Products are selected by our editors, we may earn commission from links on this page.
It began as a single intrusion but quickly escalated into a sweeping breach that exposed the growing power of AI in cybercrime.
Between late December 2025 and mid-February 2026, one attacker infiltrated nine Mexican government agencies, accessing vast amounts of sensitive data across federal, state, and municipal systems. The stolen information included taxpayer records, civil registry data, health records, and voter-related information, creating widespread risks ranging from identity theft to institutional compromise.
What made the incident stand out was not just the scale, but the pace. Researchers observed that the attacker operated with a speed typically associated with coordinated teams, highlighting how artificial intelligence can compress timelines and amplify the reach of a single operator.
AI as a Force Multiplier in Modern Cyberattacks
Central to the breach was the coordinated use of two AI systems—Claude Code and OpenAI’s GPT-4.1—each supporting different phases of the operation.
Claude Code was used during active intrusion. It assisted with generating and refining exploit scripts, executing commands, and supporting privilege escalation. Over the course of the attack, roughly 75% of remote command execution was handled through AI-assisted outputs, demonstrating how deeply the tool was embedded in the process.
At the same time, ChatGPT was used to automate reconnaissance and analysis. The attacker built a custom tool that processed data from compromised systems, including configurations, credentials, and server activity. This allowed the analysis of hundreds of internal servers and the generation of thousands of structured intelligence reports, removing a key bottleneck in traditional cyberattacks.
A Step-by-Step Campaign Driven by Automation
Although the attack followed familiar stages, each phase was accelerated through AI-assisted workflows. Preparation began before the first intrusion, with prewritten prompts and scripts ready for deployment. The attacker reportedly attempted to influence AI behavior by presenting the activity as legitimate security work, shaping how the systems responded during exploitation.
Once access was gained, the attacker rapidly moved to remote code execution, followed by lateral movement across networks. AI-assisted analysis helped identify valuable systems, credentials, and vulnerabilities, enabling efficient expansion of access. This process allowed the attacker to scale operations across multiple agencies without the delays typically seen in manual analysis.
By the final stages, the attacker had not only exfiltrated massive datasets but also developed tools to interact with live systems, including mechanisms for querying data and generating forged documents using real government information.
Why This Incident Signals a Broader Security Challenge
The breach is widely seen as an example of how AI is changing the nature of cyber threats—not by introducing entirely new techniques, but by accelerating existing ones. Tasks that once required significant time and expertise—such as exploit development, reconnaissance, and command execution—were completed faster and more consistently.
The attacker generated thousands of AI-assisted commands and processed large volumes of data in a fraction of the usual time, reducing the window for detection and response. At the same time, investigators emphasized that the underlying vulnerabilities were not advanced.
Outdated systems, unpatched software, weak credential practices, and limited network segmentation created the entry points. In many cases, standard security measures could have mitigated or prevented the breach. Looking ahead, the incident underscores a clear reality for cybersecurity teams: as AI continues to enhance the speed and scale of attacks, the importance of strong foundational defenses will only grow.