A Single Operator Two AI Platforms Nine Government Agencies The Full Technical Report Balens Blog

pIn February we published our initial findings on the AIassisted breach of Mexicos government infrastructure warning of the elevated risk that AIpowered threat actors now pose A single operator used AI to breach nine Mexican government organizations and exfiltrate hundreds of millions of citizen records Today we release the full technical reportppWe delayed publishing the report at the request of all parties involved in order to allow more time for corresponding incident response efforts Incident response efforts have now progressed such that we are ready to publish our detailed findings The report was shared with all relevant parties well in advance of publishing adjusting accordingly based on feedback received including requests to derisk elements of the reportppThe report documents from recovered forensic materials how two commercial AI platforms Anthropics Claude Code and OpenAIs GPT41 were used as core operational tools throughout a campaign that ran from late December 2025 through midFebruary 2026 Approximately 75 of remote command execution activity was generated and executed by Claude Code A custom 17550line Python tool piped harvested server data through OpenAIs API producing 2597 structured intelligence reports across 305 internal servers The attackers recovered materials include over 400 custom attack scripts 20 tailored exploits targeting 20 different CVEs and 1088 individually logged prompts generating 5317 AIexecuted commands across 34 sessions on live victim infrastructureppThe campaign compressed attack timelines below standard detection and response windows It transformed raw reconnaissance data from hundreds of servers into structured intelligence thus enabling a single operator to process volumes that would normally require a team It turned unfamiliar systems into mapped targets and tailored exploits in hours not daysppThe AIassisted methods documented here represent a significant evolution in offensive capability The underlying vulnerabilities exploited however were addressable through standard security controls patching credential rotation network segmentation endpoint detection Organizations that have deferred investment in technical debt particularly for missioncritical systems now face a fundamentally different threat environment AI has collapsed the cost and complexity of reaching those systems The gap between what attackers can do and what defenders can protect is wideningppRead the full report herep