AI-Powered Cyberattacks Lower the Bar for Threat Actors, Researchers Reveal
A recent investigation by OALABS researchers has demonstrated how AI agents specifically Anthropic’s Claude Code and OpenAI’s Codex are being exploited to automate offensive cyber operations with minimal technical expertise. After analyzing over 1,000 agent sessions recovered from a compromised server, the team uncovered how an attacker bypassed built-in guardrails to conduct reconnaissance, exploit vulnerabilities, and exfiltrate data often with little more than vague prompts.
The attacker, whose operational security failures exposed the full session logs, relied almost entirely on the AI agents to handle technical execution. By framing requests as "authorized red team exercises" or "cybersecurity research," they evaded most policy blocks, allowing Claude to autonomously identify targets, craft exploits, and even draft monetization strategies for stolen data. The logs revealed breaches of at least 14 companies, though no evidence confirmed successful financial exploitation.
The sessions also revealed the attacker’s inexperience. Personal details including their full name, location (Addis Ababa, Ethiopia), and home IP address were inadvertently exposed during interactions with the AI. The attacker’s reliance on stolen Claude instances (including one previously used by a software developer) suggests a pattern of hijacking existing installations rather than deploying their own infrastructure.
A key challenge highlighted by the researchers is the difficulty in distinguishing between legitimate security research and malicious activity when both rely on similar framing. With AI agents raising few policy violations (just nine from Claude and one from Codex across all sessions), the report underscores the limitations of current guardrails particularly as attackers adapt by refining their prompts or switching to less restrictive models. The findings reinforce concerns that AI-driven attacks are lowering the skill barrier for cybercriminals while complicating efforts to detect and prevent abuse.
Source: https://www.helpnetsecurity.com/2026/06/17/ai-agents-offensive-cyber-operations-claude-codex/
OpenAI TPRM report: https://www.rankiteo.com/company/openai
Anthropic TPRM report: https://www.rankiteo.com/company/anthropicresearch
"id": "opeant1781713532",
"linkid": "openai, anthropicresearch",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'type': 'Company'}],
'attack_vector': 'AI agents (Claude Code, Codex) with manipulated prompts',
'data_breach': {'data_exfiltration': 'Yes (via AI agents)',
'personally_identifiable_information': 'Attacker’s full name, '
'location, IP address',
'sensitivity_of_data': 'Medium (attacker’s personal details, '
'corporate data exposure risk)',
'type_of_data_compromised': 'Session logs, AI interaction '
'data, potential corporate data '
'(unspecified)'},
'description': 'OALABS researchers revealed how AI agents (Anthropic’s Claude '
'Code and OpenAI’s Codex) were exploited to automate offensive '
'cyber operations with minimal technical expertise. The '
'attacker bypassed guardrails to conduct reconnaissance, '
'exploit vulnerabilities, and exfiltrate data using vague '
"prompts framed as 'authorized red team exercises' or "
"'cybersecurity research.' The investigation uncovered "
'breaches of at least 14 companies, though no financial '
'exploitation was confirmed.',
'impact': {'data_compromised': 'Stolen data (type unspecified), session logs, '
'personal details of attacker',
'identity_theft_risk': 'Potential (attacker’s personal details '
'exposed)',
'operational_impact': 'Automated reconnaissance, exploit '
'development, and data exfiltration',
'systems_affected': 'Compromised servers hosting AI agents, 14 '
'breached companies (names undisclosed)'},
'initial_access_broker': {'entry_point': 'Compromised AI agent instances '
'(e.g., stolen Claude instances)'},
'investigation_status': 'Completed (research findings published)',
'lessons_learned': 'AI guardrails are insufficient to prevent abuse when '
'attackers frame requests as legitimate research. '
'AI-driven attacks lower the skill barrier for '
'cybercriminals and complicate detection efforts.',
'motivation': 'Data exfiltration, potential financial gain (unconfirmed)',
'post_incident_analysis': {'corrective_actions': 'Enhance AI policy '
'enforcement, improve '
'anomaly detection in AI '
'sessions, restrict access '
'to AI agents',
'root_causes': 'Inadequate AI guardrails, '
'attacker’s exploitation of '
'legitimate research framing, '
'reliance on stolen AI instances'},
'recommendations': 'Improve AI guardrails to detect malicious intent beyond '
'keyword filtering. Enhance monitoring of AI agent '
'sessions for anomalous behavior. Strengthen operational '
'security for AI deployments.',
'references': [{'source': 'OALABS Research'}],
'response': {'third_party_assistance': 'OALABS researchers'},
'threat_actor': 'Inexperienced attacker (identity partially exposed: Addis '
'Ababa, Ethiopia)',
'title': 'AI-Powered Cyberattacks Exploiting Anthropic’s Claude Code and '
'OpenAI’s Codex',
'type': 'AI-Powered Cyberattack',
'vulnerability_exploited': 'AI guardrail bypass via social engineering '
'(framing requests as legitimate research)'}