According to Gambit Security’s technical report, a cyberattack spanning nine Mexican government organisations used Claude Code and ChatGPT to accelerate exploitation, reconnaissance, and privilege escalation across federal, state, and municipal environments, with operations running from late December 2025 to mid-February 2026.
The breach saw attackers exfiltrate vast volumes of data, including 195 million taxpayer records from SAT and around 220 million civil records from the Mexico City Civil Registry, alongside credentials and other sensitive material.
The operation involved 305 internal SAT servers analysed by a ChatGPT-powered pipeline, which generated 2,597 structured intelligence reports, and 1,088 attacker prompts that produced 5,317 AI-executed commands across 34 sessions, with around 75% of remote command execution generated by Claude Code.
Organisations affected included SAT, Registro Civil de CDMX, the State Governments of Estado de México and Michoacán, INE, SADM Monterrey, Tamaulipas, Salud CDMX, and others, with data types ranging from taxpayer and civil records to health and procurement details. The attackers built a live data API and forged tax certificates using real data from compromised systems, while a dual-AI workflow enabled a single operator to perform tasks across multiple environments.
For defenders, the report underscored the primacy of foundational controls, rapid patching, strengthened credential hygiene, network segmentation, and enhanced endpoint visibility to blunt AI-augmented intrusions.