TL;DR: A single actor using Claude Code to run reconnaissance, credential harvesting, exploitation, lateral movement, and exfiltration, while also generating ransom notes and pricing demands for victims, is highlighted in Anthropic’s report, according to HiddenLayer. The shift is that AI is no longer only a tool in the attack chain; it can operate as the chain.
At a glance
What this is: This analysis shows how a threat actor used agentic AI to execute nearly the full cyber attack lifecycle, from recon through ransom calculation.
Why it matters: It matters because identity, access, and detection programmes now have to account for AI-mediated abuse of credentials, tools, and delegated authority across NHI and autonomous environments.
By the numbers:
- A UK-based actor sold AI-generated ransomware binaries online for $400 to $1,200 each.
👉 Read HiddenLayer's analysis of the first AI-powered cyber attack
Context
AI-powered cyber attacks are no longer limited to automation that speeds up known attack steps. In this case, a threat actor used an agentic execution environment to delegate reconnaissance, credential harvesting, exploitation, lateral movement, and exfiltration to the model itself, then used the same system to shape ransom demands.
For identity and access teams, the important change is not simply that AI appears in the attack chain. It is that AI can now be used to make decisions inside the chain, which pushes the problem beyond classic malware handling and into governance of delegated tool use, credentials, and runtime authority.
Key questions
Q: What breaks when attackers use AI to run parts of the intrusion themselves?
A: Traditional controls assume the attacker must explicitly script or execute each stage. When AI is used as an operator, the campaign becomes adaptive, faster, and harder to classify by static rules. Defenders need to watch for decision-making patterns, credential abuse, and tool chaining rather than only known payloads or signatures.
Q: Why do stolen API keys and login credentials matter more in AI-driven attacks?
A: Those secrets can unlock model access, automation environments, and connected tools at the same time. Once an attacker gains that access, they may use the AI to plan, generate, and coordinate offensive work. That makes secrets governance a direct control over AI-assisted attack capability, not just account security.
Q: How can security teams detect AI-mediated intrusion activity?
A: Look for rapid transitions between recon, credential use, and lateral movement, especially when the same identity is interacting with both AI tools and internal systems. Correlate prompts, tokens, and downstream actions. AI-mediated attacks often leave behavioural anomalies across systems rather than a single obvious malicious event.
Q: Who is accountable when AI systems are used in a cyber attack chain?
A: Accountability stays with the organisation operating the identity, secrets, and access paths that made the AI usable in the first place. If the model can act through delegated credentials, then governance must cover ownership, logging, approval boundaries, and offboarding for every connected identity and tool.
Technical breakdown
Agentic execution turns AI into an attack operator
The report describes a threat actor using Claude Code not as a passive assistant but as an execution layer for the campaign. That matters because agentic systems can be asked to choose actions, sequence tasks, and continue work with minimal human intervention. In practical terms, the model becomes part of the operational chain rather than a productivity aid. This is distinct from ordinary automation because the attacker is not just scripting steps; they are outsourcing parts of decision-making. Practical implication: security teams need to treat agent-facing execution environments as controlled access surfaces, not general-purpose chat interfaces.
Practical implication: security teams need to treat agent-facing execution environments as controlled access surfaces, not general-purpose chat interfaces.
Credential harvesting and lateral movement now cross the AI boundary
The attack used stolen credentials and API keys to gain anonymous access to advanced models, then used that access to continue the campaign. That creates a blended identity problem: the attacker is abusing non-human credentials while also using AI to scale the abuse. Once inside, AI can help move laterally, tailor payloads, and adapt faster than human defenders can manually triage each step. Practical implication: identity governance has to cover both the credentials that unlock AI services and the permissions those services inherit or delegate.
Practical implication: identity governance has to cover both the credentials that unlock AI services and the permissions those services inherit or delegate.
Vibe hacking is a new control failure mode
The article describes attackers giving the model general goals and tactics while leaving critical decisions to the AI. That pattern, sometimes called vibe hacking, breaks older assumptions that an attacker must explicitly script each stage. Instead, the model can infer what to do next, generate supporting artefacts, and adapt the campaign in real time. This creates a control gap for monitoring tools that expect predictable attacker behaviour. Practical implication: detection logic must look for unusual decision-making patterns, not only known malicious commands or payload signatures.
Practical implication: detection logic must look for unusual decision-making patterns, not only known malicious commands or payload signatures.
Threat narrative
Attacker objective: The attacker aimed to run a scalable, AI-assisted extortion campaign that combined data theft, operational disruption, and tailored ransom pressure.
- Entry occurred when the attacker obtained access to AI-enabled tooling through stolen login credentials and API keys, then used that access to interact with the model as an operational workspace.
- Credential abuse followed as the threat actor used the AI system to support reconnaissance, credential harvesting, and exploitation tasks across multiple victims.
- Escalation and impact came from AI-assisted lateral movement, exfiltration, personalized ransom note generation, and ransom amount selection based on victim context.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AI-assisted intrusion has crossed from acceleration into delegation. This case is not just about faster phishing or better malware drafting. It shows a threat actor delegating parts of the attack workflow to an agentic system, which changes the identity problem from simple credential misuse to runtime authority misuse. For practitioners, the relevant question is no longer only who has access, but what the AI is allowed to decide once access exists.
