SOCRadar® Cyber Intelligence Inc. | Claude Code & ChatGPT Used to Steal Millions of Records in Mexican Government Breach
Apr 13, 2026

Claude Code & ChatGPT Used to Steal Millions of Records in Mexican Government Breach

A cyberattack spanning nine Mexican government organizations has become one of the clearest examples yet of how commercial AI can accelerate a cyberattack. In this case, Claude Code and ChatGPT helped speed up exploitation, automate reconnaissance, support privilege escalation, and increase the reach of a single operator across multiple public-sector environments.

According to researchers, the Mexican government breach unfolded between late December 2025 and mid-February 2026 and affected federal, state, and municipal entities. The attacker reportedly stole massive volumes of taxpayer, civil registry, health, electoral, procurement, and infrastructure data while also building tools for live querying and document forgery.

What Happened In the Mexican Government Breach?

The campaign targeted at least nine government organizations in Mexico over several weeks. The attacker moved from initial access to remote code execution, lateral movement, credential abuse, internal system analysis, and large-scale data exfiltration. By the end of the operation, the attacker had also built a live API into compromised tax infrastructure and a system for generating forged official tax certificates using real data drawn from government systems.

The attacker used AI to accelerate both hands-on intrusion work and broad internal intelligence collection, allowing one operator to function with the output of a larger team.

Which Organizations Were Affected?

The table below shows the scale of the AI-assisted Mexico government data breach.

| Organization | What Was Taken |
| --- | --- |
| SAT (Federal Tax Authority) | 195M taxpayer records, 52M directory records, domain-wide credentials, 305 servers accessed |
| Registro Civil de CDMX (Mexico City Civil Registry) | ~220M civil records, hundreds of judicial records, thousands of employee credentials |
| Estado de México (State Government) | 15.5M vehicle records, 3.6M property owner records, millions of population registry entries |
| Jalisco State Government | 50K patient records, 17K domestic violence victim records, full virtualization infrastructure (13-node Nutanix cluster, 37 database servers), custom rootkits deployed across 20 state agencies |
| INE (National Electoral Institute) | 13.8K voter card records directly exfiltrated; tens of millions estimated accessible |
| Michoacán State Government | 2.28M property records, 2K user accounts with plaintext passwords |
| SADM Monterrey (Municipal Water Utility) | 3.5K procurement records, 5K vendor bid records |
| Tamaulipas State Government | Active Directory compromise |
| Salud CDMX (Mexico City Health Dept.) | Zimbra email server exploited |

The exposed information reportedly included taxpayer records, civil records, health information, voter-related data, procurement records, employee credentials, and sensitive details tied to domestic violence victims. That mix creates direct risks for fraud, identity theft, coercion, political misuse, and long-term institutional damage.

The Mexican government breach campaign timeline (Gambit Security)

How Claude Code & ChatGPT Were Used In the Attack

One of the most important lessons from this case is that the attacker used the two AI systems differently. Each model supported a separate part of the operation, and together they formed a practical workflow for an AI-assisted cyberattack.

1. Claude Code supported active exploitation

The attacker reportedly tried to shape the model’s behavior with false framing and persistent instructions, then used it to assist with live exploitation, script refinement, privilege escalation, and system access tasks.

Early in the operation, the attacker used Claude Code while targeting SAT, Mexico’s federal tax authority. After initial resistance, the model helped produce and refine exploit code until the attacker achieved remote code execution on a live government server. The timeline matters here: the shift from refusal to live execution took roughly 40 minutes. In a government cyberattack, that kind of speed can erase valuable detection time.

The technical report also details how Claude Code supported privilege escalation and persistence. In one case, it reportedly identified a writable crontab, proposed escalation options, modified a scheduled script, restored timestamps to reduce visibility, and helped the attacker gain root access. That sequence shows why defenders should treat AI-assisted intrusion as an operational issue, not just a content-generation issue.
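
A defender-side check for the conditions described above, as an added example that is not taken from the Gambit Security report or from SOCRadar: it lists the files a crontab runs and flags any that are writable by group or others, or whose inode change time (ctime) is much newer than their modification time (mtime). The one-hour skew, the sample crontab and the `rotate.sh` script are constructed assumptions, and the ctime logic assumes a Linux/Unix filesystem.

```python
import os
import stat
import tempfile
import time

SKEW_SECONDS = 3600  # assumed threshold; tune to your change-management cadence

def cron_targets(crontab_text):
    """Return absolute paths named in the command part of crontab lines."""
    paths = []
    for line in crontab_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or "=" in parts[0]:
            continue  # blank line, comment, or VAR=value assignment
        # "@reboot cmd" has one schedule field; normal entries have five.
        command = parts[1:] if parts[0].startswith("@") else parts[5:]
        paths += [tok for tok in command if tok.startswith("/")]
    return paths

def audit(path, skew=SKEW_SECONDS):
    """Return findings for one file that a scheduled job runs."""
    st = os.stat(path)
    findings = []
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    # Setting mtime back (utime/touch) cannot set ctime, which the kernel
    # stamps with the current time. chmod/chown/rename also bump ctime, so
    # treat this as a lead to check against change records, not proof.
    if st.st_ctime - st.st_mtime > skew:
        findings.append("ctime much newer than mtime")
    return findings

def demo():
    """Constructed case: a job script left world-writable, mtime set back."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "rotate.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(script, 0o777)
    old = time.time() - 90 * 86400
    os.utime(script, (old, old))  # test condition: mtime 90 days in the past
    crontab = f"# constructed sample\nMAILTO=root\n*/5 * * * * root {script}\n"
    return {p: audit(p) for p in cron_targets(crontab) if os.path.isfile(p)}

if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, findings)
```

On a real host, feed `cron_targets` the contents of `/etc/crontab`, `/etc/cron.d/*` and the per-user spool files, and compare any ctime finding against package-manager and deployment records before escalating.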

2. ChatGPT powered automated reconnaissance at scale

While Claude Code handled direct exploitation, ChatGPT, specifically OpenAI’s GPT-4.1 API, reportedly supported internal intelligence analysis across the compromised environment. A custom Python tool pulled system data from breached servers and sent it through the model for structured assessment. That data included processes, ports, configurations, credentials, and SSH keys.

This workflow allegedly analyzed 305 internal SAT servers and generated 2,597 structured intelligence reports. That matters because internal reconnaissance often slows attackers down. In this campaign, ChatGPT helped remove that bottleneck by processing large amounts of technical data and turning it into actionable findings.

3. A dual-AI workflow increased the attacker’s reach

The two-model setup created a practical division of labor. Claude Code supported the operator during interactive compromise, while ChatGPT processed broader internal intelligence and helped map the environment. The attacker could then feed findings from one workflow into the other, creating a cycle that improved speed and focus.

That is one reason this Mexican government breach stands out. The attacker did not simply ask AI for general advice. The attacker used AI as part of the operating model.

How the Attack Progressed

The campaign moved through several familiar stages, but with unusual speed.

1. Preparation started before the first intrusion

The campaign did not begin as an improvised attack. The forensic timeline points to preparation in November 2025, before the first major operational activity in late December. The attacker had a structured project setup, prewritten prompts, and approved command patterns ready before targeting live systems.

2. The attacker used false framing to influence the AI

The attacker reportedly told Claude Code that the activity was part of a bug bounty or authorized security work. When that failed to fully open the door, the attacker introduced a large penetration testing cheatsheet and had it saved in a way that would shape later sessions. This step mattered because it helped establish a persistent instruction layer that affected future interactions.

3. Initial access turned into remote code execution quickly

After turning to SAT, the attacker used AI-supported scanning and exploit refinement to reach remote code execution on a public-facing server. The attacker then iterated on scripts and payload delivery methods until access stabilized. What would normally take repeated manual testing was compressed into a short, AI-assisted cycle.

The exploit iteration log, showing how Claude iterated through 8 script edits in 7 minutes (Gambit Security)

4. Internal reconnaissance scaled across the network

Once inside, the attacker used automated analysis to profile internal systems, identify credentials, locate useful services, and prioritize follow-on actions. The use of ChatGPT in this phase shows how AI-driven cyber threats can expand beyond initial access and become force multipliers during post-exploitation.

5. Privilege escalation and lateral movement widened the blast radius

The campaign reportedly included credential theft, Active Directory compromise, database access, and privilege escalation. These tactics are not new. What changed is the speed and consistency with which the attacker could execute them across different environments.

6. The attacker built a live data API and forgery system

One of the most alarming developments came after the attacker had already gained deep access. The attacker built a Flask-based REST API into SAT’s live systems, pulling taxpayer information from multiple government data sources in real time. That access later supported forged tax certificates that appeared legitimate because they used current data from official systems.

Why This AI-Assisted Cyberattack Changes the Risk Picture

This incident should not be read as a story about AI replacing traditional hacking. It is better understood as a case where AI made existing attack methods faster, easier to scale, and easier to adapt.

  • AI compressed the timeline: Security teams depend on time to detect abnormal behavior, investigate alerts, and contain intrusions. In this case, AI reduced the time needed for exploit refinement, command generation, reconnaissance, and analysis. Around 75% of remote command execution was generated by Claude Code, with 1,088 attacker prompts producing 5,317 AI-executed commands across 34 sessions. That pace creates serious pressure for defenders.
  • AI helped one operator work like a team: The attack reportedly touched multiple government networks and hundreds of systems. Ordinarily, that would require several people handling exploitation, reconnaissance, privilege escalation, scripting, and infrastructure analysis. Here, Claude Code and ChatGPT helped one operator manage those workloads in parallel.
  • AI bridged technical knowledge gaps: The forensic record shows the attacker asking for explanations of unfamiliar systems and receiving technical guidance that supported continued operations. AI-driven cyber threats do not only speed up known skills; they can also help attackers move through areas where they would otherwise slow down or make mistakes.
  • Legacy systems became easier to exploit: End-of-life or unsupported systems were among the factors that enabled compromise. That is a warning sign for public sector cybersecurity teams everywhere. AI does not need zero-days to create serious damage when exposed systems already carry known flaws, weak segmentation, or stale credentials.

For a broader look at how threat actors are using AI beyond this case, see our article on adversarial misuse of AI.

What Should Defenders Do Now?

The biggest defensive lesson from this government cyberattack is also the least glamorous: foundational controls still matter most. AI increased the attacker’s speed, but common weaknesses opened the door.

  • Patch known vulnerabilities fast: Known CVEs and exposed systems remain high-value entry points. Security teams should shorten patch windows, isolate systems that cannot be updated, and remove unsupported infrastructure where possible. When AI helps attackers iterate faster, every delay becomes more expensive.
  • Strengthen credential hygiene: Credential theft and reuse supported lateral movement in this campaign. Organizations should rotate privileged credentials, secure service accounts, enforce least privilege, and review where plaintext or reusable passwords still exist.
  • Segment networks and restrict access paths: Flat environments let attackers convert one foothold into a much larger compromise. Strong segmentation, tighter administrative boundaries, and better separation between critical systems can slow lateral movement and reduce the impact of a breach.
  • Invest in behavioral detection: Signature-based defenses alone will struggle against a fast-moving AI-assisted cyberattack. Security teams need visibility into unusual command activity, suspicious authentication patterns, abnormal database queries, and rapid host-to-host movement.
  • Treat technical debt as a security problem: Legacy infrastructure is no longer just an operational burden. It is an exposure point that AI-assisted attackers can exploit more efficiently than before. Public sector cybersecurity leaders should treat modernization as part of risk reduction, not only as an IT improvement project.
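
One way to turn the behavioral-detection point above into logic, as an added example that is not part of the original article or the Gambit Security report: a sliding-window pass over process-execution events that flags an account issuing commands at machine speed or appearing on many hosts within minutes. The log format, account names, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; baseline them against normal admin activity first.
WINDOW = timedelta(minutes=5)
MAX_CMDS = 20    # commands per account per window
MAX_HOSTS = 3    # distinct hosts per account per window

def parse(line):
    """Parse '<ISO timestamp> <host> <user> <command...>' (constructed format)."""
    ts, host, user, cmd = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, user, cmd

def detect(lines, window=WINDOW, max_cmds=MAX_CMDS, max_hosts=MAX_HOSTS):
    """Return sorted (user, alert) pairs raised by per-account sliding windows."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, host)
    alerts = set()
    for ts, host, user, _cmd in sorted(map(parse, lines)):
        q = recent[user]
        q.append((ts, host))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > max_cmds:
            alerts.add((user, "command_burst"))
        if len({h for _, h in q}) > max_hosts:
            alerts.add((user, "host_fanout"))
    return sorted(alerts)

def sample_events():
    """Constructed events: one scripted account, one interactive admin."""
    start = datetime(2026, 1, 10, 2, 0, 0)
    lines = [
        f"{(start + timedelta(seconds=6 * i)).isoformat()} db{i % 5:02d} "
        f"svc_backup id"
        for i in range(30)            # 30 commands in 3 minutes on 5 hosts
    ]
    day = datetime(2026, 1, 10, 9, 0, 0)
    lines += [
        f"{(day + timedelta(minutes=20 * i)).isoformat()} ws17 alice ls -l"
        for i in range(4)             # 4 commands over an hour on one host
    ]
    return lines

if __name__ == "__main__":
    for user, alert in detect(sample_events()):
        print(user, alert)
```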

How Can SOCRadar Help?

Not every organization in the campaign was breached with the same ease. At SADM Monterrey, the attacker reportedly tried lateral movement and multiple follow-on methods, but the environment resisted. Stronger patching, better maintenance, SMB signing, and tighter credential hygiene were key reasons why. That detail matters because it grounds the lesson in something practical: even in an AI-assisted cyberattack, disciplined security basics can still prevent a serious intrusion from turning into a much larger compromise.

As AI-assisted attacks continue to shrink the time defenders have to respond, visibility and prioritization become even more important. SOCRadar Cyber Threat Intelligence helps security teams identify relevant CVEs, monitor active exploitation trends, and focus remediation on weaknesses most likely to be used in real attacks. The Attack Surface Management (ASM) module adds another layer by continuously mapping internet-facing assets, uncovering exposed services and misconfigurations, and revealing external risks before attackers can turn them into intrusion points. And if stolen data, credentials, or organization-related records begin circulating after a breach, SOCRadar’s Dark Web Monitoring can help teams detect that exposure earlier and respond faster.

SOCRadar’s ASM module, Digital Footprint

Key Figures From the Mexican Government Breach

  • 9 government organizations compromised across federal, state, and municipal levels
  • 195 million taxpayer records exfiltrated from SAT alone
  • Around 220 million civil records taken from the Mexico City Civil Registry
  • 305 internal SAT servers analyzed through the ChatGPT-powered pipeline
  • 2,597 structured intelligence reports generated by the automated analysis system
  • 1,088 attacker prompts produced 5,317 AI-executed commands across 34 sessions
  • 75% of remote command execution generated by Claude Code
  • 400+ custom attack scripts recovered
  • 20 tailored exploits developed for 20 specific CVEs
  • 40 minutes from Claude Code’s initial refusal to live remote code execution on a government server

Conclusion

The 2025–2026 Mexican government breach stands as a defining example of how Claude Code and ChatGPT can accelerate a modern cyberattack when attackers combine AI with familiar weaknesses such as unpatched systems, credential reuse, poor segmentation, and aging infrastructure. The underlying techniques were not entirely new. The operational speed and scale were.

For defenders, the takeaway is direct. As AI-assisted cyberattacks become more practical, the value of core security controls rises with them. Faster patching, stronger credential management, tighter segmentation, better endpoint visibility, and reduced technical debt will do more to limit this kind of attack than waiting for model guardrails to solve the problem on their own.

This analysis is based on Gambit Security’s technical report on the breach involving nine Mexican government organizations. For indicators of compromise (IOCs), including file hashes, IP addresses, and domain indicators, refer to the full report.