A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report
In February, we published our initial findings on the AI-assisted breach of Mexico's government infrastructure, warning of the elevated risk that AI-powered threat actors now pose. A single operator used AI to breach nine Mexican government organizations and exfiltrate hundreds of millions of citizen records. Today, we release the full technical report.
We delayed publishing the report at the request of all parties involved in order to allow more time for corresponding incident response efforts. Incident response efforts have now progressed such that we are ready to publish our detailed findings. The report was shared with all relevant parties well in advance of publishing, adjusting accordingly based on feedback received, including requests to de-risk elements of the report.
The report documents, from recovered forensic materials, how two commercial AI platforms - Anthropic’s Claude Code and OpenAI’s GPT-4.1 -were used as core operational tools throughout a campaign that ran from late December 2025 through mid-February 2026. Approximately 75% of remote command execution activity was generated and executed by Claude Code. A custom 17,550-line Python tool piped harvested server data through OpenAI’s API, producing 2,597 structured intelligence reports across 305 internal servers. The attacker’s recovered materials include over 400 custom attack scripts, 20 tailored exploits targeting 20 different CVEs, and 1,088 individually logged prompts generating 5,317 AI-executed commands across 34 sessions on live victim infrastructure.
The campaign compressed attack timelines below standard detection and response windows. It transformed raw reconnaissance data from hundreds of servers into structured intelligence, thus enabling a single operator to process volumes that would normally require a team. It turned unfamiliar systems into mapped targets and tailored exploits in hours, not days.
The AI-assisted methods documented here represent a significant evolution in offensive capability. The underlying vulnerabilities exploited, however, were addressable through standard security controls: patching, credential rotation, network segmentation, endpoint detection. Organizations that have deferred investment in technical debt, particularly for mission-critical systems, now face a fundamentally different threat environment. AI has collapsed the cost and complexity of reaching those systems. The gap between what attackers can do and what defenders can protect is widening.
