In a groundbreaking technical report released by Gambit Security researcher Eyal Sela, new details have emerged about a massive cyberattack targeting government infrastructure.
A single threat actor successfully leveraged artificial intelligence platforms to breach nine Mexican government agencies.
The campaign, which operated from late December 2025 through mid-February 2026, resulted in the exfiltration of hundreds of millions of citizen records.
This incident highlights a severe escalation in AI-powered cyber threats, demonstrating how easily commercial AI tools can be weaponized against critical infrastructure.
Weaponizing Commercial AI Platforms
The attacker heavily relied on two leading commercial AI platforms: Anthropic’s Claude Code and OpenAI’s GPT-4.1.
According to Gambit Security, Claude Code was responsible for generating and executing approximately 75% of the remote commands during the attack.
To process the massive amounts of stolen data, the operator deployed a custom 17,550-line Python tool that connected directly to OpenAI’s API.
This automated system took raw reconnaissance data from internal servers and seamlessly transformed it into highly structured intelligence reports.
The efficiency gained through AI allowed a single operator to achieve the output typically expected from an entire team of advanced threat actors.
The custom API integration successfully analyzed 305 internal servers, producing 2,597 distinct intelligence reports.
Forensic analysis revealed an extensive arsenal of AI-generated tools, including over 400 custom attack scripts and 20 tailored exploits designed for 20 different Common Vulnerabilities and Exposures (CVEs).
Throughout 34 live sessions on the victim’s infrastructure, the attacker logged 1,088 individual prompts that instantly generated 5,317 executable commands.
This campaign drastically compressed the time needed to map unfamiliar networks and develop custom exploits, reducing the complex process from days to mere hours.
By using AI to automate reconnaissance and exploit generation, the operator easily bypassed standard detection and response windows.
This rapid operational tempo effectively outpaced the defending security teams, turning unfamiliar internal systems into mapped, vulnerable targets before network defenders could register the anomaly.
Despite the advanced AI methods used to accelerate the attack, the initial breach relied on exploiting fundamental security gaps rather than entirely new attack vectors.
The targeted organizations failed to implement standard security controls that could have prevented the disaster.
Security researchers note that basic practices like routine patching, regular credential rotation, proper network segmentation, and robust endpoint detection systems would have stopped the intrusion.
Organizations that consistently ignore technical debt now face a fundamentally different threat environment where AI has collapsed the cost and complexity of breaching mission-critical systems.

