in the Dragos report, a 60-day operation that concluded in February, suggests the misuse went undetected for some portion of its duration.
The incident is one data point in a debate the AI industry has been navigating since frontier models became capable enough to be useful in technical security work. Anthropic's own Claude Mythos, deployed defensively under Project Glasswing, demonstrates that the same underlying capabilities that make AI dangerous in an attacker's hands can also find vulnerabilities faster than any human team. The question of how to widen access to those defensive benefits without simultaneously equipping attackers has no clean answer, and the Mexico campaign illustrates the cost of getting that balance wrong. For Anthropic's policy team, the episode adds urgency to the work of improving detection at the API layer before the next group of attackers reaches a comparable conclusion about AI's utility in an intrusion campaign.
