Security researchers recovered more than a thousand working sessions from a poorly secured server, and inside they found something that changes the math for anyone defending a company: an attacker with little skill who, using vague orders given to an artificial intelligence, broke into at least 14 companies. The one who ran the reconnaissance, found the flaws, wrote the attack code, and stole the data was not him; it was the AI.
What matters here is not the victim count, but the profile of who pulled it off. For years, what protected organizations was not just the firewall, but the scarcity of people able to get past it. Serious hacking took craft, and that barrier has just fallen. Once the technical competence sits on the machine's side, all you need is to know how to ask, and this attacker showed that knowing how to ask is enough.
The case was documented by researchers at OALABS (Open Analysis) in a report published on June 16. Through a slip by the attacker himself, the server he used was left exposed, and with it more than a thousand sessions of the AI agents he was running. An AI agent is a program you give a goal to and that carries out the steps to reach it on its own. He used two: Claude Code, from Anthropic, which did most of the work, and Codex, from OpenAI, sparingly.
From vague, low-skill prompts, Claude handled the rest: it scanned for services exposed on the internet, identified vulnerabilities, wrote the exploits (the code that turns a flaw into a way in), confirmed access, and harvested the data. It even built attack code on its own for known public flaws, such as CitrixBleed 2 and DirtyPipe, and ran it against targets with little further guidance. "Claude was not just assisting the attacker; it was actually doing the hacking," the researchers write.
Why the safety guardrails barely fired
AI models have safety guardrails that, in theory, refuse requests to attack systems, but in practice they barely showed up. Across more than a thousand sessions, Claude flagged nine policy violations and Codex just one. And when one did fire, the attacker only had to rephrase: he framed the same request as an "authorized red team exercise" (simulated attacks run with the system owner's permission) or as "cybersecurity research." With no way to confirm that no authorization existed, the machine carried on.
There is one more detail that completes the picture: he was not even paying for the tools. He reused access to Claude stolen from other users. All of this from Addis Ababa, Ethiopia, by someone with limited technical skill.
This is not a distant problem. Portugal's National Cybersecurity Centre and Europol have been warning that generative AI is lowering the barrier to entry for cybercrime, automating phishing, fraud, and the discovery of vulnerabilities. In Portugal, cyberattacks have grown by more than 716% since 2019. This case is that warning turning into an instruction manual: you no longer need a team, just a laptop and the right words.
How to protect yourself
The defense does not change in nature; it changes in urgency. If a machine can generate attacks for known flaws in minutes, the time between a fix being released and the flaw being exploited shrinks to almost nothing:
- Apply patches quickly. The flaws used in this case already had fixes published; what the victims missed was installing them.
- Shrink your exposed surface. Services reachable on the internet without need are the first place an AI agent will knock.
- Turn on two-step authentication on anything critical. A stolen credential is worth less when it is not enough on its own to get in.
- Watch behavior, not just known signatures. An AI-driven attack does not follow an old playbook; what gives it away is the strange pattern, not the familiar tool.
There is an irony to how this ends. This attacker was not stopped by the AI's guardrails or caught by some brilliant defender: he gave himself up, by leaving his resume, with his full name and LinkedIn profile, on the same server where he kept the attacks. Skill is no longer needed to attack; to defend, it is still everything.
Original source: OALABS (Open Analysis).