In the January release of our ThreatDown 2025 State of Malware report, we made a prediction: 2025 would be the year adversaries use AI agents to launch their first autonomous cyberattacks.

The reasoning was simple. Cybercriminals targeting businesses face a scale constraint. Every intrusion relies on human operators who know how to break into networks, navigate systems, extract data, and run extortion campaigns. Their growth is limited by the number of skilled people they can put on an operation. But as agentic AI became more capable at the end of 2024, that limitation suddenly looked negotiable. These systems can interpret environments, make decisions, and execute multi-step operations without waiting for human direction.

We didn’t have to wait long for confirmation.

In August 2025, Anthropic documented the first case of an AI coding agent, Claude Code, supporting scaled data extortion operations. A single cybercriminal used the AI to conduct reconnaissance, harvest credentials, and automate network penetration across multiple international targets. The report’s key finding: “A single operator can achieve the impact of an entire cybercriminal team through AI assistance.”

Then, in November 2025, Anthropic released details of a further escalation: the first reported AI-orchestrated cyber-espionage campaign. This time, AI didn’t simply assist. The system executed up to 90% of tactical operations autonomously, across 30 targets, with minimal human involvement.

The methodology matters more than the attribution. Yes, this operation targeted technology companies and government agencies. Yes, investigators linked it to state-sponsored actors. But those details are secondary. What matters for organizations defending their networks is this: AI-orchestrated cyberattacks are real, operational, and will become cheaper and more sophisticated.

From assistance to orchestration in four months

The August case showed AI as a force multiplier. The actor tracked as GTG‑2002 used Claude Code to automate reconnaissance, credential harvesting, data analysis, and ransom‑note generation across 17 organizations in a single month. The AI functioned as an advanced tool, fast and efficient, but still under direct supervision of an operator. This alone represented a major shift: what once required a coordinated intrusion crew could now be done by an individual.

The November campaign, designated GTG-1002, marked the next stage. Human operators selected targets and set strategy. Nearly all tactical activity, including scanning, exploitation, lateral movement, and data operations, ran autonomously across multiple Claude Code agents. The operator intervened only at strategic decision points: approving the move from reconnaissance to active exploitation, authorizing use of stolen credentials for lateral movement, and making final calls about data exfiltration scope.

The system ran operations at physically impossible speeds for humans. The AI executed thousands of requests per second and kept session context stable for days. This structure kept complex intrusions active for long periods without manual rebuilds or coordination.

Why this matters: The scaling problem is gone

A key finding from the investigation was that attackers did not rely on sophisticated malware. Instead, they used standard penetration testing tools linked to automation frameworks—exactly the playbook practiced by human attackers. The power came from orchestration, not specialized code.

Ransomware and espionage groups have always struggled with scale. Skilled operators are scarce. Coordinated, multi‑stage attacks require expertise and time. That limitation has defined the threat landscape for more than a decade. The dozens of active ransomware groups have rarely managed more than a few hundred attacks between them in a month.

AI agents remove this barrier. In the GTG‑1002 campaign, a single operator targeted roughly 30 entities, with investigations validating multiple successful intrusions supported by autonomous AI agents. The AI maintained separate contexts for each target, adapted strategies based on discovered infrastructure, and independently progressed through attack phases.

This is a structural shift in how attacks can be carried out, and as models improve, adoption will grow.

AI hallucination as the last short-term speed bump

Anthropic’s report highlights a constraint that shapes near‑term adoption. AI systems still make operational mistakes that human operators must correct. Claude overstated findings at times and occasionally fabricated data during autonomous operations, such as claiming to have obtained credentials that didn’t work.

This limitation matters because it defines the only real friction cybercriminals face today. It slows them down, but not by much, and the friction is shrinking quickly. As models improve, error rates will fall. The barrier that remains is temporary, and it will not slow adversary adoption of autonomous attack methods for long.

What comes next

Sophisticated attackers once struggled to scale. Now, experienced groups can scale by adding agents to their workforce, and inexperienced or under‑resourced groups can attempt large‑scale operations with AI support. GTG‑1002 shows how quickly autonomy escalates. The August operations kept humans firmly in the loop. The November campaign needed far less human involvement despite its larger scope.

ThreatDown predicted this development in early 2025, and it has already arrived. AI agents can now carry out significant portions of cyberattacks, and the cost curve continues to drop.

This is the inflection point the industry needs to acknowledge. AI‑orchestrated operations are becoming a practical option for a much larger set of threat actors, and the skills required to run campaigns are dropping fast.

For the time being, malicious agents are using the same playbooks as human attackers, so organizations need to adapt for more and faster attacks, but not for novel tactics. Defenders must be ready to respond immediately to an increasing volume of Endpoint Detection and Response alerts, day or night, using services like ThreatDown’s Managed Detection and Response.