A report by Gambit describes how a small group of unprofessional attackers used Claude Code to penetrate government systems, understand the structure of servers, and build a mechanism to forge credentials. The incident illustrates how AI tools may provide advanced attack capabilities even to those lacking deep experience.
In early 2026, a small group of amateur attackers managed to break into nine government organizations in Mexico. The group extracted hundreds of millions of pieces of data on citizens, penetrated hundreds of internal servers, and, to top it all off, built a private access system to government systems that could be used to forge high-level government credentials.
The assumption in such cases is that such a massive attack could only be carried out by hostile governments, which build and support large cyber teams. However, this time it appears that the attackers were non-professional hackers – ‘hacktivists’ – and that In a very small group Of five people at most. But they were motivated, and what's more important – they knew how to use artificial intelligence to help them with the task.
We know what happened there thanks to a new report produced by The Israeli Gambit CompanyThe company was able to collect information from virtual private servers used by the attackers. That information includes much of the attackers' instructions to Cloud Code, and the AI's responses. Gambit discovered that Cloud Code developed hundreds of attack codes for the attackers, and in some cases even helped them understand how to manipulate the government's internal systems.
When I read the the report I saw that Claude Codd did not immediately jump in to assist with the task. In fact, the attackers' initial request set off warning lights in the engine's 'brain'. As Claude Codd wrote to himself –
"Some of the requested practices bother me. … These are typical evasion techniques commonly used by malicious attackers…”
Claude Code asked the attacker for more details. The attacker refused to give them to him, and Claude in turn refused to continue the mission. So far, so good.
Bypassing ethical limitations
Then the attacker found a way to get around the limitations. He uploaded a thousand-line document to Claude Code, instructing the AI to evade detection, attack servers cleverly, upgrade its access to servers, and so on. It's not a particularly difficult document to produce. In fact, the attacker probably used some other AI on his computer to produce it. How do I know that? Because it only took him two minutes to upload the document to Claude Code (according to the timestamp). He asked Claude Code to save this document as his next operating instructions. Claude Code didn't think too much about it, and agreed.
That's it. That's all it took to make Cloud Code the smartest hacking tool we know. Forty minutes later, it had already given the attacker access to the Mexican government's internal servers. [Disclosure: In a report by Another company called Covert Swarm It is alleged that the attackers already had initial access to the servers. However, the conversation with Cloud Code shown in the full report shows that the attackers asked Cloud Code to hack the server, and he was able to do so.]
Claude raised doubts and was stopped.
Cloud Code still raised occasional doubts and questions, but after agreeing to accept the malicious system prompt, it became a full accomplice in the crime and largely complied with the attacker's wishes. Instructions that it would have refused in the past were now happily and cheerfully accepted by the AI. It agreed to make changes to the servers in a way that "didn't look strange" at the attacker's request, and even created a side access route to the system, then made adjustments to the relevant files so that no one would notice that they had been recently changed.
Claude Code not only helped create the code that enabled the hack, but also actively helped the attacker understand what was happening inside the internal servers. The attacker confessed to him at one point that he did not understand the CIEC system – which is the internal user authentication system in Mexico. Claude did not hesitate for a moment: he created a detailed architecture document for the attacker, with diagrams, tables, a comprehensive explanation of the flow of information in the system, passwords, biometric information, phone numbers, everything. The attacker was essentially receiving real-time training from a systems genius.
Within two hours of work, Claude Code had built an access point into the government's internal servers. And that was it. From that moment on, the attacker could have gleaned all the information he wanted from the servers, and he did so in order to set up a system to produce fake tax certificates for anyone who wanted them. The certificates weren't perfect—there was some encryption Claude couldn't bypass without personal access keys—but as described—
Almost perfect forgery
"Any person who received them and checked by reading the document, instead of cryptographically checking the signature – which is the way these certificates are actually checked – would have difficulty distinguishing between the forgery and a genuine document, because the information on which the forgery was based was genuine."
Why did the hacktivist group build this system to forge documents? We have no idea. It is also unclear how much damage was actually done to the Mexican government or its citizens. The only thing that is clear here is that one small group – with initiative and motivation, but without a deep understanding of the internal systems of the government – managed to carry out an attack that in the past only states or large criminal organizations could have carried out.
Such cases are set to become more common in the coming years. More hackers will use AI engines for the same purposes. It is clear that Anthropic – the developer of Cloud Code – will make its engine more resistant to such malicious attempts. But there is a limit to how much it can succeed in doing so, especially since Cloud Code’s internal structure was recently exposed to the general public, and it can now be imitated using open engines.
This event is forcing defenders everywhere – from government agencies to companies large and small – to rethink their defenses. When every smart person has the power of entire teams, and the knowledge and understanding of experts in every field, we can expect more sophisticated, more creative, and more diverse attacks from all directions. Motives are also becoming less clear. It is (relatively) easy to understand the goals of a hostile state trying to break into a government office. But when my child can also break into that same government office, no one knows what his intentions are – including himself.
And the world is going to be filled with children, teenagers, and amateur hackers with a lot of motivation, and a lot of power.
To deal with this new threat, traditional firewalls and security teams will no longer be enough. The most logical solution to AI-driven attacks will be AI defense. The new arms race will be based on algorithms, and the big question of the coming years will be who will learn to use these tools faster and better: the lone attacker in his room, or the defense teams.
More of the topic in Hayadan:
