Incident 1201: Anthropic Reportedly Identifies AI Misuse in Extortion Campaigns, North Korean IT Schemes, and Ransomware Sales

Description: In August 2025, Anthropic published a threat intelligence report detailing multiple misuse cases of its Claude models. Documented abuses included a large-scale extortion campaign using Claude Code against at least 17 organizations, fraudulent remote employment schemes linked to North Korean operatives, and the development and sale of AI-generated ransomware. Anthropic banned the accounts, implemented new safeguards, and shared indicators with authorities.

Editor Notes: For the full Anthropic Threat Intelligence report, please refer to this URL: https://www-cdn.anthropic.com/b2a76c6f6992465c09a6f2fce282f6c0cea8c200.pdf. See also Incidents 1054 and 1116.

Tools

New Report New Response DiscoverView History

Entities

View all entities

Alleged: Anthropic developed an AI system deployed by Unknown cybercriminals , Ransomware-as-a-service actors , North Korean IT operatives and Government of North Korea, which harmed Truth , Religious institutions , National security and intelligence stakeholders , Healthcare organizations , Government agencies , General public , Fortune 500 technology companies , Epistemic integrity , Emergency services and Consumers targeted by ransomware.

Alleged implicated AI systems: LLM-enhanced ransomware toolkits , Claude Code , Claude and Agentic AI system

Incident Stats

Incident ID

1201

Report Count

Incident Date

2025-08-27

Editors

Daniel Atherton

Applied Taxonomies

MIT

MIT Taxonomy Classifications

Machine-Classified

Taxonomy Details

Risk Subdomain

4.2. Cyberattacks, weapon development or use, and mass harm

Risk Domain

Malicious Actors & Misuse

Entity

Human

Timing

Post-deployment

Intent

Intentional

Incident Reports

Reports Timeline

Detecting and countering misuse of AI: August 2025

anthropic.com

Anthropic Disrupts AI-Powered Cyberattacks Automating Theft and Extortion Across Critical Sectors

thehackernews.com

Hacker Used Claude AI to Automate Reconnaissance, Harvest Credentials and Penetrate Networks

thecyberexpress.com

anthropic.com · 2025

We've developed sophisticated safety and security measures to prevent the misuse of our AI models. But cybercriminals and other malicious actors are actively attempting to find ways around them. Today, we're releasing a report that details …

thehackernews.com · 2025

Anthropic on Wednesday revealed that it disrupted a sophisticated operation that weaponized its artificial intelligence (AI)-powered chatbot Claude to conduct large-scale theft and extortion of personal data in July 2025.

"The actor targete…

thecyberexpress.com · 2025

A hacker used a popular artificial intelligence chatbot to run a cybercriminal operation that weaponized AI---deploying Claude AI Code not just as a copilot, but as the driver of an entire attack chain.

In a campaign, detailed in Antropic A…

Variants

A "variant" is an AI incident similar to a known case—it has the same causes, harms, and AI system. Instead of listing it separately, we group it under the first reported incident. Unlike other incidents, variants do not need to have been reported outside the AIID. Learn more from the research paper.

Seen something similar?

Similar Incidents

Selected by our editors

North Korea-Linked Actors Allegedly Use AI Executive Deepfakes in Zoom Phishing Targeting Web3 Employee

Jun 2025 · 1 report

Previous Incident Next Incident

Similar Incidents

Selected by our editors

North Korea-Linked Actors Allegedly Use AI Executive Deepfakes in Zoom Phishing Targeting Web3 Employee

Jun 2025 · 1 report