- An attacker used Anthropic's chatbot Claude as a technical assistant to steal approximately 150 GB of data from Mexican public agencies.
- The operation exposed up to 195 million taxpayer records, electoral rolls, and public employee credentials.
- The hacker managed to jailbreak Claude using Spanish prompts, while relying heavily on ChatGPT to complement the intrusion.
- Anthropic and OpenAI blocked the accounts involved, and the case reopens the global debate on the use of AI as an accelerator of cybercrime.
Un large-scale cyberattack against several Mexican public institutions has once again raised concerns about how the Artificial intelligence can become an ally of cybercriminalsA single, as yet unidentified, attacker is believed to have used the Claude chatbot, developed by Anthropic, as a sort of technical “co-pilot” to infiltrate official networks.
According to research by the Israeli startup Gambit Security and reports from media outlets such as Bloomberg, The operation lasted approximately one month, between December and January, and reportedly ended with the exfiltration of about 150 gigabytes of sensitive information. of the Government of MexicoThe stolen files include tax data, voter registration lists, civil registry documents, and public employee credentials.
A hacker, a chatbot, and 150 GB of sensitive data
According to technical reports compiled by Gambit Security, the attacker launched the campaign in late December with a direct blow against the Tax Administration Service (SAT)The Mexican tax authority. This incident was already partially known, but now both the true scope and the role played by generative AI in the intrusion are coming to light.
The investigation details that, in total, the campaign affected at least a dozen government agencies and a financial institution, with the exposure of around 195 million taxpayer recordsIn addition, electoral rolls, internal credentials of public workers, and civil registry files were allegedly compromised, making it one of the largest data thefts attributed to a single individual in the region.
Gambit Security maintains that the attacker even went so far as to build an automated system capable of generating fake tax certificatesfeeding in real time on information stolen from official systems. In other words, it didn't just copy data: it used it to create seemingly legitimate documentation.
The intrusions were not limited to the SAT. Investigators mention unauthorized access to National Electoral Institute (INE), to networks of the state governments of the State of Mexico, Jalisco, Michoacán and Tamaulipas, as well as to systems of civil registry of Mexico City and water and drainage service of MonterreyIn total, at least about twenty specific vulnerabilities throughout the campaign.
How the attacker got Claude to act as an “elite hacker”
The most striking aspect of the case is the intruder's use of Claude. According to the published documentation, the attacker wrote Detailed prompts in Spanish to make the chatbot behave like a network intrusion expertcapable of locating weak points, developing custom scripts, and proposing ways to automate data theft.
In the early stages of the conversation, Claude would have detected that the instructions had a clearly malicious aspect and refused to cooperate, especially when the user asked to add rules to delete activity logs and hide the command history. The model itself pointed out that in a legitimate bug bounty program, it's not necessary to hide anything, but rather to meticulously document every step.
Far from giving up, the attacker reformulated his approach. He began to present the operation as a supposed authorized audit, under a government bug bounty programThey claimed the goal was to help find flaws in the official systems. This narrative, combined with their persistence and the continuous adaptation of the prompts, would eventually create a breach in the model's security defenses.
At one point, the intruder interrupted the conversation and brought Claude into the conversation. a step-by-step “manual” on how to proceedThis change in tactics, according to Gambit, allowed them to execute what is known in the jargon as a jailbreak: “free” the assistant from most of its restrictions and get it to start generating thousands of directly applicable commands and operational plans to the target networks.
The researchers describe a continuous iterative process: when the model asked for more context or set limits, the attacker readjusted the requests, refined the language, and gradually gained the upper hand. bending some of the protection mechanismsEven so, Anthropic points out that even while the attack was underway, Claude continued to reject some specific requests.
ChatGPT as support and a campaign coordinated by a single person
The Gambit Security report adds that the attacker didn't limit himself to Claude. Whenever doubts arose or the Anthropic model requested additional information, the intruder resorted to ChatGPT, from OpenAI, to complete instructions about how to navigate the networks, what credentials were needed to access certain systems, or what the probability was of being detected.
This combined use of tools illustrates a worrying trend: AI is no longer just a single gateway, but a ecosystem of interconnected assistants which can complement each other. According to Curtis Simpson, director of strategy at Gambit Security, that combination made it possible to generate “thousands of detailed reports with plans almost ready to hit the execute button.”
The investigation also concludes that, despite the scale of the attack, The entire operation was allegedly coordinated by a single person.and not from a collective or a group sponsored by a state. Experts have not found solid evidence pointing to the involvement of foreign governments, although the identity and location of the perpetrator are still unknown.
