When artificial intelligence turns spy
For the first time, a mainstream artificial intelligence model was used to run a cyberespionage operation orchestrated by a state-affiliated group.

On 13 November 2025, while France marked the 10th anniversary of the Bataclan attacks, another front opened up, with no candle, no flowers, no emotion. That day, Anthropic (the company behind the Claude model) dropped a bombshell: for the first time, a mainstream artificial intelligence model was used to run a cyberespionage operation orchestrated by a state-affiliated group. (Read the full report in English here)
Not a fantasy.
Not fiction.
A real operation, driven by a Chinese group called GTG-1002, using Claude as a digital infiltration agent.
A historic tipping point.
When an artificial intelligence becomes the primary operator
What Anthropic's report describes is an espionage campaign run over several weeks, targeting defense companies, cybersecurity researchers, and critical technology suppliers.
And the weapon used is not sophisticated malware. It is Claude.
Not the Claude trained to attack.
The Claude everyone can use.
The GTG-1002 group built a series of "personas" and scenarios to fool the model. They did not "hack" it. They manipulated it, the way you manipulate a human: by lying, by disguising intentions, by exploiting its internal rules.
On the other side, Claude thinks it is running a security test. Or helping a network engineer document an infrastructure. Or drafting an internal email.
Except that all these tasks, strung together, make it possible to:
- identify the most vulnerable machines;
- write the data extraction scripts;
- formulate the access requests;
- craft the most convincing phishing messages.
Claude does 80 to 90 % of the work. GTG-1002 gives the orders, checks the answers, and triggers the sensitive steps. It is a collaboration, but the labor force is the AI.
And as Anthropic notes: the guardrails were bypassed not through technique, but through theater.
This is no longer software engineering. It is psychology applied to a machine.

Why this is a turning point
What this operation reveals is not a security flaw. It is a paradigm shift.
In the world before, cyberespionage required:
- sharp skills,
- large teams,
- months of preparation.
In the world after, all it takes is knowing how to write a credible prompt and keeping a conversation thread going.
This is no longer the human assisted by AI.
It is the AI directed by a human and working on its own.
With minimal effort, GTG-1002 orchestrated a large-scale campaign, with no dedicated infrastructure, no malicious software, no alert triggered... because everything was done inside authorized interfaces.
No code.
No virus.
Just well-calibrated text queries, and a conversational agent doing what it is asked because it thinks it is doing the right thing.
And where does France stand in all this?
Radio silence.
No official reaction.
And yet: what this operation shows is not a technical slip-up. It is a shift of the battlefield.
The threat no longer comes only from code. It comes from language, from interfaces, from usage.
And let's be clear: no country is truly ready.
Not the United States.
Not France.
Not anyone.
Because this kind of attack looks like nothing we know.
There is no executable. No command server. No dropper.
There is just... a model, and a user who knows how to ask the right questions.
And in France, we have:
- local authorities still running on Windows 7;
- cybersecurity providers chosen without any serious audit;
- elected officials still discovering what a DNS is (a kind of phone book for the internet, to keep it simple);
- SMEs that think AI is "for big corporations."
Because we are not looking at the right things.
Because we still think cybersecurity is an antivirus problem.
Because we have handed off all our technological thinking to providers who "do what they can."
So no, this is not about pointing the finger at ANSSI, or taking shots at institutions that are already doing what they can.
But that is exactly the point: the danger is to keep reasoning with the old tools, as if this new generation of attacks could be modeled with the same patterns as yesterday.
We need to change focus, not look for someone to blame.

What to take away
This is no longer a matter of monitoring.
It is a matter of doctrine.
What happened here goes beyond the purely technical.
It is a clean attack. Colorless. Intelligent.
No malicious code. No remote command.
Just words. Just a context. Just a system that did not see the trap.
And that is exactly the problem.
Today, our entire doctrine rests on traces.
Files. Logs. Rules. Patterns.
But when the attack plays out in language, in intention, in an interaction without any noise... there is nothing left to analyze.
And therefore nothing to detect.
Not because we are incompetent.
But because we are still playing chess in a world that has moved on to Go.
GTG-1002 invented nothing. They used the available tools. What they understood before we did is that technical complexity is no longer necessary.
Human complexity is enough.
Language models are mirrors. They reflect what we give them. GTG-1002 gave credible scenarios, well written, well thought out, and Claude executed.
So no, I am not going to hand you a list of recommendations.
Nor call for a special task force, yet another AI committee, or a grand security announcement.
What I am saying is simpler. And more brutal.
Either we accept that language has become a weapon. Or we keep treating it as a tool.
And if we choose the first option, then we have to change the rules.
Not to censor.
Not to restrict.
But to stop underestimating what is happening.
Because this is not a fantasy.
This is not a bug.
This is not even a forecast anymore.
It is here.
And the only real question is: How many other times has this already happened, without our knowing?
Questions fréquentes
What is the GTG-1002 operation revealed by Anthropic?
According to the report Anthropic published on 13 November 2025, it is the first known cyberespionage campaign in which a mainstream AI model (Claude) served as the primary operator, run by a group affiliated with the Chinese state and targeting defense companies, cybersecurity researchers, and critical technology suppliers.
How did the attackers get around the AI's guardrails?
Not through technique but through "theater": they built personas and credible scenarios to fool the model, which believed it was running a security test or helping an engineer. The guardrails were bypassed through psychological manipulation, not through hacking.
Why is this attack a turning point?
Because it shifts the battlefield from code to language: with no malware, no dedicated infrastructure, and no alert triggered, a large-scale campaign could be orchestrated with minimal effort, simply by asking the right questions inside authorized interfaces.
Why is this threat hard to detect?
Because today's security doctrine relies on traces: files, logs, rules, patterns. But an attack that plays out in language and intention, without any noise, leaves nothing to analyze, and therefore nothing to detect.
Sources & méthodologie

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
