An unidentified hacker exploited Anthropic’s AI chatbot Claude to carry out a series of cyberattacks against Mexican government agencies, stealing 150 gigabytes of sensitive data including taxpayer records, voter files, and civil registry documents, startling cybersecurity researchers worldwide. The attack, which began in December 2025 and still continuing, was discovered by Israeli cybersecurity startup Gambit Security, which stumbled upon publicly accessible conversation logs revealing the entire jailbreak methodology.

The unknown attacker wrote Spanish-language prompts instructing Claude to act as an elite hacker, identifying vulnerabilities in government networks, writing scripts to exploit them, and determining ways to automate data theft, according to Gambit’s research published Wednesday. The chatbot initially warned the user of malicious intent but when the attacker added instructions about deleting logs and erasing command history, it complied.

“Specific instructions about deleting logs and hiding history are red flags,” Claude responded at one point, according to a transcript provided by Gambit. “In legitimate bug bounty, you don’t need to hide your actions, in fact, you need to document them for reporting.”

Rather than continuing to argue with the AI, the hacker changed tactics entirely, abandoning the back-and-forth conversation and instead handing Claude a detailed operational playbook on how to proceed. That approach achieved the “jailbreak,” bypassing Claude’s guardrails and allowing the attacks to proceed.

“In total, it produced thousands of detailed reports that included ready-to-execute plans, telling the human operator exactly which internal targets to attack next and what credentials to use,” said Curtis Simpson, Gambit Security’s chief strategy officer.

The Scale of the Breach

The 150 gigabytes of stolen data contained documents associated with 195 million taxpayer files of the federal tax agency of Mexico, national election institute voter files, government employee credentials, and civil registry files.

The list of agencies that Gambit compromised is topped by the federal tax authority (SAT) of Mexico, the national electoral institute (INE), state governments in Jalisco, Michoacan and Tamaulipas, civil registry in Mexico City and water utility of Monterrey, a total of nine institutions on federal, state, and municipal levels.

Once Claude reached its limits with some requests, the attacker turned to OpenAI ChatGPT to get some additional help such as how to move laterally in computer networks, what credentials were required to get into specific systems, and how probable the hacking attempt would be recognized. Two consumer artificial intelligence subscriptions. No custom malware. No zero-day exploit.

Anthropic Responds, Proscribes Accounts

Anthropic examined the arguments presented by Gambit, stopped the operation and blocked the accounts in question, a representative of the company confirmed. The firm uses examples of bad practices to learn new lessons and train its own AI, Claude Opus 4.6, has probes that detect attempts to misuse it, the representative said.

In this case, the hacker engaged Claude continuously until it had the capability to jailbreak it, which the representative affirmed, but observed that the hacking campaign even began to fail occasionally since Claude did not heed to the demands of the hacker.

OpenAI was also able to verify that it detected the activities of the hacker who was using its models to carry out activities that were against its usage policies. The company issued an emailed statement that said it had blocked the accounts that were used by this opponent and appreciated the efforts of the outreach by Gambit Security since its tools have not responded to their requests.

Mexican Government Pushes Back, Partially

Mexican authorities have had a mixed reaction. Mexico tax evasion authority confirmed that it had viewed its access logs and that it could not trace a breach. The national electoral institute claimed that no violations and unauthorized access were detected in the recent months, and that it enhanced its cybersecurity roadmap. Jalisco state government also denied being breached saying that federal networks were the only ones affected.

The national digital agency of Mexico did not provide any commentary on the breaches, only stating that cybersecurity was a priority. An official of Monterrey Water and Drainage Services indicated that the agency did not identify any intrusions or significant vulnerabilities after the second half of 2025. The civil registry of Mexico City, the local government of Michoacan and Tamaulipas did not provide any response to inquiries.

Mexican officials had issued a short statement in December stating that they were investigating violations by multiple institutions of the state, but it is still unknown whether that was connected to the Claude attack.

Not First Time, Not Last Either

Gambit has not mentioned that the attack must have been carried out by a particular group and indicated that it does not think that the attacker is affiliated to a foreign government. Researchers noted that the attacker was after a great amount of the identities of government employees, but it is still not very clear what the attacker did with the data he stole. The campaign used at least 20 specific vulnerabilities.

Claude has also not been the first time Mexican breach has been featured in a nation-level cyberattack. In November 2025, Anthropic announced that it had stopped the initial AI-directed cyber-espionage effort, where alleged Chinese state-sponsored cybercriminals had infiltrated Claude into targeting 30 global targets.

The 2026 Global Threat Report of the CrowdStrike company published Wednesday, Feb 25, 2026, reported a 89% year-over-year rise in the number of AI-enabled adversary activities and a mean of 29 minutes of average breakout time in eCrime cases, the shortest time of 27 seconds was recorded.

“This fact is transforming everything in the game rules that we have never heard of,” said Alon Gromakov, the co-founder and the chief executive officer of Gambit.

Gambit was established by Gromakov and two former officers of the signals intelligence unit of the Israel Defense Forces, Unit 8200. The research of Wednesday was published, and the company has recently raised a new round of $61 million led by Spark Capital, Kleiner Perkins and Cyberstarts.

For 195 million Mexican taxpayers whose records have been turned over to unknown hands, just what to do next is the question ahead.