The role of credentials in the AI espionage campaign reported by Anthropic
by Anand Srinivas
December 9, 2025 - 5 min
Related Categories
Anthropic recently announced that the company has disrupted the first reported AI-orchestrated cyber espionage campaign. This attack used Claude Code to automate many steps, with AI handling up to 90% of the tasks, including web searches and the autonomous writing of exploit code. The attackers bypassed Claude’s guardrails by breaking each step into small tasks and role-playing as a red team member. By taking this approach, the attackers avoided having any individual Al task flagged for violating Claude guardrails.
While this type of attack is new, the bad actors also relied on tried-and-true methods to maximize access. Once the AI agents obtained valid certificates, they relied on password extraction to move laterally within the target systems. Anthropic has broken down the espionage campaign into six distinct phases:
Campaign initialization and target selection: Human operators chose the relevant targets to be infiltrated.
Reconnaissance and attack surface mapping: AI cataloged target infrastructure and identified potential vulnerabilities.
Vulnerability discovery and validation: Automated testing of identified attack surfaces to determine exploitability.
Credential harvesting and lateral movement: Systematic credential collection across target networks.
Data collection and intelligence extraction: AI queried databases and systems, extracted data, and categorized it based on perceived intelligence value.
Documentation and handoff: Claude generated documentation that included harvest credentials, extracted data, and a complete attack progression, which was handed off to operators.
For our analysis, we’ll be focusing primarily on Phase 4: Credential harvesting and lateral movement.
The role of credentials in the attack
Credentials played a key role in enabling bad actors to gain a foothold and expand their presence. As is typical with lateral movement attacks, once an attacker gains initial access, they seek additional ways to expand their reach. In this case, identifying useful credentials to further exploit each target was an intentional step that enabled the AI agent to escalate its operations from a foothold into a full-scale breach.
Identifying and using credentials was critical to enabling this attack. Per Anthropic:
Systematic Collection: Claude executed “systematic credential collection across targeted networks.”
Extraction Methods: This involved “querying internal services and extracting authentication certificates from configurations.”
Lateral Movement: The harvested credentials were used to enable lateral movement. Claude tested authentication against “internal systems, including internal APIs, database systems, container registries, and logging infrastructure.”
Mapping Privileges: Crucially, the AI independently determined which credentials provided access to specific services. This enabled it to map privilege levels and access boundaries without human direction.
Getting to data collection and intelligence extraction: The successful extraction of credentials directly enabled the next phase (Phase 5: Data collection).
The ease with which the AI could query internal services, extract certificates, and leverage those credentials for widespread lateral movement highlights critical vulnerabilities in existing credential management systems, allowing the AI to act as an execution engine within a larger automated system.
How to minimize the damage by protecting credentials
The AI agent's ability to identify and collect credentials and secrets is highly problematic. Given that this is an example of how AI agents can perform the work of an entire team of hackers with minimal human supervision, there is an increased urgency for implementing proper safeguards around secrets, passwords, and certificates. This also highlights the criticality of ensuring that these security policies are implemented wall-to-wall, meaning every employee and system must be accounted for.
By taking this approach, even if the AI agent gains an initial foothold, the damage can be minimized, or the attack chain stopped, because the AI agents cannot move laterally within the target systems. Indeed, modern cybersecurity methodologies have principles that require these types of precautions to be taken:
Principle of least privilege: every entity within an organization should only have the minimum privileges required to complete its tasks.
Just-in-time access: access should only be provisioned when needed; standing or long-lived credentials should be minimized
Use ephemeral credentials: where possible, provision credentials when needed and immediately deprovision credentials once used
We should note that the above are also critical elements of implementing a Zero Trust strategy, where all access must be verified before it is trusted.
How 1Password Helps
Solutions like 1Password can play an essential role in disrupting these types of attacks in the future. By securing credentials and secrets, the ability of AI agents to move laterally is minimized. This requires changing internal user behavior by requiring secure vaulting of credentials, as well as the development of policies that anticipate these types of attacks in the future.
1Password’s offerings provide critical functionality that can help to minimize the damage caused by this type of attack:
Secure vaulting of credentials and secrets
Simplified creation and management of strong, unique passwords for every employee and AI agent
Separation of credentials from key internal systems
End-to-end encryption of credentials
Zero-knowledge architecture that uses dual-key encryption to ensure only you know your passwords
Auditable, human-in-the-loop processes for sensitive credential access
The reality is that AI-driven cyberattacks will only increase going forward. So even if it isn’t possible to stop them entirely, damage can be mitigated by ensuring the proper behaviors are embraced by employees, and that starts by locking the front door and securing credentials.
