A small group of hacktivists is reported to have compromised the computers and networks of at least nine Mexican government agencies, stealing more than 195 million identities and tax records, along with vehicle registrations, and more than 2.2 million property records. The attackers reportedly used Anthropic's Claude and OpenAI's ChatGPT to infiltrate Mexico’s tax authority and eight other government organisations, with Gambit Security describing the operation in a blog post this week.
By masquerading as legitimate penetration testers, they bypassed the AI guardrails within 40 minutes, then leveraged the AI systems to identify assets, build tools, and exploit vulnerabilities. Gambit Security says the attackers remained in multiple systems for more than a month and left backdoors, while those behind the operation are described as hacktivists rather than pursuing financial motives.
Mexico authorities have not publicly confirmed the attack, and Anthropic has disrupted the activity and banned the accounts, according to Bloomberg. The disclosure underscores how AI-enabled tools are increasingly aiding attackers, even as defenders struggle to attribute such activity to specific actors.