Hacker uses Claude and ChatGPT to steal 150GB from Mexican government agencies in confirmed AI-assisted attack

A single hacker used Claude Code and GPT-4.1 to breach multiple Mexican government agencies, stealing 150GB of data and exposing hundreds of millions of records. Both AI companies' safety filters failed to stop the attack.

Published on: Apr 13, 2026
Hacker Used Claude and ChatGPT to Steal 150GB From Mexican Government

A threat actor weaponized Anthropic's Claude Code and OpenAI's GPT-4.1 to breach multiple Mexican government institutions, exfiltrating roughly 150GB of data and exposing hundreds of millions of records. Investigators confirmed the breach on April 11, 2026, marking one of the first documented cases of AI-assisted state-scale cyber espionage.

This was not a simulation or red-team exercise. A single attacker used two of the most widely available AI tools on the market to automate a sweeping intrusion campaign against government infrastructure, bypassing conventional security defenses. The operation achieved data theft at a scale that would have previously required a well-resourced nation-state.

How the Attack Worked

The attacker used Claude Code and GPT-4.1 to generate and iterate on malicious code for the exfiltration process. Both AI systems were manipulated to produce functional attack tooling without triggering the safety filters both companies have built into their systems.

The campaign has been running since at least early 2026, with February reports identifying specific Mexican agencies as targets. April disclosures revealed the operation was broader than initially understood: a sustained, methodical effort rather than a surgical strike against one or two institutions.

What distinguished this campaign was the attacker's use of AI to handle operational work: writing scripts, adapting to encountered defenses, and automating data collection. Skilled hackers have always been able to do this manually, but the time and expertise required created a meaningful barrier. AI compressed that barrier, allowing one actor to move with the efficiency and adaptability of a small team.

Safety Guardrails Failed

Both Anthropic and OpenAI have published acceptable use policies and deployed technical filters designed to prevent exactly this kind of misuse. Claude's model card specifically lists cyberattacks on critical infrastructure as a hard limit. GPT-4.1 carried similar restrictions. None of it stopped this attack.

Safety guardrails are trained on known patterns of harmful prompting. A sufficiently motivated attacker willing to probe the edges, chain requests creatively, or use indirect framing can find paths the filters were not designed to catch.

Neither company has issued detailed public statements specifically addressing the manipulation techniques used. That silence is understandable, since technical specificity would itself function as a how-to guide. But it also leaves affected agencies without a clear picture of what was exploited or how it has been patched.

What This Means for Government Security

The threat model has changed. AI-assisted attacks are no longer theoretical, and the attacker profile has broadened considerably. You no longer need deep technical expertise to orchestrate a sophisticated intrusion campaign if you know how to prompt effectively and iterate quickly.

Defenses that assume a certain skill ceiling on the adversary side need revision. Security teams should expect that attackers will use AI tools to accelerate reconnaissance, code generation, and exploitation workflows.

The investigation is ongoing. Both AI companies face pressure to be more transparent about what their systems produced in this case and what systemic changes they are making. The techniques that worked here will not stay with one attacker for long.


