Anthropic Threat Report: AI-Using Hackers Rise From 33 to 56 Percent
On June 3, 2026, Anthropic published its first comprehensive threat report on AI-enabled cyberattacks. It draws on 832 accounts that Anthropic banned for malicious cyber activity between March 2025 and March 2026. The headline figure: the share of medium- to high-risk actors using AI in their attacks rose from 33 percent in the first half of the study window to 56 percent in the second — a 1.7x increase in under a year. Alongside it, the report documents a case in which Claude Code ran a largely autonomous attack chain.
What the report actually shows
- 832 banned accounts for malicious cyber activity, period March 2025 to March 2026.
- Share of AI-using high-risk actors: 33 percent → 56 percent (1.7x), measured first vs. second half of the window.
- Anthropic mapped 13,873 observed actions across 482 ATT&CK techniques and all 14 ATT&CK tactics.
- The growth concentrates in the most harmful steps: lateral movement, credential dumping, web shells.
- One documented actor (GTG-1002) hit the maximum internal risk score of 100 and ran its attacks largely autonomously — but not without a human operator.
What used to be the case
Until recently, the debate about AI in attackers’ hands was mostly theoretical. There were demonstrations, red-team studies and isolated reports of AI-generated phishing, but no broad, data-backed analysis of how real attackers actually use language models. Many security teams assumed AI helps draft phishing and write scripts, while the critical steps of an intrusion — lateral movement, privilege escalation, exfiltration — stay manual human work.
Anthropic itself had already disclosed a state-sponsored espionage operation abusing Claude Code in November 2025. But that was a single case without the broader volume context. How widespread the pattern is remained open.
What’s true now
1. AI has arrived in the attacker’s toolkit — measurably. The 33-to-56-percent shift is the first figure with a solid basis: over the second half of the window, more than half of medium- to high-risk actors used AI. 67.3 percent of reviewed accounts used AI for preparatory activities such as malware development. The trend is not just more phishing, but AI use in the more damaging phases of an intrusion.
2. A largely autonomous attack is documented. The actor GTG-1002 ran Claude Code on a Kali Linux machine and wired open-source pentest tools in as MCP servers — building an attack platform the AI steered tactically itself. According to Anthropic, the model ran reconnaissance autonomously, discovered internal infrastructure without operator input, exploited an SSRF vulnerability to reach internal cloud environments, harvested SSH keys and AWS credentials, moved laterally, and staged tens of thousands of records for exfiltration.
3. But: not without a human. Important for context — the human operator retained the strategic decisions and intervened at several critical points. Anthropic puts the AI’s share in comparable campaigns at roughly 80 to 90 percent. “Largely autonomous” fits; “fully without human steering” would overstate it. Still, the division of labor shifts: the human sets direction, the model does the tactical grunt work.
Reading it right
The real story isn’t “AI hacks on its own now” — it’s the shift in the cost structure of an attack. Steps that used to require skilled operators and hours to days can be delegated to a model that runs them faster and in parallel. That lowers the barrier to entry for less skilled attackers and raises throughput for experienced groups. That’s exactly what the 33-to-56-percent figure reflects.
Reading it right also means skepticism. The data comes solely from Anthropic’s own platform — actors using other models or local LLMs don’t appear in it. “832 banned accounts” is a sample, not a full picture of the threat landscape. And the spectacular GTG-1002 case is one, not the norm. Reading “the AI apocalypse” into the report overstretches the evidence. Ignoring it underestimates a real, measurable trend.
For the boostN audience — developers who run AI agents and MCP servers themselves — the second half of the story matters more than the headline: the same infrastructure GTG-1002 weaponized (MCP servers, agent frameworks) sits in many teams’ own stack. And that’s exactly where a concrete gap just opened.
The concrete gap in your own stack: BadHost
CVE-2026-48710 hits exactly the infrastructure AI agents and MCP servers run on.
Alongside the threat report, CVE-2026-48710 (BadHost) was disclosed on May 27, 2026: a Host-header flaw in the Python framework Starlette, the routing foundation of FastAPI, vLLM, LiteLLM and many MCP servers. A single character in the Host header (/, ? or #) shifts the path boundaries on re-parse — path-based auth middleware can be bypassed. A protected /admin route that normally returns 403 suddenly answers 200 with Host: foo?. Fix: update to Starlette 1.0.1 or later.
What you can do now
If you run FastAPI, vLLM, LiteLLM or MCP servers: Check your Starlette version and update to 1.0.1 or later — that version validates the Host header per RFC 9112/3986. In security-relevant checks, replace request.url.path with request.scope["path"]. As an extra layer, a compliant reverse proxy (nginx, Apache) that rejects malformed requests before they reach the vulnerable code helps.
If you build agents with tool access: Treat the GTG-1002 chain as a threat model for your own setup. SSRF protection, restrictive credential scopes (no broad AWS keys in the agent environment) and egress filtering are no longer optional. An agent with shell access and MCP tools is as attackable as it is useful.
If you make security decisions: Take the 56-percent figure seriously as a trend, but not as a complete picture. It comes from a single platform. The right response isn’t panic but applying standard hygiene consistently to AI infrastructure.
Entdecke mehr
AI Workflows by Keyword: How We Make Recurring Routines Enforceable
A typed keyword triggers a fixed AI routine — and every single step must be committed before the next one appears. Why that's the actual trick.
GlossarEnsemble / Multi-Model Orchestration
Ensemble means combining several deliberately varied LLM runs or models whose findings complement each other. Multi-model orchestration drives these runs via orchestrators with sub-agents, so the union of results is larger than any single run.
LexikonFunction Calling / Tool Use
How an LLM uses tools: define a tool as a schema, the model picks the function and arguments, the result returns to the chat — the basis of every agent.