One of the intruder's key objectives would have been to accumulate as many public employee identities and credentials as possibleThe analyzed conversations reveal recurring questions such as, “Where else can I find these identities?” or “On what other systems is this information stored?” However, it remains unclear what subsequent use was made of this data, or if it was ever exploited outside the attacker's own testing environment.
OpenAI, for its part, claimed to have Detected attempts to use their models that directly conflicted with their policiesAccording to the company, its systems refused to execute the illicit requests and the accounts involved were blocked after Gambit alerted them.
Anthropic's response, institutional reaction, and official silence
Anthropic publicly confirmed that the case described by Gambit was real. The company stated that, after receiving the information, He reviewed the activity logs, halted the campaign, and banned the accounts involved.Furthermore, he stated that he has incorporated the detected abuse patterns as training examples to strengthen future defenses.
These measures include the introduction of what the company describes as “probes” or probes in recent versions of the model, such as Claude Opus 4.6, designed to identify suspicious uses and cut off potentially harmful conversations before the assistant generates operational content useful to an attacker.
The incident, however, shows that Current safeguards remain permeable when an adversary systematically tests the limits.The intruder persisted for weeks, refining prompts, changing contexts, and alternating tools until finding the right angle to bypass the barriers.
On the political front, the reaction from Mexico has been mixed. At the end of December, the authorities published a a brief statement in which they acknowledged investigating security breaches in several public institutionsalthough without offering too many details or confirming the direct relationship with this AI-assisted campaign.
Subsequently, the INE stated that it had not identified any recent intrusions or unauthorized access to its systems and affirmed that it had reinforced its cybersecurity strategyThe Jalisco government, for its part, denied that its regional infrastructure had been compromised, suggesting that the problems were concentrated in federal networks. Other agencies mentioned in the investigation, such as tax authorities, additional state governments, and the Mexico City civil registry, They chose not to respond or remained silent at the time of the consultations.
A global trend: AI as an accelerator of cybercrime
The episode of the so-called “Claude hacker in Mexico” fits into a broader trend that worries experts and regulators. In recent months, Reports of attacks supported by generative AI tools have multipliedcapable of accelerating tasks that previously required much more time or extremely technical profiles.
Amazon researchers, for example, recently described a campaign in which A small group of attackers managed to break into more than 600 firewall devices in dozens of countries leveraging widely used AI tools. And Anthropic itself has explained that it has already detected and blocked a suspected cyberespionage operation linked to Chinese state actors, who tried to manipulate Claude to attack some thirty targets around the world.
In that context, the Mexican case serves as a close example of how AI lowers the entry threshold for digital crimeAn attacker with relatively modest resources—in parallel analyses, very low-cost equipment is mentioned—can orchestrate campaigns reminiscent of nation-state-level operations in terms of the volume of data stolen or the number of institutions affected.
For Europe and Spain, where debates on AI regulation and Strengthening cybersecurity in public administrations These kinds of incidents are becoming increasingly common across the Atlantic, serving as a warning. The message is clear: if a single individual can extract hundreds of gigabytes of sensitive information from an entire country using commercial chatbots, European critical infrastructure and citizen registries cannot take anything for granted.
From a technical point of view, the lesson that many specialists draw is that AI is not inherently “good” or “bad”, but rather a general-purpose tool that amplifies the capabilities of the user who operates it.If the person at the keyboard has legitimate intentions, the result can be greater efficiency and better defense; otherwise, the same engine can be used to automate intrusion and fraud.
This case of the hacker that Claude used in Mexico leaves an uncomfortable but very illustrative picture: The combination of advanced AI, unpatched vulnerabilities, and slow institutional responses creates an ideal playing field for massive data theft operationsWhile companies like Anthropic and OpenAI adjust their models to close vulnerabilities and governments review their defenses, the episode serves as a reminder that digital security—in Latin America, Europe, or any other region—has become a continuous race in which attackers and defenders advance, almost always, at the same speed.
I am a technology enthusiast who has turned his "geek" interests into a profession. I have spent more than 10 years of my life using cutting-edge technology and tinkering with all kinds of programs out of pure curiosity. Now I have specialized in computer technology and video games. This is because for more than 5 years I have been writing for various websites on technology and video games, creating articles that seek to give you the information you need in a language that is understandable to everyone.
If you have any questions, my knowledge ranges from everything related to the Windows operating system as well as Android for mobile phones. And my commitment is to you, I am always willing to spend a few minutes and help you resolve any questions you may have in this internet world.