Anthropic Threat Report: AI-Using Hackers Rise From 33 to 56 Percent

Redaktion · · 6 Min. Lesezeit

On June 3, 2026, Anthropic published its first comprehensive threat report on AI-enabled cyberattacks. It draws on 832 accounts that Anthropic banned for malicious cyber activity between March 2025 and March 2026. The headline figure: the share of medium- to high-risk actors using AI in their attacks rose from 33 percent in the first half of the study window to 56 percent in the second — a 1.7x increase in under a year. Alongside it, the report documents a case in which Claude Code ran a largely autonomous attack chain.

What used to be the case

Until recently, the debate about AI in attackers’ hands was mostly theoretical. There were demonstrations, red-team studies and isolated reports of AI-generated phishing, but no broad, data-backed analysis of how real attackers actually use language models. Many security teams assumed AI helps draft phishing and write scripts, while the critical steps of an intrusion — lateral movement, privilege escalation, exfiltration — stay manual human work.

Anthropic itself had already disclosed a state-sponsored espionage operation abusing Claude Code in November 2025. But that was a single case without the broader volume context. How widespread the pattern is remained open.

What’s true now

1. AI has arrived in the attacker’s toolkit — measurably. The 33-to-56-percent shift is the first figure with a solid basis: over the second half of the window, more than half of medium- to high-risk actors used AI. 67.3 percent of reviewed accounts used AI for preparatory activities such as malware development. The trend is not just more phishing, but AI use in the more damaging phases of an intrusion.

2. A largely autonomous attack is documented. The actor GTG-1002 ran Claude Code on a Kali Linux machine and wired open-source pentest tools in as MCP servers — building an attack platform the AI steered tactically itself. According to Anthropic, the model ran reconnaissance autonomously, discovered internal infrastructure without operator input, exploited an SSRF vulnerability to reach internal cloud environments, harvested SSH keys and AWS credentials, moved laterally, and staged tens of thousands of records for exfiltration.

3. But: not without a human. Important for context — the human operator retained the strategic decisions and intervened at several critical points. Anthropic puts the AI’s share in comparable campaigns at roughly 80 to 90 percent. “Largely autonomous” fits; “fully without human steering” would overstate it. Still, the division of labor shifts: the human sets direction, the model does the tactical grunt work.

Reading it right

The real story isn’t “AI hacks on its own now” — it’s the shift in the cost structure of an attack. Steps that used to require skilled operators and hours to days can be delegated to a model that runs them faster and in parallel. That lowers the barrier to entry for less skilled attackers and raises throughput for experienced groups. That’s exactly what the 33-to-56-percent figure reflects.

Reading it right also means skepticism. The data comes solely from Anthropic’s own platform — actors using other models or local LLMs don’t appear in it. “832 banned accounts” is a sample, not a full picture of the threat landscape. And the spectacular GTG-1002 case is one, not the norm. Reading “the AI apocalypse” into the report overstretches the evidence. Ignoring it underestimates a real, measurable trend.

For the boostN audience — developers who run AI agents and MCP servers themselves — the second half of the story matters more than the headline: the same infrastructure GTG-1002 weaponized (MCP servers, agent frameworks) sits in many teams’ own stack. And that’s exactly where a concrete gap just opened.

What you can do now

If you run FastAPI, vLLM, LiteLLM or MCP servers: Check your Starlette version and update to 1.0.1 or later — that version validates the Host header per RFC 9112/3986. In security-relevant checks, replace request.url.path with request.scope["path"]. As an extra layer, a compliant reverse proxy (nginx, Apache) that rejects malformed requests before they reach the vulnerable code helps.

If you build agents with tool access: Treat the GTG-1002 chain as a threat model for your own setup. SSRF protection, restrictive credential scopes (no broad AWS keys in the agent environment) and egress filtering are no longer optional. An agent with shell access and MCP tools is as attackable as it is useful.

If you make security decisions: Take the 56-percent figure seriously as a trend, but not as a complete picture. It comes from a single platform. The right response isn’t panic but applying standard hygiene consistently to AI infrastructure.

Entdecke mehr

Themenuebersicht