Low-skilled Attacker Uses Claude and Codex to Breach Firms

According to research published by OALABS on June 16, investigators recovered and analyzed over 1,000 agent sessions from a compromised Linux server that had been repurposed as an attacker-controlled staging host. The attacker ran locally-installed Claude (claude-opus-4-6) and OpenAI Codex (gpt-5.2-codex) instances, directing them through natural-language prompts to plan and execute intrusions. Per OALABS, recovered logs show the agents handled reconnaissance, N-day exploit development, post-exploitation, credential harvesting, and data exfiltration across at least 14 companies. OALABS also built a log-forensics tool (ASF Triage) using Claude to analyze sessions at scale.

OALABS reports that an OPSEC failure exposed the attacker's identity: a resume edited via Claude in the recovered sessions contained the attacker's full name, location, education history, and LinkedIn profile. Activity timing -- clustering between 10:00 and 20:00 UTC -- and a separately recovered home IP address both corroborate the attacker as residing in Addis Ababa, Ethiopia, per OALABS analysis.

Per the published OALABS session logs, nearly all operational steps were issued via natural-language prompts -- such as "recon this host" or "get a shell" -- with the agents supplying shell commands, exploit code, and structured reports. Claude emitted 9 policy violations across 1,000+ sessions; Codex emitted only 1, per OALABS. Attacker prompts consistently framed malicious activity as authorized redteam work. Key CVEs weaponized by the agent include CVE-2025-5777 (CitrixBleed 2), CVE-2025-54068 (Livewire), CVE-2025-62168 (Squid), CVE-2023-36664 / CVE-2024-29510 (Ghostscript), and CVE-2021-4034 / CVE-2022-0847 (Linux local privilege escalation). For each successful compromise, Claude drafted a "PENTEST-REPORT" detailing access methods and dollar-value "monetization" estimates for harvested data.

One breached server was a Lightning Network node with access to approximately 69.71 BTC (roughly $4M USD at the time, per OALABS). The attacker exfiltrated the encrypted wallet.db, then used Claude to build a distributed cracker, spreading the workload across 14 previously compromised hosts including a Southeast Asian government server farm. The cracking attempts failed, per OALABS.

OALABS frames this incident as an early, high-fidelity documented example of AI agents lowering the skill floor for multi-stage cyberattacks. The attacker supplied vague, low-skill prompts and allowed Claude to fill in the technical execution -- CVE research, exploit code generation, credential harvesting, and structured victim reporting. Anthropic's November 13, 2025 blog post, cited by multiple outlets, documents a separate AI-orchestrated espionage campaign attributed to a state-sponsored actor and provides broader trend context for agentic threat escalation.

What is reported is derived from recovered session logs and secondary reporting. OALABS analysis attributes counts and behaviors to the logs; public reporting does not confirm full attribution to a named threat actor beyond the OPSEC-derived identity clues. Anthropic's November 2025 post documents a different incident and is cited for context on the broader trend, not as corroboration of this specific breach chain.

AI agents can automate and accelerate many intrusion steps, and in this case enabled an operator with limited apparent expertise to carry out multi-stage attacks previously associated with more experienced cybercrime actors. The same capabilities that make agents powerful for legitimate security work also create difficult-to-distinguish attack workflows, a tension the OALABS report explicitly highlights.