
Hacker used Anthropic's Claude to steal sensitive data from several Mexican agencies
A hacker weaponized Anthropic’s Claude AI chatbot to penetrate multiple Mexican government agencies and steal enormous quantities of sensitive data.
The attacks resulted in the theft of 150 gigabytes of material, including taxpayer records covering 195 million people, voter registration information, government employee credentials, and civil registry files.
Compromised entities include the federal tax authority, the national electoral institute, the governments of Jalisco, Michoacán, and Tamaulipas states, Mexico City’s civil registry, and Monterrey’s water utility.
Using carefully crafted Spanish prompts, the attacker turned Claude into a hacking assistant capable of identifying vulnerabilities, writing exploit scripts, and automating data exfiltration.
The chatbot initially warned against malicious use but was successfully jailbroken after persistent probing, and it then carried out thousands of commands on government systems.
When Claude resisted specific demands, the hacker switched to OpenAI’s ChatGPT to receive guidance on lateral movement through networks, credential requirements, and minimizing detection risk.
Cybersecurity researchers at Gambit Security documented the month-long operation that began in December.
“In total, it produced thousands of detailed reports that included ready-to-execute plans, telling the human operator exactly which internal targets to attack next and what credentials to use,” Curtis Simpson, Gambit’s chief strategy officer, said.
The case demonstrates how frontier AI models from leading companies are being directly harnessed for sophisticated state-level data theft and cyber espionage.
Gambit CEO Alon Gromakov warned, “This reality is changing all the game rules we have ever known.”