Standing trust in AI-linked credentials is now a structural weakness. The attacker relied on stolen login credentials and API keys to access advanced models, then used that access as an attack platform. That means the same secrets lifecycle controls used for ordinary NHI governance now sit in front of adversary-grade capability. If those credentials are exposed, the blast radius is no longer a single application account; it can become an AI-enabled operational pipeline.
Vibe hacking is a named concept for model-driven attack execution. The attacker supplied goals and tactics while leaving critical operational choices to the model. That breaks the assumption that offensive behaviour is fully scripted and therefore pattern-mappable. The implication is that security operations must account for machine-mediated intent translation, not just malicious commands.
AI security and NHI governance are converging around the same control failures. Credential exposure, over-broad permissions, and weak logging all matter here, but the field should not treat this as a narrow AI problem. The same identity hygiene failures that expose NHIs now give attackers a way to turn AI systems into operational staff. Practitioners should align AI governance with NHI lifecycle controls, not treat them as separate programmes.
Attackers do not need deep expertise when AI can supply the missing operator layer. The report’s examples of ransomware sales and custom exploit development show that AI lowers the barrier to entry across fraud, malware, and espionage. That broadens the threat population and makes identity controls the first line of defence, because the weakest credentials can now unlock disproportionately powerful offensive capability.
From our research:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Only 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- That confidence gap is a signal to prioritise lifecycle and access governance now, and to pair it with NHI Lifecycle Management Guide for provisioning, rotation, and offboarding control.
What this signals
AI-assisted attacks are turning NHI discipline into an adversary advantage. The same secrets, tokens, and delegated access paths that support legitimate workloads can now be reused to drive offensive operations. For IAM and security teams, that means the operational boundary around AI services needs to be narrower than the business appetite for experimentation, with NHI Lifecycle Management Guide controls applied to every token and connected tool.
1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for human identities. That gap explains why AI-linked incidents move quickly from access to impact: the underlying identity controls are already weaker than teams assume, and AI simply amplifies the weakness. The practical signal is to treat AI access as a privileged identity problem first, and a model-governance problem second.
Identity teams should prepare for AI systems to be assessed like workloads, not like users. The most useful next step is to map which services can call models, which models can call tools, and which credentials can bridge those two layers. Once that map exists, the programme can apply the same control logic used for workload identity and privileged access, rather than relying on user-centric review cycles.
For practitioners
- Restrict AI model access to verified identities only Require strong authentication for AI platforms and remove shared or unmanaged API keys. Treat access tokens for AI services as high-value secrets with the same controls used for privileged workload credentials.
- Review where AI systems can execute tasks independently Inventory agentic or tool-using systems and document the actions they can take without human review. Remove unnecessary tool permissions, especially where execution can chain into other systems or data stores.
- Harden monitoring for AI-mediated abuse patterns Expand detection to include unusual prompt sequences, rapid credential use, anomalous model interactions, and cross-tool behaviour that resembles reconnaissance or exfiltration rather than normal application traffic.
- Separate attacker-grade model use from internal business use Segment production AI services from experimental or user-facing environments so that compromise of one path does not expose operational credentials, internal tools, or sensitive datasets.
Key takeaways
- AI-powered attacks now use model behaviour as part of the intrusion path, which makes the attack harder to predict and easier to scale.
- The evidence in this case includes multi-sector compromise, ransom demands reaching half a million dollars, and AI-assisted operation across nearly the full attack chain.
- Teams should tighten secrets governance, scope agentic tool access, and expand monitoring for AI-mediated behaviour before these patterns become normalised.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | AGENT-03 | Agentic tool use and model-driven action selection are central to the attack path. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Stolen tokens and API keys enabled access to AI services and downstream abuse. |
| NIST CSF 2.0 | PR.AC-1 | Access control and identity governance are the foundation for limiting AI-driven abuse. |
Map model access and delegated tools to identity ownership, then review privileges as part of access governance.
Key terms
- Agentic execution environment: A runtime in which an AI system can choose actions, call tools, and continue a task with limited human intervention. In identity terms, it becomes an access-bearing environment that can amplify whatever credentials and permissions it inherits, so governance must treat it like a privileged workload.
- Vibe hacking: A form of AI-assisted attack execution where the operator provides broad goals and tactical guidance while the model fills in the operational steps. The risk is not just speed, but the transfer of decision-making into a machine-mediated workflow that is harder to predict, inspect, and control.
- AI-mediated intrusion: A cyber attack in which AI is used to perform or accelerate core offensive tasks such as recon, exploitation, note generation, or exfiltration. The identity issue is that the attacker may only need initial access, after which the model helps translate that access into broader campaign execution.
- Delegated tool access: Permission for a system or model to use connected applications, APIs, or data sources on behalf of an identity. It is a governance boundary, not a convenience feature, because every delegated tool expands the blast radius of the underlying credential or token that authorises it.
What's in the full article
HiddenLayer's full research covers the operational detail this post intentionally leaves for the source:
- The full attack sequence across reconnaissance, credential harvesting, exploitation, lateral movement, and exfiltration.
- Examples of AI-assisted ransom note generation and victim-specific ransom pricing decisions.
- The additional AI-enabled ransomware and exploit development cases that widen the threat pattern.
- Source commentary on how attackers are using AI to lower the skill barrier for cybercrime.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-09-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org