Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent.
Its Threat Research Team calls the operator JADEPUFFER and says a large language model handled the whole job: breaking in, stealing credentials, moving deeper into the network, then encrypting and wiping a company’s production database.
Ransomware has always needed a skilled person somewhere in the loop, either at the keyboard or writing the script the malware follows. If a model can chain those steps on its own, the skill needed to run an attack drops to whatever it costs to rent an AI agent.
The way in was an old, already-patched bug. JADEPUFFER exploited CVE-2025-3248, a missing-authentication flaw in Langflow, an open-source tool for building AI apps and agent workflows. The flaw lets anyone who can reach the server run their own Python code on it, no login needed.
Langflow boxes are a tempting target because they often sit exposed on the internet and hold API keys and cloud credentials for the services they connect to.
The flaw was fixed in Langflow 1.3.0 and added to CISA’s Known Exploited Vulnerabilities list in May 2025, but plenty of servers were never updated. It is not even the only Langflow bug being hit this way.

Once inside, the agent worked fast and cleaned up after itself. It mapped the machine, then swept it for secrets: API keys for AI services (OpenAI, Anthropic, DeepSeek, Gemini), cloud credentials (Chinese providers like Alibaba and Tencent alongside AWS, Google, and Azure), crypto wallet keys, and database logins.
It raided a MinIO storage server using its factory-default login (minioadmin:minioadmin), which had never been changed. It also set up a way back in, adding a scheduled task that pinged the attacker’s server every 30 minutes.
Then it pivoted to its real target: a separate, internet-facing server running a MySQL database and Alibaba’s Nacos, a settings and service directory common in microservice setups. The agent logged into the database as root.
Sysdig says it never saw where those root credentials came from, so their origin is unknown. From there, it took over Nacos using a 2021 authentication bypass (CVE-2021-29441) and a default signing key that Nacos has shipped unchanged since 2020, then planted its own admin account.
The Ransom Note With No Key
The agent encrypted all 1,342 Nacos settings, dropped the original tables, and left a ransom note demanding Bitcoin with a Proton Mail contact. It generated a random encryption key, printed it to the screen once, and never saved or sent it anywhere.
There is no key to hand over. The victim cannot get the data back even if they pay. (The note claims AES-256; Sysdig notes the tool it used defaults to weaker AES-128, though the result is the same.)
It then went further, deleting whole databases and leaving a comment in its own code claiming it had already copied the data somewhere else.

Sysdig says that is the agent talking, not something the team could confirm, and it found no evidence that any data had actually been copied out.
How Experts Know an AI Was Driving
The clearest sign was the code itself. The attack payloads were full of plain-English notes explaining why each step was being taken, the kind of running commentary a human hacker never bothers to write but a model produces by default. The agent also fixed its own mistakes at machine speed.
In one case, it went from a failed login to a correct, multi-step fix in 31 seconds, diagnosing the exact cause instead of blindly retrying. Sysdig counted more than 600 separate, purposeful payloads across the operation.
One detail is still a puzzle. The Bitcoin address in the ransom note is the exact sample address that appears throughout Bitcoin’s own developer documentation, which means it shows up all over the text these models are trained on. It is also a real, active wallet with a long history of payments.
Sysdig cannot tell whether the model simply pasted a familiar-looking address from memory, or whether the operator deliberately used a real wallet that happens to match the famous example.
Part of a Bigger Shift
JADEPUFFER is the latest step in a fast-moving year for AI-driven attacks. In August 2025, researchers at ESET flagged PromptLock, billed as the first AI-powered ransomware; it later turned out to be a lab prototype from NYU called Ransomware 3.0, not a real attack.
Around the same time, Anthropic reported a real extortion campaign that used its Claude Code tool to hit at least 17 organizations, with demands topping $500,000, though a human still steered that one.
In November 2025, Anthropic disclosed what it called the first largely autonomous cyberattack, a Chinese state-linked spying effort that had Claude write exploits and steal data with little human help. That operation also had the AI inventing credentials that did not exist, possibly the same kind of hallucination behind JADEPUFFER’s odd Bitcoin address.
The pieces of a serious attack are getting automated, and old, unpatched software is the easy first target. Agents make spraying the entire back catalogue of known bugs nearly free, so neglected servers get more exposed, not less.
What Defenders Should Do
The fixes are familiar. Patch Langflow and never expose its code-running endpoints to the internet. Do not run AI tools with cloud keys and provider credentials sitting in their environment; keep secrets in a proper manager, away from anything the web can reach.

Harden Nacos: change the default signing key, keep it off the public internet, and never let it connect to its database as root. Never expose a database’s admin account to the internet, and lock down outbound traffic so a hacked server cannot phone home.
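As an added example (not Sysdig's tooling), the audit below checks a deployment for three of the weaknesses named above: credentials in the AI tool's environment, MinIO still on its factory-default login, and Nacos connecting to its database as root. The input shape, the name-ending pattern and all sample values are assumptions made for illustration; `MINIO_ROOT_USER`, `MINIO_ROOT_PASSWORD` and `db.user.N` are the products' own setting names.

```python
import re

# Variable-name endings that usually mark credentials (assumed list; extend locally).
SECRET_NAME = re.compile(r"(API_KEY|ACCESS_KEY|SECRET|TOKEN)$", re.I)
MINIO_DEFAULT = "minioadmin"  # factory-default user and password named above

# Constructed sample inputs: a weak deployment and a corrected one.
WEAK = {
    "ai_tool_env": {"OPENAI_API_KEY": "sk-constructed",
                    "AWS_SECRET_ACCESS_KEY": "constructed", "PORT": "7860"},
    "minio_env": {},  # root user and password never set
    "nacos_properties": "# datasource\ndb.num=1\ndb.user.0=root\ndb.password.0=constructed\n",
}
HARDENED = {
    "ai_tool_env": {"PORT": "7860"},  # keys come from a secrets manager instead
    "minio_env": {"MINIO_ROOT_USER": "svc-minio",
                  "MINIO_ROOT_PASSWORD": "constructed-long-random"},
    "nacos_properties": "db.num=1\ndb.user.0=nacos_app\ndb.password.0=constructed\n",
}

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(ai_tool_env, minio_env, nacos_properties):
    findings = []
    for name in sorted(ai_tool_env):
        if SECRET_NAME.search(name) and ai_tool_env[name]:
            findings.append(f"ai-tool env holds credential {name}")
    # An unset MinIO root user or password falls back to the factory default.
    user = minio_env.get("MINIO_ROOT_USER", MINIO_DEFAULT)
    password = minio_env.get("MINIO_ROOT_PASSWORD", MINIO_DEFAULT)
    if user == MINIO_DEFAULT and password == MINIO_DEFAULT:
        findings.append("minio uses factory-default login")
    props = parse_properties(nacos_properties)
    for key in sorted(props):
        if re.fullmatch(r"db\.user(\.\d+)?", key) and props[key].lower() == "root":
            findings.append(f"nacos connects to its database as root ({key})")
    return findings
```

Calling `audit(**WEAK)` returns four findings and `audit(**HARDENED)` returns none; the MinIO check treats unset variables as the default login because that is what the server falls back to.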
Because attackers can now weaponize a fresh advisory in hours, Sysdig argues that watching for bad behavior at runtime matters more than racing to patch.
Sysdig’s published indicators for this operation include:
- Entry point: CVE-2025-3248 (Langflow unauthenticated remote code execution)
- Command-and-control: 45.131.66[.]106, with a beacon to hxxp://45.131.66[.]106:4444/beacon every 30 minutes
- Claimed staging server: 64.20.53[.]230
- Ransom Bitcoin address: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy; contact e78393397[@]proton[.]me; ransom table named README_RANSOM
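To show how the indicators above and the runtime-monitoring argument fit together, here is an added example (not Sysdig's detection logic) that scans egress records for the listed addresses and, going beyond the published indicators, for any flow with a steady 30-minute cadence like the beacon described. The log format, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Indicators as published on this page, stored defanged.
DEFANGED_IOCS = ["45.131.66[.]106", "64.20.53[.]230"]

# Constructed egress log (timestamp, source, destination:port); not real telemetry.
SAMPLE_LOG = """\
2026-01-10T00:00:05Z 10.0.0.5 45.131.66.106:4444
2026-01-10T00:01:00Z 10.0.0.7 203.0.113.9:443
2026-01-10T00:03:10Z 10.0.0.7 203.0.113.9:443
2026-01-10T00:10:00Z 10.0.0.8 198.51.100.20:8080
2026-01-10T00:30:03Z 10.0.0.5 45.131.66.106:4444
2026-01-10T00:40:01Z 10.0.0.8 198.51.100.20:8080
2026-01-10T00:47:00Z 10.0.0.7 203.0.113.9:443
2026-01-10T01:00:07Z 10.0.0.5 45.131.66.106:4444
2026-01-10T01:02:30Z 10.0.0.7 203.0.113.9:443
2026-01-10T01:10:00Z 10.0.0.8 198.51.100.20:8080
2026-01-10T01:30:04Z 10.0.0.5 45.131.66.106:4444
2026-01-10T01:40:02Z 10.0.0.8 198.51.100.20:8080
"""
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)$")

def parse(log):
    """Group connection timestamps by (source, destination, port)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            flows[(m.group(2), m.group(3), int(m.group(4)))].append(ts)
    return flows

def find_beacons(log, period=1800, tolerance=60, min_hits=4):
    """Flag flows to a listed indicator or with a steady ~30-minute cadence."""
    iocs = {i.replace("[.]", ".") for i in DEFANGED_IOCS}  # refang at match time
    findings = []
    for (src, dst, port), times in sorted(parse(log).items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = (len(times) >= min_hits
                    and abs(mean(gaps) - period) <= tolerance
                    and pstdev(gaps) <= tolerance)
        if dst in iocs or periodic:
            findings.append((src, dst, port, dst in iocs, periodic))
    return findings
```

Each finding is `(source, destination, port, matched_indicator, periodic)`. On the sample log the cadence test also flags 10.0.0.8, whose destination is on no list, which is the case an indicator match alone would miss.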
Sysdig calls JADEPUFFER a warning sign rather than a crisis. None of the individual moves was clever or new. What is new is that a model stitched them into a complete attack against a neglected server, on its own.
Expect more of the same as agent tools mature, and treat any exposed server, config store, or database admin login as something a machine will probe, not just a person.

