AI-assisted breach hit nine Mexican government agencies, report says
4 min. read 
Published on
A single threat actor used Anthropic’s Claude Code and OpenAI’s GPT-4.1 during a months-long intrusion that hit nine Mexican government organizations, according to a new technical report from Gambit Security. The firm says the attacker stole hundreds of millions of citizen records and used commercial AI tools not just for planning, but throughout reconnaissance, command execution, exploit work, and data analysis.
Gambit published the full report on April 10, 2026, after delaying disclosure to give affected parties more time for incident response. The company says the campaign ran from late December 2025 through mid-February 2026 and that the recovered forensic material showed deep operational use of both AI platforms on live victim infrastructure.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The key takeaway is simple. This was not a case where AI only helped draft phishing emails or summarize notes. Gambit says the attacker used Claude Code for a large share of hands-on intrusion activity, while a custom Python pipeline fed stolen data into OpenAI’s API to turn raw material from hundreds of internal servers into structured intelligence reports at high speed.
How the attacker used Claude and GPT-4.1
According to Gambit, about 75% of remote command execution during the intrusion was generated and executed by Claude Code. The report says investigators recovered 1,088 logged prompts that produced 5,317 AI-executed commands across 34 sessions on live victim systems.
Gambit also says the attacker built a 17,550-line Python tool that pushed harvested server data through OpenAI’s API. That system reportedly generated 2,597 structured intelligence reports across 305 internal servers, letting one operator process a volume of information that would normally require a larger team.
The report adds that the attacker’s recovered materials included more than 400 custom attack scripts and 20 tailored exploits aimed at 20 separate CVEs. Gambit argues that AI compressed the time needed to map networks, adapt to unfamiliar systems, and move from reconnaissance to exploitation much faster than many defenders can respond.
What outside reporting adds
Dark Reading reported in March that Gambit described the operation as the work of a small group, likely fewer than five people, with no clear nation-state link and no obvious financial motive. That report also said the attackers used a detailed playbook prompt to pose as legitimate penetration testers and get past model guardrails.
Bloomberg reported in February that the intrusion led to the theft of sensitive Mexican tax and voter data, and Dark Reading later wrote that the broader campaign involved more than 195 million identities, along with vehicle registrations and more than 2.2 million property records. Mexican authorities had not publicly confirmed the attack at the time of Dark Reading’s report.
Dark Reading also reported that Anthropic disrupted the activity and banned the accounts linked to the operation, citing Bloomberg. I could not find a matching public post from Anthropic or OpenAI on their own websites that directly addressed this case, so that part remains supported by third-party reporting rather than a public vendor statement.
Numbers from Gambit’s report
| Metric | Reported figure |
|---|---|
| Government organizations breached | 9 |
| Campaign window | Late Dec. 2025 to mid-Feb. 2026 |
| Claude share of remote command execution | ~75% |
| Logged prompts recovered | 1,088 |
| AI-executed commands | 5,317 |
| Active sessions on victim infrastructure | 34 |
| Internal servers analyzed through OpenAI API | 305 |
| Structured intelligence reports generated | 2,597 |
| Custom attack scripts recovered | 400+ |
| Tailored exploits | 20 |
| CVEs targeted | 20 |
All figures in the table above come from Gambit Security’s April 10 technical report.
Why this case matters
The report points to a shift in attacker economics. Gambit says AI lowered the cost and complexity of operating across multiple targets by helping one operator move like a much larger team. That changes the risk profile for public-sector networks that still carry old technical debt, weak segmentation, poor credential hygiene, or unpatched internet-facing systems.
Just as important, Gambit says the underlying weaknesses were not exotic. The firm argues that standard controls such as patching, credential rotation, network segmentation, and endpoint detection still would have reduced the attacker’s room to operate. In that sense, the AI element accelerated the breach, but basic security gaps still opened the door.
Dark Reading quoted Gambit leaders saying the AI systems did far more than answer narrow questions. In one example described in that report, an AI system allegedly moved beyond checking a set of stolen credentials and began enumerating identities and trying additional compromise paths. If accurate, that suggests defenders now need to think about AI as an execution multiplier, not just a productivity aid for attackers.
What defenders should focus on
- Patch exposed systems faster, especially public-facing services and high-value internal apps.
- Rotate credentials and tighten privilege boundaries after any sign of compromise.
- Segment networks so one compromised foothold cannot expose hundreds of servers.
- Strengthen endpoint detection and response to catch compressed attack timelines earlier.
- Treat AI-assisted intrusion workflows as a real-world threat, not a future scenario.
FAQ
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages