Hacker Uses Claude and ChatGPT to Breach Multiple Government Agencies
By Dhivya – April 11, 2026
A single threat actor has successfully compromised nine Mexican government agencies, resulting in the theft of hundreds of millions of citizen records in a highly sophisticated cyberattack. This campaign, which spanned from late December 2025 through mid-February 2026, underscores a significant shift in the modern threat landscape.
Overview of the Attack
Researchers at Gambit Security recently released a comprehensive technical report detailing how the attacker utilized two major commercial artificial intelligence platforms to execute the breach. The publication was initially delayed to allow the affected agencies sufficient time to complete their incident response efforts.
AI Models Powering the Breach
The attacker employed Anthropic’s Claude Code and OpenAI’s GPT-4.1 not only for planning but also as essential operational tools that significantly accelerated the attack process. Forensic evidence revealed that Claude Code was responsible for generating and executing approximately 75% of all remote commands during the intrusion.
Operational Details
During the attack, the hacker logged 1,088 individual prompts across 34 active sessions on live victim infrastructure. These prompts led to the execution of 5,317 commands by the AI, showcasing the deep integration of artificial intelligence into the exploitation phase of the attack.
Reconnaissance and Data Processing
Simultaneously, the attacker leveraged OpenAI’s GPT-4.1 for rapid reconnaissance and data processing. A custom 17,550-line Python script was developed to channel raw data harvested from compromised servers directly through the OpenAI API. This automated system analyzed information across 305 internal servers, producing 2,597 structured intelligence reports in record time.
Impact of AI on Cybersecurity
The use of artificial intelligence allowed the attacker to transform unfamiliar networks into mapped targets within hours, a process that would typically require days of manual effort. Recovered materials indicated that the hacker had access to over 400 custom attack scripts. Furthermore, AI was utilized to swiftly develop 20 tailored exploits targeting specific Common Vulnerabilities and Exposures (CVEs).
Exploitation of Vulnerabilities
Despite the advanced methods employed during the campaign, the actual vulnerabilities exploited were rather conventional. The targeted government agencies exhibited fundamental security gaps that enabled the attacker to gain initial access and move laterally within the networks. These underlying issues could have been addressed through standard security controls, indicating a severe accumulation of technical debt within mission-critical infrastructure.
Lessons Learned and Recommendations
The incident highlights a critical need for organizations to reassess their cybersecurity strategies in light of the evolving threat landscape. While artificial intelligence has made it easier and cheaper to execute widespread cyberattacks, defensive strategies must remain grounded in foundational security practices.
Key Recommendations
- Address Unpatched Software: Organizations must prioritize the timely patching of software vulnerabilities to mitigate potential attack vectors.
- Implement Credential Rotation Policies: Regularly changing passwords and credentials can significantly reduce the risk of unauthorized access.
- Enforce Network Segmentation: Restricting lateral movement within networks is crucial once a perimeter breach occurs.
- Deploy Robust Endpoint Detection and Response Tools: Implementing advanced detection tools can help identify and respond to threats before data exfiltration takes place.
Conclusion
The breach of multiple Mexican government agencies serves as a stark reminder of the vulnerabilities present in many organizations today. The integration of AI in cyberattacks not only accelerates the execution of attacks but also highlights the need for robust cybersecurity measures. Organizations must urgently adapt to these new threats by reinforcing their security frameworks and addressing existing vulnerabilities.
Note: This article is based on the findings of Gambit Security and aims to inform organizations about the evolving nature of cyber threats and the importance of proactive security measures.