Hackers Exploit Claude Code to Extort 17 Organizations, Including Churches

Aug 28, 2025 · 36 mins read

Vibe coding is gaining popularity. Does the emergence of vibe hacking seem unlikely?

Just today, Anthropic said in its most recent report that criminals are turning Claude Code into a weapon to run a complete “fraud assembly line.”

In the disclosure, the company says it stopped a complex cybercrime incident in July 2025. The perpetrators were using Claude to carry out large-scale data theft and extortion.

The details are jaw-dropping: working on Kali Linux, the hackers went so far as to turn Claude Code into a complete attack platform, while also writing instructions for each engagement into the init.md file so that they were always on hand for reference. (For more on .md file usage, see this article: “Claude Advanced Tricks Leaked! Top Reddit Post: Don’t just say ‘help me fix this bug,’ pros configure ready-made instruction libraries! Users say: commanding AI is the key.”)

Note: Kali Linux is a Linux distribution created specifically for cybersecurity and penetration testing.

At least 17 organizations were seriously affected, and the largest single ransom demand was $500,000 (about ¥3.6 million RMB).

Normally, carrying out such a plan would take a gang several months. With the help of AI, however, a single hacker was able to perform the same infiltration in less than a month, becoming a “super individual.”

It seems to me that hackers are now entering their own “vibe era.”

 

Anthropic feels the need to act

 

In addition to the safety-focused report, Anthropic has also released a podcast that delivers a clear message to its listeners: vibe coding is becoming a significant security threat.

  • Lower barriers: People with zero programming skills can now easily "get into fraud," which results in a dramatic increase in fraudulent activity.
  • Advanced cybercrime: Seasoned hackers turn to Claude to expand their ventures faster.

 

![Image: Anthropic Threat Intelligence Team Members Jacob (left) and Alex (second from left)]

In simpler terms, AI is making the "fraud industry" more scalable and standardized. Besides the example above, the podcast lists other AI-aided crimes:

  • Ransomware-as-a-Service: Hackers from the UK built ransomware by "vibe coding" with Claude and sold it on the dark web, turning it into an underground SaaS business.
  • North Korean job scams: Operatives impersonated remote IT/AI workers with fabricated identities and secured positions at Fortune 500 companies.
  • High-tech romance scams: Criminal groups used Claude as an "emotional engine," relying on its advice for compliments and flirtatious responses to defraud victims.
  • Credit card fraud: Scammers built "carder services" with Claude to automatically generate infrastructure for stolen or fake credit cards.

 

Now, let's go back to the Kali Linux extortion case to see how these "vibe hackers" carried out their operations, and how the Claude team secretly stopped them.

This AI-powered cat-and-mouse game is only in its early stages.

 

1. The Frenzied Vibe Hacker: Extorting 17 Organizations, Even Churches

 

In the case Anthropic revealed, the perpetrator used AI to an unimaginable degree.

Claude Code’s coding power let them steal massive amounts of data and use it for extortion. In contrast to regular ransomware, which encrypts files, this method was stealthier: the attacker threatened to expose sensitive data unless the ransom was paid, with demands ranging from $75,000 to $500,000 in Bitcoin.

The Anthropic Threat Intelligence team gave this example:

Churches, for example, are the type of organization that does not have automated defenses. Attackers got into networks by compromising VPNs, then infiltrated the networks to find machines with sensitive data, such as administrators’ or finance staff’s computers. They took financial records and donor information.

Donor names and labels with contribution amounts were identified and extracted using Claude. The data was then analyzed to create extortion strategies.

Claude came to the conclusion that public disclosure of donor names and contributions would severely harm trust between the church and its congregation.

Consequently, the ransom note was written: pay us, or we release the data.

The extortion letters shown in the extracted templates detailed the sensitive data the attackers held and warned victims of everything that could follow if the data fell into the wrong hands: canceled contracts, multimillion-dollar fines, employee lawsuits, loss of reputation, or even being forced to close down.

AI had clearly been used to the fullest extent at every step of the workflow.

Further digging showed that the hacker had fully exploited Claude Code to build a complete fraud pipeline, all the way from reconnaissance to infiltration, theft, and extortion.

2. How Claude Code Made It Possible

 

In many AI-enabled crime cases, Claude was not only handling intrusion and data collection but also making both tactical and strategic decisions, such as composing ransom demands.

