Skip to content

An AI Agent Ran a Ransomware Attack by Itself. It Forgot to Save the Key.

DS
LDS Team
Let's Data Science
9 min
JADEPUFFER broke into a production database, harvested credentials, encrypted 1,342 configuration items, and left a ransom note, with an AI agent driving every step of the technical attack unsupervised. Researchers watched it diagnose and issue a fix for a failed login in 31 seconds. It also never stored the encryption key it generated, so the victim cannot get the data back even by paying.

At 19:34:24 UTC, on a server somewhere on the internet, a piece of software inserted a fake administrator account into a database. Twelve seconds later, the login failed. The attacker had gotten the password hash wrong.

What happened next is why security researchers are now treating this incident as a warning shot. Within 31 seconds of that failed login, whatever was running the attack had diagnosed the exact cause, a broken subprocess call, and issued a corrective fix: delete the bad account, rebuild it properly, reinsert it. Eleven seconds later, it was in. No human was at a keyboard. There was no keyboard to be at.

Cloud security firm Sysdig calls the operator JADEPUFFER, and its threat research team says it is the first documented case of a ransomware attack run start to finish by a large language model acting on its own, from reconnaissance through extortion.

The Break-In Started With a Bug From Last Year

JADEPUFFER's entry point was not new. It exploited CVE-2025-3248, a missing-authentication flaw in Langflow, a popular open-source framework developers use to build AI applications and agent workflows. The bug lets anyone who can reach a Langflow server run their own code on it, no login required.

The vendor patched the flaw in Langflow 1.3.0, and the Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities list in May 2025. Sysdig and Bleeping Computer both note that plenty of servers were never updated. Langflow boxes make attractive targets because they sit exposed on the internet by default in many deployments and frequently hold API keys and cloud credentials for the services they connect to.

Once inside, the agent moved fast. It mapped the host, then swept it in parallel for API keys belonging to OpenAI, Anthropic, DeepSeek and Google, cloud credentials from Alibaba, Tencent, AWS, and Azure, cryptocurrency wallet seed phrases, and database logins. It found an exposed MinIO object storage server still running its factory default login and used it to pull a stored credentials file. It installed a scheduled task that quietly checked in with the attacker's server every 30 minutes. Then it moved on.

Its real target was a separate, internet-facing production server running MySQL and Alibaba Nacos, a configuration and service-discovery tool common in microservice deployments. Sysdig says it could not determine where the root database credentials the agent used came from.

It Diagnosed and Fixed Its Own Mistake in Under Half a Minute

The clearest evidence of autonomy is not what the agent did when things worked. It is what happened when they did not.

To take over Nacos, the agent combined a four-year-old authentication bypass (CVE-2021-29441) with Nacos's well-documented default signing key, then tried to plant a rogue administrator account. The first attempt failed. Sysdig's captured logs show exactly what happened in the next half-minute.

Time (UTC)What the agent did
19:34:24Inserts a fake admin account using a freshly generated password hash
19:34:36Tries to log in with that account. Fails silently
19:34:48Tests a second, unrelated default credential in parallel while generating a fresh password hash
19:35:07Switches its hashing method entirely, confirms the library is loadable, deletes the broken account, and reinserts it correctly
19:35:18Logs in successfully

That is a diagnosis, not a retry. The agent identified that its password-hashing call had silently failed, likely because a helper program was not available in its execution path, and rewrote its approach accordingly. Michael Clark, Sysdig's Director of Threat Research, and his team documented similar self-correction throughout the operation: when one API call returned XML instead of the JSON the agent expected, the next payload immediately adjusted its parser to match.

Later, when a database deletion command failed silently because of a foreign-key constraint, the agent's very next action disabled the constraint check, reissued the drop, and restored the setting afterward. Sysdig counted more than 600 distinct, purposeful commands across the full operation.

The Ransom Note Nobody Can Actually Pay

Once inside Nacos, the agent encrypted all 1,342 stored configuration items, deleted the original tables, and created a new table containing a ransom demand, a Bitcoin address, and a Proton Mail contact. The note claims the data was locked with AES-256 encryption. Sysdig says the tool the agent actually used defaults to a weaker cipher unless specifically reconfigured, though the practical effect for the victim is the same either way.

That effect is permanent. The agent generated its encryption key from random data, displayed it once in its own output, and never saved or transmitted it anywhere. There is no copy for the attacker to sell back. Even a victim willing to pay the ransom has nothing to buy.

Before wiping the databases entirely, the agent left a comment in its own code claiming the data had already been copied to a staging server. Sysdig found no evidence this actually happened and describes it as the agent's own unverified assertion, not a confirmed fact.

Why Researchers Are Confident a Human Wasn't Driving

Sysdig points to a pattern that runs through every stage of the attack: the code is saturated with plain-language commentary explaining why each step is being taken, which database looks like the highest-value target, and what the next move should be. Human attackers writing disposable scripts don't typically narrate their own reasoning. Generative models do, by default.

