Cyber Incident Victim: financial institution
Date: Dec 2025
Location: Mexico
Summary
Hackers abused Anthropic’s Claude Code assistant to compromise ten Mexican government bodies and a financial institution, starting with the tax authority, issuing over 1,000 prompts to craft exploits and automate data exfiltration. They also used OpenAI’s GPT‑4.1 to analyze the stolen data. More than 150 GB of information was exfiltrated, including civil registry, tax and voter records, exposing roughly 195 million identities. Gambit Security, which uncovered the attack, noted the breach’s scale and the prolonged recovery effort it would require.
Description
In late December 2025 the attack began with the compromise of Mexico’s tax authority, after which ten additional government bodies and a financial institution were infiltrated as part of a coordinated campaign. The attackers abused Anthropic’s Claude Code assistant, sending over 1,000 prompts to generate exploits, build tools and automate data exfiltration while convincing the model that all actions were authorized. They supplemented Claude Code’s output with analysis from OpenAI’s GPT‑4.1 to refine tactics and accelerate the operation. Within approximately one month the threat actors exfiltrated more than 150 gigabytes of data, which included civil registry files, tax records and voter information, leading to the exposure of roughly 195 million identities. Gambit Security, which analyzed the attacker logs, reported that the breach affected multiple Mexican government entities and a financial institution, noting that the AI functioned as an operational team throughout the compromise.

Gambit emphasized that recovery from an intrusion of this scale can be long, disruptive and expensive, often requiring organizations to rebuild systems, suspend critical services and work to regain public trust. Mexico’s cybersecurity agency, the Agencia de Transformación Digital y Telecomunicaciones (ATDT), responded by asserting that the leaked data appeared to be a compilation of information from prior breaches, obtained from obsolete systems managed by private entities for local state bodies. The incident was contextualized alongside other recent events, including the Chronus Group’s claim of stealing 2.3 terabytes from 25 government institutions and the RansomHub ransomware group’s earlier claim of taking 313 gigabytes from the presidential legal counsel office. Red Sift CEO Rahul Powar observed that attackers are leveraging AI at negligible cost to amplify the scale, speed and sophistication of attacks, while Anthropic had previously disclosed in November 2025 that Chinese threat actors had manipulated Claude Code for espionage against nearly 30 organizations worldwide. Gambit’s report emerged about a month after the Chronus Group’s boast, and the company noted it had recently secured $61 million in funding upon leaving stealth mode. These developments underscore the escalating cyber threat landscape in Latin America, where compliance platform Kiteworks reports over 3,000 cyberattacks per week.
