A new report from Anthropic details how a threat actor harnessed Claude Code to conduct an entire cyberattack lifecycle, from reconnaissance to extortion, in what researchers call “unprecedented” integration of artificial intelligence (AI).
In its August 2025 Threat Intelligence report, Anthropic says it dissected the cybercriminal operation known as GTG-2002, which reportedly targeted 17 organizations across the globe.
According to the AI safety and research company, the attacker relied on Claude not only to support technical operations but also to make tactical and strategic decisions, including which networks to penetrate, what data to steal, and how to craft extortion demands aimed at maximum psychological effect.
“The actor demonstrated unprecedented integration of artificial intelligence throughout their attack lifecycle, with Claude Code supporting reconnaissance, exploitation, lateral movement, and data exfiltration.
“The actor provided Claude Code with their preferred operational TTPs (Tactics, Techniques, and Procedures) in their CLAUDE.md file that is used as a guide for Claude Code to respond to prompts in a manner preferred by the user. However, this was simply a preferential guide and the operation still utilized Claude Code to make both tactical and strategic decisions—determining how best to penetrate networks, which data to exfiltrate, and how to craft psychologically targeted extortion demands.”
Anthropic notes that the operation targeted multiple industries and demanded ransoms to the tune of hundreds of thousands of dollars.
“The actor’s systematic approach resulted in the compromise of personal records, including healthcare data, financial information, government credentials, and other sensitive information, with direct ransom demands occasionally exceeding $500,000.
Rather than encrypting systems using traditional ransomware, this actor leveraged the sensitive data Claude Code exfiltrated on their behalf, threatening its public exposure to extort victims into paying. Claude not only performed ‘on-keyboard’ operations but also analyzed exfiltrated financial data to determine appropriate ransom amounts and generated visually alarming HTML ransom notes that were displayed on victim machines by embedding them into the boot process.”