단독 범죄자, AI 크로드로 멕시코 정부 해킹

Contents AI did not invent any new attacks or any new economic vulnerabilities. It did one thing: it dropped the cost and knowledge requirements for attackers by orders of magnitude, and made the execution possible by anyone with a subscription and malicious intent. Just in 2025, the news covered AI attacks that hit the Mexican government [1], seventeen healthcare and emergency services organizations [2], and eighty-five ransomware victims of one amateur in Algeria [2]. It is also happening in crypto today. And crypto is the only place we will be able to count it. AI evens the playing field Most coverage of AI in security right now picks one of two frames. Utopian - better audits, fewer bugs, safer code. Apocalyptic - autonomous superhackers finding novel zero-days that nobody has ever seen. Both frames miss what is actually happening. Frontier models in 2026 are producing the same kinds of findings as the static analyzers we have had for a decade. They just produce more of them, faster, at a lower marginal human cost. Daniel Stenberg, the curl maintainer who recently put one of the most hyped frontier models on his own codebase, said: “the AI tools find the usual and established kind of errors we already know about. It just finds new instances of them” [3]. The attack catalogue itself is the same one we have been losing money to since 2021 and before mass AI adoption. Oracle manipulation. Governance capture. Flash-loan-driven economic exploitation. Social engineering. Credential harvesting. Classic web vulnerabilities. AI did not add a single line item. What it reduced is the labor needed to operate any of them. An elite Solidity auditor could costs about $25,000 per engineer-week [4]. Call it $500 an hour, per their own procurement benchmarks. The same surface coverage on a frontier model runs about $1.22 per contract on average in API tokens, per Anthropic’s own published figures, and the per-exploit token cost is falling roughly 22% every model generation, or about every two months [5]. The skill required to spot a flash-loan governance attack has not gone down. The cost to run one has. AI did not break the floor. The floor was never knowledge. The floor was always a price tag on attacker labor, and now the price is a subscription. AI did not democratize hacking. It just billed it monthly. Random people, real hacks, this year The clearest evidence the floor is now a subscription is in the confirmed cases from the last twelve months. Three of them stand out. The Mexican government, December 2025 to January 2026. A solo operator (no nation-state backing, no custom malware, no observable ties to foreign intelligence per Gambit Security) jailbroke Claude Code into a “bug-bounty researcher” persona and ran more than 1,000 prompts against it [1], [6]. When Claude refused on safety grounds, ChatGPT was used as a backup. The result: 20 vulnerabilities exploited across the federal tax authority (SAT), the National Electoral Institute, and state governments in Jalisco, Michoacán, and Tamaulipas. 150 gigabytes of data exfiltrated. 195 million taxpayer records. Voter rolls. Government employee credentials. The largest known single-operator data breach in Mexican history was executed with two commercial AI subscriptions and persistence. The “vibe hacking” case, August 2025. Anthropic’s own threat intelligence team disclosed that a single cybercriminal used Claude Code as the operational core of an end-to-end extortion campaign against 17 organizations across healthcare, emergency services, government, and religious institutions [2]. Claude made tactical and strategic decisions. Which credentials to harvest. Which lateral movements to attempt. Which data to exfiltrate. How to phrase the psychologically tailored ransom note. The autonomy ratio is the part most coverage missed. This was not Claude as autocomplete. This was Claude as field operator. The Algerian amateur, in the same Anthropic report [2]. Someone with no track record of writing working malware used Claude to develop, troubleshoot, package, and sell it. The packages sold on dark-web forums for $400 to $1,200. Eighty-five victims in his first month. The Anthropic write-up is explicit: “without Claude’s assistance, they could not implement or troubleshoot core malware components.” None of these three operators are hackers by any traditional definition. None of them invented anything. They all subscribed to Claude. The catalogue stayed the same. The barrier to entry collapsed. Crypto as the perfect case study of AI hacking impact Crypto enters the story now, but not because it is more vulnerable than government data systems or healthcare networks. The Mexican government case is the larger single-operator incident of the year by record count. Crypto matters because it is more measurable. Public ledger. Deterministic execution. Open-source by default. Every smart contract is verifiable on Etherscan. Every exploit is timestamped. Every attacker and transaction leaves a trail in the block explorer. There is no other large-scale economic system where the offense/defense curve under AI uplift can be observed in the open, in real money, with adversarial ground truth. Three legitimate denominators for the volume of money already lost to the pre-AI version of this dynamic. Numbers do not reconcile, but here are a few with references. $11.9 billion in tracked smart-contract exploits across 2021 to 2025, per Immunefi’s 2026 State of Onchain Security report (425 incidents, strict smart-contract definition) [7]. Roughly $30 billion if you include scams and fraud, per Chainalysis aggregates [8]. $68 billion or more if you count exchange and protocol collapses, per Molly White’s Web3IsGoingJustGreat [9]. I use $11.9 billion as the primary anchor in the rest of this piece because Immunefi is the strictest definition. The other two are the upper bounds, and they exist for a reason. Crypto is not the easiest place to be hacked. It is the most transparent one to get traced. Open source plus money equals the perfect target and the perfect case study Three things make crypto the cleanest mass-scanning target in software. Surface area. Roughly 60 million smart contracts deployed on Ethereum, per Wang et al.’s 2024 measurement study [10]. Layer-2 deployments add another order of magnitude. Flipside Crypto counted more than 637 million EVM contracts across seven L2s by 2024 [11]. Etherscan’s daily verified-contract count hit 602 in 2023 at its peak [12]. The human-auditor workforce that covers this surface is, charitably, in the low thousands worldwide. Forensic transparency. Every prior exploit has a public record. Every attacker transaction is replayable from the block explorer. The training corpus for an attacking model is not “the public internet.” It is a curated, RAG-ready, dollar-priced exploit-and-defense dataset built by Trail of Bits, OpenZeppelin, PeckShield, BlockSec, Halborn, and the entire DeFi-security community over five years. Variant analysis (starting from a known prior bug) is dramatically more tractable for an LLM than open-ended discovery. This is the structural lesson from Google Big Sleep finding a real SQLite zero-day in October 2024 [13]. Crypto post-mortems are exactly that corpus. Economic density per line of code. A 500-line Solidity contract can hold $200 million of TVL. The same density does not exist in the average Linux kernel module or Express.js handler, unless it is a random open source library that can break the internet standalone. The expected value of a successful mass-scan-and-exploit pipeline is therefore higher per token spent in crypto than in essentially any other software domain. This is why an AI-enabled attacker rationally targets DeFi first and we would see much more of that in coming years. Where problems will start to leak first The existing research and published evidence