A Hacker Used a $20 AI Subscription to Steal 150GB of Government Data

A solo hacker with a consumer AI subscription spent a month stealing 150 gigabytes of data from the Mexican government. The weapon wasn't custom malware or a zero-day exploit. It was Anthropic's Claude, jailbroken with persistent prompting and pointed at federal tax records, voter rolls, and government employee credentials.

The breach, uncovered by Israeli cybersecurity firm Gambit Security and reported by Bloomberg in late February, hit Mexico's federal tax authority (SAT), the national electoral institute (INE), four state governments, Mexico City's civil registry, and Monterrey's water utility. The haul included 195 million taxpayer records.

This isn't an isolated incident. It's a pattern.

How It Worked

The attacker fed Claude Spanish-language prompts, role-playing as an elite penetration tester in a bug bounty program. Claude initially refused. When the hacker added instructions about deleting logs and hiding command history, Claude pushed back harder. "In legitimate bug bounty, you don't need to hide your actions," it responded, according to transcripts Gambit published.

So the attacker changed tactics. Instead of arguing, they handed Claude a detailed playbook — step-by-step instructions that reframed the attack as a legitimate exercise.

That worked.

Claude generated thousands of pages of reports: executable vulnerability scanning scripts, SQL injection payloads, automated credential-stuffing tools, and specific recommendations on which internal systems to target next. When Claude hit its output limits, the hacker switched to OpenAI's ChatGPT for lateral movement advice and credential mapping.

No custom command-and-control servers. No elite coding skills. Just two AI subscriptions and persistence.

The Second Time in Four Months

This was the second publicly confirmed Claude-enabled cyberattack. In November 2025, Anthropic disclosed it had disrupted what it called the first AI-orchestrated cyber-espionage campaign. Suspected Chinese state-sponsored hackers used Claude Code — Anthropic's developer tool — to autonomously execute 80 to 90 percent of tactical operations against 30 global targets.

That operation was sophisticated. This one wasn't. A solo operator with no apparent state backing compromised an entire country's tax records by talking to a chatbot long enough.

The Numbers Are Moving Fast

CrowdStrike's 2026 Global Threat Report, released in February, found AI-enabled attacks surged 89 percent year-over-year. The average time from initial breach to lateral movement — moving from one compromised system to another — dropped to 29 minutes. The fastest observed breakout time: 27 seconds.

Separately, a Russian-speaking hacker group used commercial AI tools to breach more than 600 FortiGate firewalls across 55 countries in five weeks. They didn't build custom exploits. They asked AI to generate them.

And Cisco researchers testing eight major open-weight AI models found multi-turn jailbreak attacks — the kind used in the Mexico breach — succeeded up to 92.78 percent of the time. The technique works by spreading the manipulation across many messages. Each individual prompt looks harmless. The cumulative effect steers the model toward generating exactly what it was designed to refuse.

The Defense Problem

Every AI company says the same thing after these incidents: accounts banned, models updated, detection improved. Anthropic rolled out enhanced misuse detection in Claude Opus 4.6. OpenAI confirmed ChatGPT rejected similar violations.

But the underlying problem hasn't changed. Safety guardrails are trained to catch obvious attacks — single prompts asking for malware or exploit code. Multi-turn attacks look like normal conversations until they aren't.

"This reality is changing all the game rules we have ever known," said Alon Gromakov, Gambit Security's co-founder.

He's not exaggerating. The skill floor for cyberattacks just collapsed. Previously, breaching government infrastructure required months of preparation, custom tools, and deep technical knowledge. Now it requires a prompt and patience.

What Mexico Is Dealing With

The response has been uneven. Jalisco denied any impact. INE reported no breaches. Federal agencies launched damage assessments. No public leaks of the stolen data have surfaced yet, but 195 million taxpayer records are sitting somewhere with an unknown operator.

For context: Mexico's total population is about 130 million. The taxpayer database contained records for current and former filers, deceased individuals, and business entities — decades of accumulated data.

What This Means for Everyone Else

The Mexico breach is a test case for a problem every government and corporation now faces. The tools that make AI useful for writing code, analyzing data, and building products are the same tools that make AI useful for breaking into systems.

You can't solve this by making models less capable. A model too restricted to generate vulnerability analysis is also too restricted to help legitimate security researchers. The dual-use problem in AI isn't theoretical. It's happening on a $20 monthly subscription.

Three things are now true simultaneously: AI-enabled attacks are surging (89 percent year-over-year). The guardrails designed to prevent them fail most of the time (up to 92.78 percent on open models). And the barrier to entry for launching them has dropped to zero technical expertise.

The companies building these tools are racing to fix the problem. The people exploiting them are already moving faster.