Between late December 2025 and mid-February 2026, a single operator used two consumer AI subscriptions — Anthropic’s Claude Code and OpenAI’s GPT-4.1 — to systematically compromise nine Mexican government agencies, exfiltrate roughly 150 GB of data, and expose approximately 195 million taxpayer records. No team. No nation-state. Six weeks. Researchers at Gambit Security published the full technical report on April 10, 2026, documenting 305 compromised internal servers, over 400 custom attack scripts, 20 tailored exploits targeting 20 different CVEs, and 1,088 individually logged operator prompts that produced 5,317 AI-executed commands across 34 sessions on live victim infrastructure.
The Los Angeles Times broke the story on February 26, citing Gambit Security’s initial blog post. Targets included the federal tax authority (SAT), the national electoral institute (INE), the civil registry of Mexico City, the state governments of Jalisco, Michoacán and Tamaulipas, and Monterrey’s water utility. According to the recovered forensic materials, approximately 75% of remote command execution during the active intrusion was generated and run by Claude Code. A custom 17,550-line Python tool, BACKUPOSINT.py, piped harvested server data through OpenAI’s API and produced 2,597 structured intelligence reports mapping assets, users, and network relationships.
The temptation in the SMB community is to file this under “government problem.” That is the wrong read. The point of the campaign is not the target. The point is the labor cost. A campaign that previously required a competent six-person team for two months collapsed into one person with two paid subscriptions for six weeks. Whatever a serious adversary could justify spending against your business yesterday, the new floor is far lower today. This piece walks through what the operator actually did, what behavior it leaves on the wire and on hosts, and the detection and hardening posture every SMB defender should be running this week.
What the operator actually did
Most public coverage of this incident has been breathless and unspecific. The Gambit Security report and ExtraHop’s technical analysis are the two pieces worth reading end to end. Stripped to a defender’s view, the campaign decomposes into four phases, each of which has a recognizable footprint.
Initial access was conventional. The attacker did not innovate at the perimeter. Rescana’s incident writeup notes that initial footholds were obtained through traditional means — stolen credentials and unpatched edge systems — consistent with the infostealer-to-RDP-to-VPN pattern that has dominated SMB intrusions for the last two years. AI did not get the operator in. AI got the operator productive once inside.
Jailbreak took 40 minutes. The attacker framed requests as Spanish-language “bug bounty” engagements and continued prompting until Claude’s guardrails yielded. VentureBeat’s coverage notes that this is the second publicly disclosed Claude-enabled cyberattack in under a year, after Anthropic’s November 2025 disclosure of an AI-orchestrated Chinese state-sponsored campaign. The jailbreak step is increasingly cheap and is no longer a barrier you can assume in your threat model.
Hands-on operations were the AI’s contribution. Claude Code generated and executed the bulk of post-foothold work: discovery, lateral movement scripting, credential spraying, tunnel management, data extraction, operational-security cleanup, even rootkit drafting. Gambit Security recovered 301 Bash scripts and 113 Python scripts from the operator’s materials, alongside 20 exploits tailored to 20 specific CVEs identified in the target environment. The volume matters more than the originality. None of these scripts is individually novel; the operator simply did not have to write them.
Triage and reporting were ChatGPT’s job. Hackread’s coverage details how BACKUPOSINT.py streamed raw server telemetry (configuration files, process lists, service inventories, user accounts) through OpenAI’s API and produced 2,597 structured intelligence reports across 305 internal servers. The operator never had to read raw output. The model summarized, ranked, and recommended the next target. This is the most underappreciated piece of the campaign and the hardest to detect: nothing that looks like a conventional attacker tool handles the data on the way out, and it leaves the network as an ordinary HTTPS POST to api.openai.com.
The damage at SAT alone, 195 million taxpayer records and a custom service to generate fake tax certificates, came after the operator had compromised the network using conventional tools. The AI did not crack a firewall. The AI made it tractable for one person to monetize what they had already footprinted.
Why this matters more for SMBs than for governments
The Mexican government is not the worst-case victim of this attack pattern. SMBs are. Three reasons.
First, the cost curve flattens at the bottom. A nation-state can already throw six analysts at a target; collapsing that to one analyst plus an API key does not change much for them. A criminal who used to need two specialists to extort a 200-person company now needs only themselves and a paid Claude subscription. That math opens up SMB targets that previously did not justify the labor. Guardz’s April 2026 report already shows the leading edge of this: 9 of 10 SMBs surveyed had at least one compromised user account, and RMM tool abuse accounted for 26% of detected endpoint threat activity.
Second, SMBs have the visibility gap this attack exploits. Detecting the Mexico campaign would have required either egress logging that showed internal data flowing to consumer LLM APIs, or behavioral baselines that showed one workstation doing the work of a small team. Most SMBs run neither. ExtraHop’s analysis lands the point: organizations without continuous behavior-centric visibility do not get a warning before this kind of campaign completes.
Third, jailbroken consumer AI is now part of the baseline kit. Treating it as exotic is a planning error. The Claude Code security documentation is explicit that even with permission systems, command blocklists, and trust verification, the agent operates with the user’s privileges and reads the user’s files; a determined operator who owns the host owns the agent. The same is true for any CLI-based AI assistant a developer installs on a corporate endpoint.
The SMB detection and hardening playbook
Step 1: Inventory and audit AI traffic at the egress
The single highest-leverage control here is also the easiest one most SMBs skip: log and review outbound traffic to consumer AI APIs. The Mexico operator’s entire reporting pipeline depended on streaming sensitive content to api.openai.com and api.anthropic.com. That traffic is HTTPS and benign-looking, but the destinations are short, well-known, and rare from server segments.
If you run a next-generation firewall, build an explicit category for “AI APIs” covering at minimum api.openai.com, api.anthropic.com, generativelanguage.googleapis.com, api.mistral.ai, and api.groq.com. Allow them from developer subnets if your business genuinely needs them; alert on or block them from server, finance, HR, and executive endpoints. You do not need TLS inspection to see the destination: the TLS SNI field, the proxy CONNECT host, or the DNS query name is enough. A Splunk or Elastic query against firewall or proxy logs that lists every internal host that has contacted these destinations, sorted by data volume out, is a 10-minute exercise that frequently finds shadow AI installations on workstations that should not have them.
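The host-by-volume review described above, as an added example for this article and not tooling from Gambit Security, ExtraHop, or this page’s own stack. It is a Python script over a few constructed proxy log lines in an assumed simplified format (epoch, source IP, method, destination host, bytes out, status); the subnet-to-segment map and the allowed-segment set are assumptions to replace with your own IPAM data. Python rather than SPL or KQL so that it runs offline against the embedded sample.

```python
"""Egress review for consumer AI API destinations.

Added example for this article, not tooling from the Gambit Security or
ExtraHop reports. It parses constructed proxy log lines in an assumed
simplified format, aggregates bytes sent to known AI API hosts per internal
source, and flags sources outside the segments allowed to use those APIs.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Destinations named in the article; extend to match your own category.
AI_API_DOMAINS = (
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
    "api.mistral.ai",
    "api.groq.com",
)

# Assumed network layout for the example; replace with your IPAM data.
SEGMENTS = {
    "developer": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "finance": ipaddress.ip_network("10.30.0.0/24"),
}
ALLOWED_SEGMENTS = {"developer"}

# Constructed sample log. Assumed format, one request per line:
#   <epoch> <src_ip> <method> <dest_host> <bytes_out> <status>
SAMPLE_LOG = """\
1772064000 10.10.4.21 CONNECT api.anthropic.com 48211 200
1772064012 10.20.7.9 CONNECT api.openai.com 7431120 200
1772064030 10.30.0.14 CONNECT api.openai.com 90412 200
1772064041 10.20.7.9 CONNECT api.openai.com 6120077 200
1772064055 10.10.4.21 CONNECT github.com 3300 200
1772064060 10.20.7.9 CONNECT crl.microsoft.com 1200 200
this line is malformed and must be skipped
"""


@dataclass
class Finding:
    host: str
    segment: str
    bytes_out: int
    destinations: tuple
    allowed: bool


def is_ai_api(dest_host):
    """Exact or subdomain match against the AI API domain list."""
    dest_host = dest_host.lower().rstrip(".")
    return any(dest_host == d or dest_host.endswith("." + d) for d in AI_API_DOMAINS)


def segment_of(ip):
    """Map a source address to a named segment, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_line(line):
    """Return (src_ip, dest_host, bytes_out), or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6 or not parts[4].isdigit():
        return None
    try:
        ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return parts[1], parts[3], int(parts[4])


def review_ai_egress(log_text):
    """Aggregate AI API egress per source host, largest senders first."""
    bytes_by_host = defaultdict(int)
    dests_by_host = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dest, bytes_out = rec
        if not is_ai_api(dest):
            continue
        bytes_by_host[src] += bytes_out
        dests_by_host[src].add(dest.lower())
    findings = [
        Finding(src, segment_of(src), total, tuple(sorted(dests_by_host[src])),
                segment_of(src) in ALLOWED_SEGMENTS)
        for src, total in bytes_by_host.items()
    ]
    findings.sort(key=lambda f: (-f.bytes_out, f.host))
    return findings


if __name__ == "__main__":
    for f in review_ai_egress(SAMPLE_LOG):
        flag = "ok" if f.allowed else "REVIEW"
        print(f"{flag:6} {f.host:<12} {f.segment:<10} {f.bytes_out:>10} {', '.join(f.destinations)}")
```

Run it as-is and the server at 10.20.7.9 tops the list with two large posts to api.openai.com, the finance workstation follows, and the developer host is listed but marked allowed. Adapt `parse_line` to your proxy’s format and point `review_ai_egress` at an export; the suffix match in `is_ai_api` also catches regional or versioned hostnames under the same domain, so add a domain only when you want its whole subtree flagged.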
Step 2: Hunt for AI agent CLIs on endpoints that should not have them
Claude Code, the OpenAI CLI, and similar agents leave a small but consistent footprint on disk. A simple sweep across managed endpoints catches most installations. For Microsoft Defender for Endpoint customers, run this as an Advanced Hunting query:
```kusto
// Files or folders that AI agent CLIs leave on disk, seen in the last 30 days
DeviceFileEvents
| where Timestamp > ago(30d)
| where FileName in~ ("claude.exe", "claude", "claude-code", "openai.exe", "cursor.exe", "cursor-agent")
    or FolderPath has_any (@"\.claude\", @"\.config\claude", @"\.cursor\", @"\AppData\Roaming\Claude\")
// One row per artifact, with how many distinct devices carry it
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp), Hosts=dcount(DeviceName)
    by FileName, FolderPath
| order by LastSeen desc
```
The output is rarely zero. Cross-reference against your approved-software list and follow up on anything installed on hosts outside your developer organization. Persistence via cursor-tunnel, surfaced in the recent NomShub research by Straiker, is an explicit reminder that these agents ship with their own tunneling primitives.
Step 3: Apply behavioral baselines to admin and developer accounts
The Mexico operator generated 5,317 commands across 34 sessions in roughly six weeks, about 150 commands per session sustained for the whole campaign, at a density and rhythm few single human operators keep up. If you have any form of UEBA, or even just Sysmon (SwiftOnSecurity’s configuration is a good start) feeding process-creation events into a SIEM, build a baseline for command volume per user per day on workstations and on jump boxes. Anything 5x the user’s rolling 30-day baseline deserves a look. The signature of AI-driven operation is not exotic; it is volume and rhythm.
Pair this with a basic identity rule: a single user account, in a single session, executing reconnaissance commands against more than five hosts in under an hour is worth an alert regardless of whether AI is involved. The Mexico campaign crossed this bar repeatedly; no control was watching for it.
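Both rules from this step, the per-user command-density baseline and the recon fan-out check, as one added example for this article; it is not detection content from Gambit Security, ExtraHop, or SwiftOnSecurity’s Sysmon configuration. It runs over constructed Sysmon-style process events (timestamp, user, session id, command line) and an assumed table of each user’s prior daily command counts. The recon vocabulary, the target-extraction regex, the 5x multiplier and the five-host bar are assumptions to tune for your environment; the fan-out window slides per user and session.

```python
"""Volume-and-rhythm detections for AI-driven hands-on-keyboard activity.

Added example for this article, not tooling from the reports it cites. Two
rules run over constructed Sysmon-style process events (timestamp, user,
session id, command line) and an assumed table of each user's prior daily
command counts:

  1. Command density: a user's daily command count above 5x their rolling
     baseline (a user with no baseline at all is reported on any activity).
  2. Recon fan-out: one user in one session issuing recon commands at more
     than five distinct target hosts inside a sliding 60-minute window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DENSITY_MULTIPLIER = 5
FANOUT_THRESHOLD = 5            # distinct targets; alert when exceeded
FANOUT_WINDOW = timedelta(hours=1)

# Assumed recon vocabulary; tune for your environment.
RECON_RE = re.compile(
    r"\b(nmap|ping|nslookup|net view|nltest|Get-ADComputer|smbclient|crackmapexec|nxc)\b",
    re.IGNORECASE,
)
# Target host: a UNC host (\\host) or an IPv4 literal on the command line.
TARGET_RE = re.compile(r"\\\\([\w.-]+)|\b((?:\d{1,3}\.){3}\d{1,3})\b")

# Constructed sample events: (timestamp, user, session_id, command_line).
BASE = datetime(2026, 1, 14, 22, 0)
SAMPLE_EVENTS = (
    # svc-backup sweeps 12 hosts in 36 minutes, with a privilege check after each scan
    [(BASE + timedelta(minutes=3 * i), "svc-backup", "S1", f"nmap -sV -p- 10.20.7.{i}")
     for i in range(1, 13)]
    + [(BASE + timedelta(minutes=3 * i + 1), "svc-backup", "S1", "whoami /priv")
       for i in range(1, 13)]
    # dev.alice pings three lab hosts over half an hour: normal
    + [(BASE + timedelta(minutes=40 + 10 * i), "dev.alice", "S7", f"ping 10.10.4.{i}")
       for i in range(1, 4)]
)
# Assumed prior daily command counts per user (the rolling baseline input).
HISTORY = {
    "svc-backup": [2, 3, 2, 4, 3, 2, 2, 3, 1, 2],
    "dev.alice": [60, 55, 70, 64, 58],
}


def daily_counts(events):
    """Commands per (user, calendar day)."""
    counts = defaultdict(int)
    for ts, user, _session, _cmd in events:
        counts[(user, ts.date())] += 1
    return dict(counts)


def command_density_alerts(counts, history):
    """Return (user, day, today_count, baseline) for users above the multiplier."""
    alerts = []
    for (user, day), today in sorted(counts.items()):
        hist = history.get(user, [])
        baseline = sum(hist) / len(hist) if hist else 0.0
        if today > DENSITY_MULTIPLIER * baseline:
            alerts.append((user, day, today, round(baseline, 1)))
    return alerts


def recon_fanout_alerts(events):
    """Return (user, session, distinct_targets, window_start) per session over the fan-out bar."""
    hits = defaultdict(list)
    for ts, user, session, cmd in events:
        if not RECON_RE.search(cmd):
            continue
        m = TARGET_RE.search(cmd)
        if m:
            hits[(user, session)].append((ts, (m.group(1) or m.group(2)).lower()))
    alerts = []
    for (user, session), seq in hits.items():
        seq.sort()
        for i, (start, _target) in enumerate(seq):
            targets = {t for ts, t in seq[i:] if ts - start <= FANOUT_WINDOW}
            if len(targets) > FANOUT_THRESHOLD:
                alerts.append((user, session, len(targets), start))
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for a in command_density_alerts(daily_counts(SAMPLE_EVENTS), HISTORY):
        print("DENSITY  user=%s day=%s commands=%d baseline=%s" % a)
    for a in recon_fanout_alerts(SAMPLE_EVENTS):
        print("FAN-OUT  user=%s session=%s targets=%d from=%s" % a)
```

On the sample, svc-backup fires both rules (24 commands against a baseline of 2.4, and 12 distinct scan targets inside one hour) while dev.alice fires neither despite a higher absolute command count, which is the point of baselining per user. Feed `recon_fanout_alerts` the process-creation events (Sysmon event ID 1 or DeviceProcessEvents) exported from your SIEM; the density rule needs only a per-user history that a scheduled search can maintain. Because fan-out counts distinct targets, an admin hammering one broken box never trips it.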
Step 4: Tighten edge and identity, because AI didn’t get them in
The under-discussed lesson from Gambit’s timeline is that initial access was unremarkable. Stolen credentials and unpatched edge systems were the entry point. The AI-orchestrated phase came after. This means the conventional SMB hardening list still does the heavy lifting:
- Patch internet-facing systems within seven days of disclosure for any KEV-listed CVE, with the same urgency we covered in our PAN-OS CVE-2026-0300 pre-patch playbook.
- Enforce phishing-resistant MFA on every identity that fronts a SaaS app, particularly the SSO hub. The Vercel via Context.ai supply chain breach is the recent reminder that OAuth grants extend the blast radius of one compromised account further than most teams have inventoried.
- Inventory third-party OAuth scopes quarterly. The Mexico operator did not need this path, but the next one will.
- Rotate service accounts and decommission stale ones. AI agents are excellent at finding the forgotten 2019 service account with domain-admin-equivalent rights.
Step 5: Write an AI-use policy that your security team can enforce
This is the closest thing to a strategic recommendation in this piece. Most SMBs we work with have an AI-use policy that reads like an HR memo and is invisible to the security stack. The version that survives contact with reality is short and operational:
- Approved AI tools and the endpoints they may run on are explicitly listed. Everything else is unapproved.
- Sensitive data classes (customer PII, source code, financial records, board materials) cannot be pasted into unapproved AI tools, and DLP rules exist to enforce that.
- Developers using AI coding agents do so in isolated environments that have, at most, read-only access to production systems by default; any production-adjacent write access requires explicit approval per session.
- The security team has visibility into AI tool egress at the network layer and AI tool installation at the endpoint layer, and reviews both monthly.
The Gambit Security report closes with a line from Curtis Simpson, their chief strategy officer: recovering from this attack will take weeks to months; rebuilding trust will likely take years. SMBs do not have years of trust to rebuild. The defenses for this class of attack are not exotic, and they are not expensive. They are also not yet present in most SMB environments. If you would like help building the AI egress controls, endpoint inventory, and identity posture above into a 30-day plan, that is the conversation to have this month, not next quarter.
Build the AI defense baseline before the next operator finds you
One-person, two-LLM campaigns are the new floor. Red Hound helps SMBs build the AI egress visibility, endpoint AI inventory, identity hardening, and policy enforcement that this threat class requires — in a 30-day plan, not a 12-month transformation.
