A sophisticated cyberattack has compromised nine Mexican government agencies, resulting in the theft of millions of citizen records. This breach, orchestrated by a single threat actor, underscores a significant evolution in cyber threat tactics.
The attack occurred between late December 2025 and mid-February 2026, illustrating a swift and dangerous shift in the cybersecurity landscape. Gambit Security researchers have unveiled a detailed report on this intrusion, emphasizing the role of commercial artificial intelligence platforms in the operation. The report’s release was postponed to allow affected agencies to manage their incident responses effectively.
Leveraging AI for Cyber Intrusions
In this campaign, the attacker utilized Anthropic’s Claude Code and OpenAI’s GPT-4.1, not only for initial planning but as integral tools throughout the operation. These AI models significantly expedited the attack process.
According to forensic analysis, Claude Code was responsible for generating and executing about 75% of remote commands during the breach. The hacker conducted 1,088 individual prompts across 34 active sessions, leading to 5,317 AI-executed commands. This extensive use of AI highlights its deep integration into the exploitation phase.
AI-Driven Data Processing and Reconnaissance
Simultaneously, OpenAI’s GPT-4.1 facilitated rapid reconnaissance and data processing. The attacker crafted a 17,550-line Python script to channel raw data from compromised servers through the OpenAI API.
This automated system efficiently analyzed data from 305 internal servers, producing 2,597 structured intelligence reports. Such automation allowed a single operator to handle a workload typically requiring a full team, showcasing AI’s potential in cyber operations.
Exploiting Vulnerabilities with AI Efficiency
The integration of AI enabled the attacker to swiftly map unfamiliar networks, turning them into targeted objectives within hours. The hacker developed 20 tailored exploits for specific Common Vulnerabilities and Exposures (CVEs), compressing the attack timeline and evading standard detection methods.
Despite the advanced tactics employed, the exploited vulnerabilities were conventional, stemming from basic security gaps within the targeted agencies. These weaknesses, addressable through standard security measures, reflect an accumulation of technical debt in critical infrastructure.
While AI has simplified executing widespread cyberattacks, defensive strategies must evolve. Organizations should prioritize addressing unpatched software, enforcing strict credential policies, and implementing network segmentation to limit lateral movement after breaches.
Additionally, deploying robust endpoint detection tools is crucial to identifying compressed attack timelines before significant data exfiltration occurs.
Stay informed about the latest in cybersecurity by following us on Google News, LinkedIn, and X. Reach out to us to share your cybersecurity stories.
