How a Hacker Used Claude and ChatGPT to Breach Multiple Government Agencies

by Sneha Singh
April 13, 2026
in Tech, World
A lone threat actor compromised nine Mexican government agencies, extracting hundreds of millions of citizens’ data in a coordinated cyberattack operation. The operation ran from late December 2025 to mid-February 2026 and shows a notable change in how contemporary attacks are carried out.

Gambit Security researchers published a comprehensive technical report after the initial responses from the affected agencies. The findings show that artificial intelligence was used throughout the operation, in both planning and execution.

Claude and ChatGPT as active operators

The perpetrator relied heavily on two artificial intelligence systems: Claude Code from Anthropic and GPT-4.1 from OpenAI.

Claude Code carried out most of the hands-on activity. Forensic data indicates that it generated and executed roughly 75% of all remote commands during the incident. The perpetrator established 34 active sessions through the compromised systems and made 1,088 requests, which generated 5,317 commands.

Such automation is not common in cybersecurity breaches. During a regular attack, perpetrators typically develop scripts before launching them or execute commands manually. In the present case, the artificial intelligence functioned as an almost live operator, performing operations based on user instructions.

Concurrently, GPT-4.1 handled reconnaissance and data processing. The attacker developed a custom Python script of over 17,000 lines of code. This program sent raw data from the compromised machines to the OpenAI API for analysis.

The AI-Accelerated Breach, Small Teams, High-Speed Scale

The program analyzed a total of 305 servers within the network and produced 2,597 reports. With the AI's assistance, one individual performed work that would otherwise have required a team.

Using AI, the attacker was able to map unknown networks within a matter of hours. Without the technology, the process would have taken days or even weeks. Fast mapping enabled the attacker to work much faster than detection programs can.

Moreover, the investigators found over 400 attack scripts. On top of that, the attacker designed 20 specific attacks based on 20 publicly identified vulnerabilities (CVEs).

This compressed timeline gave defenders less time to react. By the time alerts triggered, the attacker had often already moved deeper into the network or extracted data.

Despite the advanced tools, the entry points were not complex. The attacker exploited basic security gaps. These included unpatched systems, weak credentials, and poor network controls.


This detail matters. It shows that the attack did not depend on zero-day exploits or rare techniques. Instead, it combined common weaknesses with high-speed execution.

The result was severe. Once inside, the attacker moved laterally across systems with little resistance. Sensitive data flowed out before many defenses could respond.

This campaign highlights a change in how attacks scale. AI lowers the effort needed to run complex operations. A single attacker can now perform tasks that once required a full team.

The use of AI also reduces friction. Instead of writing every command or script, the attacker can rely on the model to generate and execute steps on demand. This creates a more adaptive and fluid attack process.

The Future of Cyber Defense

At the same time, the core risks remain familiar. Weak patching, poor credential hygiene, and flat networks still open the door.

The response does not require new or exotic tools. The basics still work, but they must be applied with discipline.

Organizations need to patch systems on time. Known vulnerabilities should not stay open. Regular updates close many of the paths attackers use.

Credential management is also critical. Strong passwords, rotation policies, and multi-factor authentication can limit access. Stolen credentials should not grant wide control.

Network segmentation adds another layer of defense. It limits how far an attacker can move after the first breach. If one system falls, others remain isolated.

Finally, endpoint detection and response tools help spot unusual activity. These tools must track behavior in real time, since AI-driven attacks move quickly.
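One way to act on that speed signal, as an added example that is not from the article or the Gambit Security report: flag sessions whose command cadence exceeds what a person types by hand. The log format, session names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: "ISO-timestamp host session command".
# Hypothetical format and values; not data from the incident.
SAMPLE_LOG = """\
2026-01-10T09:00:00 web01 s-admin ls -la /var/www
2026-01-10T09:04:30 web01 s-admin systemctl status nginx
2026-01-10T09:11:12 web01 s-admin tail -n 50 /var/log/nginx/error.log
2026-01-10T02:14:00 db02 s-7f3a hostname
2026-01-10T02:14:02 db02 s-7f3a uname -a
2026-01-10T02:14:03 db02 s-7f3a df -h
2026-01-10T02:14:05 db02 s-7f3a ps aux
2026-01-10T02:14:06 db02 s-7f3a ss -tln
2026-01-10T02:14:08 db02 s-7f3a ip route
"""

def parse(log):
    """Yield (timestamp, host, session, command); skip blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue  # unparseable timestamp

def burst_sessions(log, max_cmds=5, window_s=10):
    """Return {session: peak commands in any window_s-second window}
    for sessions whose peak exceeds max_cmds (assumed thresholds)."""
    window = timedelta(seconds=window_s)
    by_session = defaultdict(list)
    for ts, _host, session, _cmd in parse(log):
        by_session[session].append(ts)
    flagged = {}
    for session, stamps in by_session.items():
        stamps.sort()  # log lines may arrive out of order
        recent, peak = deque(), 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()  # drop events older than the window
            peak = max(peak, len(recent))
        if peak > max_cmds:
            flagged[session] = peak
    return flagged
```

Thresholds need tuning against legitimate automation such as configuration management or backup jobs, which also run commands at machine speed.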

This incident shows that AI can amplify both speed and scale in cyberattacks. Yet the foundation of defense remains the same. Strong basics, applied well, still offer the best protection.

 