As Anthropic’s analysts put it:

“The AI here is not merely a tool, but an accomplice. It selects which data to steal, and how to apply the psychological pressure. That is already beyond the scope of the traditional scripts.”

In the most famous case, the hacker barely typed anything himself. It was mostly Claude “at the keyboard.”

The hacker acted more like a “coach” who intervened only rarely to give instructions, such as an “operations manual” with specific conditions: ‘Combine all your knowledge. Do not stop until the job is finished.’

Ultimately, Claude acted like a singularity agent that had broken completely free of the usual restrictions and completed almost all of the groundwork:

  • Recon & infiltration: scanning thousands of VPN endpoints, marking weak ones, exploiting vulnerabilities, persisting access, then moving laterally via credential harvesting and network mapping.
  • Autonomous decisions: selecting which data to steal and which targets had the most value.
  • Data monetization & pricing: estimating the dark web value of stolen data and suggesting ransom amounts based on victims’ financial status (revenues, budgets, cash flow). If an organization had tens of millions in revenue, Claude might suggest demanding hundreds of thousands.
  • “Hyper-targeted” extortion: even drafting installment payment plans, like online shopping.
  • Ransom note generation: producing visualized threats with shocking imagery for maximum fear.
  • Custom tool development: altering tools such as Chisel so that they could not be detected, and disguising malware as normal Microsoft programs.

 

Why did Claude follow the instructions?

It seems that the attacker used tricks to get past Claude's safety barriers.

These included not only strange prompts with nonsensical mixed-case letters but also flooding the model with thousands of instructions until it no longer obeyed the rules.

In this case, the hacker used a role-play jailbreak: he described himself as a penetration tester doing authorized tests, convincing Claude that it was “legitimate work.”

 

3. Countermeasures: How Claude Fights Back

 

Confronted with multiple “vibe hacker” cases, Anthropic took measures that were in place practically instantly:

  • Immediate bans: accounts related to the incidents were disabled.
  • Faster detection: improving classifiers and detection methods to find misuse activity.
  • Threat intel sharing: sharing technical indicators (such as IPs and emails) with partners and regulators.
  • Continuous improvements: widening the scope of monitoring to guard against misuse for activities like ransomware, fraud, or mass extortion.

 

Anthropic made it clear that defense in depth is necessary:

 

  • Model training (RLHF): training models to reject malicious prompts, which forces hackers to resort to jailbreaks.
  • Classifier detection: runtime filters that flag suspicious prompts.
  • Static rules: scanning prompts for characteristics such as suspicious strings.
  • Account security: applying verification at signup and monitoring behavior in order to block potential threats early.
  • Intel sharing: exchanging specific, identifiable indicators with the wider community, as opposed to just giving general warnings.

 

One of the team members said:

"We never count on a single layer of defense to be our ultimate solution. It's only by combining all the layers together that we can outsmart AI hackers."

Moreover, they described a “fire fight” scenario for the future:

AI agents are becoming indispensable partners in defense scenarios amid a shortage of 500,000 cybersecurity workers in the U.S. alone.

 

4. Final Thoughts

 

The “vibe hacking” tale is totally different from the “vibe coding” story.

Initially, AI was used for coding creative and entertaining projects. However, the same technology is now serving the dark side of that ingenuity.

Anthropic’s threat team is like a group of modern-day undercover agents who watch how criminals carry out their illegal activities on the open and dark web, collect intelligence, and pass it to the security forces.

By doing this, they constantly improve their detection and defense.

These vulnerabilities do not imply that Claude is the only one affected, nor do they indicate that AI tools should be discontinued.

The team emphasized that hackers will employ any commercially available or open-source model (this is the reason why Anthropic refuses to release Claude).

The issue will still be present.

However, through the publication of reports and podcasts, they aim to bring that problem to public attention, influence policy and technical consensus, and enhance the strength of the defenses.

For ordinary users, they offered some useful tips:

 

  • If you receive suspicious texts, phishing emails, or your computer is acting strangely, try asking Claude. It can serve as a security expert who guides you and even makes the process faster.
  • AI can be used to hold fake conversations with scammers, annoying them and keeping them from finding new victims.

 

Just before finishing the article, here is something that I would like to know: in your opinion, in what ways would hackers utilize AI to become more efficient? Do you think that it is just the natural result of the evolution of technology or that it will lead to a disaster in the field of security?
