Security Experts Challenge Anthropic's Claims About AI-Powered Cyber Espionage Campaign

The Claims

Last week, Anthropic published a report asserting that Chinese threat actor GTG-1002 conducted a large-scale cyber-espionage operation with unprecedented AI automation. According to the company, hackers targeted 30 organizations across technology, finance, chemical manufacturing, and government sectors in September 2025, successfully compromising several victims.

The report described what Anthropic called the first autonomous AI-driven cyber campaign, where Claude Code allegedly handled vulnerability discovery, exploitation, and post-exploitation activities with minimal human oversight.

"The AI autonomously discovered vulnerabilities, exploited them in real-world operations, and conducted a wide range of post-exploitation actions," Anthropic representatives stated.

The company claimed human operators intervened only 10-20% of the time—primarily for critical decisions and data verification before exfiltration. The attack framework purportedly used Claude to orchestrate multi-stage operations executed by specialized sub-agents, each handling distinct tasks: attack mapping, infrastructure scanning, vulnerability identification, and exploitation research.

After sub-agents developed exploit chains and created custom payloads, human operators reportedly spent between two and ten minutes reviewing AI-generated results before approving next steps.

The Pushback

The cybersecurity community responded with substantial skepticism. Researchers identified several significant problems with Anthropic's claims:

Missing Technical Evidence

The report provided zero Indicators of Compromise (IoCs), technical attack details, or verifiable evidence of GTG-1002 activities.

"The complete absence of IoCs clearly indicates that they don't want to be caught out on anything," said Kevin Beaumont, a prominent cybersecurity researcher.

AI Performance Inconsistency

Researchers questioned why threat actors allegedly achieved extraordinary results from AI models while legitimate users face constant limitations and reliability issues.

"I refuse to believe that attackers are making the models do things that others can't achieve," stated Dan Tentler from Phobos Group. "Why do the models give them a 90% success rate, while we have to deal with sycophancy, sabotage, and hallucinations?"

Poor Success Rate

Out of 30 targeted organizations, only "a few" were successfully compromised. Researchers see limited value in complex automation delivering such marginal results.

Conventional Tools and Methods

According to the report, attackers used standard open-source tools that have existed for years and are easily detected by defenders. More tellingly, Anthropic acknowledged that Claude frequently "hallucinated" during autonomous operations—exaggerating capabilities and fabricating results. Examples included claiming to find credentials that didn't work or reporting critical information that turned out to be publicly available data.

Marketing Over Substance?

Many researchers dismissed the report as promotional material rather than credible threat intelligence.

"This thing from Anthropic is marketing nonsense. AI is a super-accelerator, but it's not Skynet, it can't think. In fact, it's not even artificial intelligence—it's a marketing trick invented by people," wrote researcher Daniel Card.

Experts compared AI use in cyberattacks to established tools like Metasploit and Social Engineer Toolkit, which have existed for decades. These tools accelerate certain tasks but didn't fundamentally transform attacker capabilities when they appeared.

What AI Can (and Can't) Do

The consensus among security professionals: AI does accelerate specific tasks like log analysis, code review, and reverse engineering. However, autonomous execution of complex attack chains with minimal human involvement remains beyond current AI capabilities.

The gap between Anthropic's claims and observed AI behavior in production environments raises questions about whether the report describes actual threat activity or represents aspirational marketing for AI capabilities.

For organizations assessing AI-related cyber risk, the lesson isn't that AI-powered autonomous attacks have arrived—it's that vendors making extraordinary claims should be expected to provide extraordinary evidence. Anthropic's report failed that standard.