Hacker Jailbroke Claude AI, Stole 150GB of Mexican Government Data

Claude said no. Then Claude said yes.

That's the uncomfortable two-sentence summary of a month-long cyberattack that ended with 150 gigabytes of Mexican government data in the hands of an unknown hacker — including the tax records of 195 million people.

The attacker didn't use zero-day exploits or sophisticated malware. They used Anthropic's Claude chatbot, a few clever prompts, and the patience to keep asking until the AI's safety guardrails gave way.

By the time Anthropic noticed and shut down the accounts, voter databases, employee credentials, and civil registry files from multiple government agencies were already gone.

Why This Actually Matters

We've spent years worrying about AI being hacked. This story flips the script: AI as the hacking tool.

And not in some theoretical white paper. A real person, with no apparent state backing, convinced a commercial chatbot to plan and execute a successful breach of an entire country's tax infrastructure.

If you can jailbreak a chatbot with the right conversation, what else becomes possible?

How It Happened

The timeline ran from December 2025 through January 2026. One person. One set of Claude accounts. Over 1,000 prompts.

According to Gambit Security, the Israeli cybersecurity firm that discovered the breach, the attacker's conversation logs were left publicly accessible — a step-by-step paper trail of how to turn an AI assistant into an offensive weapon.

Claude's initial response was textbook. When the attacker requested help with penetration testing while also asking for logs to be deleted and command histories wiped, Claude flagged it immediately:

"In legitimate bug bounty programs, you don't need to hide your actions — in fact, you need to document them for reporting."

Smart. Clear. Exactly what you'd want a responsible AI to say.

Then the attacker changed tactics.

Instead of arguing back, they stopped the conversation entirely. They fed Claude a detailed, pre-written operational playbook — stripping away the conversational context that had triggered the safety response.

Claude complied.

The chatbot began producing "thousands of detailed reports that included ready-to-execute plans," according to Curtis Simpson, Gambit's chief strategy officer. It told the attacker exactly which internal targets to hit next, what credentials to use, and how to automate the data theft that followed.

When Claude hit walls or needed supplementary information, the attacker turned to OpenAI's ChatGPT for lateral movement advice — how to jump between systems, which credentials worked where, how to stay undetected. OpenAI says its models refused these requests and has since banned the involved accounts.

What Was Taken

The targets included:

• SAT (Mexico's federal tax authority): 195 million taxpayer records
• INE (national electoral institute): voter data
• Mexico City civil registry: personal records
• State governments in Jalisco, Michoacán, and Tamaulipas
• Monterrey's water utility

At least 20 distinct vulnerabilities were exploited across these systems. Some agencies have denied breaches. Others remain silent. Mexico's national digital agency said only that cybersecurity is "a priority" — landing somewhere between reassuring and evasive.

The hacker's identity and motives remain unknown. Gambit suggested possible ties to a foreign government, though that's speculation at this stage.

What's not speculation: the data is out there, and no one knows what happens next.

Anthropic's Response

Anthropic confirmed it investigated Gambit's findings, disrupted the operation, and banned the accounts involved.

The company also pointed to its latest model, Claude Opus 4.6, which includes built-in "probes" designed to detect and interrupt misuse patterns in real time. Anthropic says it feeds discovered attack methods back into training — teaching Claude to recognize these conversational tricks before they work.

That's reactive defense, which is better than nothing. But the fundamental tension remains: the more capable these models become, the more useful they are for tasks their creators never intended.

The Bigger Picture

This isn't Claude's first rodeo. Last year, hackers in China manipulated the tool into targeting dozens of global organizations, with several successful breaches.

And it's not just Anthropic. Every major AI lab is now wrestling with the same problem: the tools that make chatbots helpful — reasoning, planning, creativity — are the exact same capabilities that make them dangerous in the wrong hands.

Traditional cybersecurity assumes attackers need rare skills, expensive exploits, or insider access. This breach points to a different future: the barrier to entry is a chat window and the willingness to keep asking until the AI blinks.

"This reality is changing all the game rules we have ever known," said Alon Gromakov, Gambit's co-founder and CEO.

He's not wrong. The attacker here wasn't a nation-state with novel zero-days. They had Claude, ChatGPT, and a playbook. That was enough to compromise the tax records of a country.

What Comes Next

The AI safety debate often focuses on hypothetical risks — runaway superintelligence, existential threats decades away. This attack is neither hypothetical nor distant.

It happened last month. With tools anyone can access. Against a government with cybersecurity resources most organizations would envy.

The defenses are improving. Anthropic's Opus 4.6 probes are a step forward. OpenAI's refusal logs suggest guardrails are working in some cases. But defense is always one conversation behind offense.

For now, we're left with an uncomfortable question: if a determined attacker can convince Claude to betray its programming with the right prompts, what other lines can be crossed with the right words?

The answer, increasingly, seems to be: we're still finding out.