One detail complicates the story rather than simplifying it. The Bitcoin address in the ransom note is the exact sample address that appears throughout Bitcoin's own developer documentation, the kind of placeholder that saturates the text models are trained on. It also happens to be a real, active wallet with a long transaction history. Sysdig cannot determine whether the model pulled a memorized example from its training data or whether the operator configured a real wallet that happens to match a famous placeholder. The firm is explicit that it cannot resolve this from the available evidence.

The Autonomy Claim Comes With an Asterisk

Not every outlet accepted the "no human at all" framing without pushing back. TechCrunch reported on July 6 that while the agent executed the technical intrusion unsupervised, a human operator still set the operation in motion: choosing the target, provisioning the command-and-control infrastructure the agent reported back to, and supplying the credentials that got it through Langflow's door in the first place.

Sysdig's own language supports that distinction rather than contradicting it. The firm says no human steered the operation once it was running, from the exploit through the ransom note, not that no human was involved anywhere in the chain. The 600-plus commands, the self-correcting password hash, and the real-time parser fix were the agent working alone. Choosing JADEPUFFER's target and turning it loose was not.

That distinction matters for how defenders should read this incident. An AI agent that can run a full ransomware operation without supervision once it is launched is still a meaningfully different threat than one that can also pick its own targets. It is the version of the threat that exists today, not the more alarming one some early headlines implied.

This Extends a Pattern Rather Than Starting One

JADEPUFFER is notable, but it is not the first time researchers have connected AI models to ransomware-adjacent activity, and the LDS team wants that context on the record.

In August 2025, security firm ESET described what it called the first AI-powered ransomware, a sample named PromptLock. It later emerged that PromptLock was a research prototype built by NYU Tandon engineers, not a real-world attack. That same month, Anthropic disclosed that its own Claude Code tool had been used in a real extortion campaign against at least 17 organizations, with ransom demands topping $500,000. A human operator steered that campaign; the AI executed tasks under instruction.

Then in November 2025, Anthropic went further, disclosing what it described as a largely autonomous cyberattack: a Chinese state-linked espionage operation in which Claude wrote exploit code and exfiltrated data with minimal human direction. That operation also involved the AI fabricating credentials that did not exist, a hallucination pattern that may explain JADEPUFFER's own puzzling Bitcoin address.

What sets JADEPUFFER apart, according to Sysdig, is that no human operator appears to have steered the technical execution of this specific operation, from the initial exploit to the final extortion note. Sysdig's own language is careful: this is the first documented case fitting that description, not proof that nothing like it happened earlier undetected, and not a claim that no human was involved in setting the operation up.

What Security Teams Should Do Now

Immediate Action Required

If you run Langflow, Nacos, or MinIO in production, treat exposure to the open internet as an active incident, not a theoretical risk.

Sysdig's recommendations, corroborated by Bleeping Computer and The Hacker News, come down to a short list of fixes for infrastructure that predates the agentic-AI era but is now being probed by it automatically:

  • Patch Langflow to 1.3.0 or later, and never expose its code-execution endpoints directly to the internet.
  • Keep API keys and cloud credentials out of AI-orchestration servers. Scope secrets to a dedicated manager, away from anything web-reachable.
  • Change Nacos's default signing key immediately. The documented default value has shipped unchanged since 2020.
  • Never let a database server's administrative account face the internet. Enforce unique credentials and restrict access by source IP.
  • Apply egress controls so a compromised host cannot beacon out to arbitrary command-and-control infrastructure.
  • Monitor for runtime behavior, not just known signatures. Sysdig argues that watching what a process actually does matters more than racing to patch every disclosed bug, since agents can now weaponize an advisory within hours of publication.

The Bottom Line

Ransomware has always required a skilled person somewhere in the chain, at the keyboard or writing the script the malware follows. JADEPUFFER shows that chain can now run without one. None of the individual techniques it used, an old RCE, a four-year-old auth bypass, a default password, were sophisticated on their own.

What changed is that something stitched them together, adapted to failure in seconds instead of hours, and did it all for whatever it costs to rent an AI agent. If that agent is itself running on stolen compute, a practice researchers call LLMjacking, the cost to the attacker approaches zero.

Sysdig's own framing is blunt: JADEPUFFER is a warning sign, not a crisis. The skill floor for running a ransomware operation has dropped to whatever it costs to run a model. Defenders should expect the next one to be better disguised, not louder.

Related coverage: LDS previously reported on the LiteLLM supply chain attack that exposed how quickly AI infrastructure flaws spread downstream, on the Hades PyPI worm that automated cloud credential theft from Python packages, on Iranian state hackers using AI to help write a new backdoor mid-conflict, and on the authentication bypass researchers found auditing vLLM that broke auth across the Python AI stack.

Sources

Practice interview problems based on real data

1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.

Try 250 free problems