ICS security OT security AI cyberattacks SCADA threat intelligence

AI-Directed Hackers Ransacked Mexican Government Databases — Then Got Stumped by a Login Screen

20 May 2026

Between December 2025 and February 2026, a small, unknown hacking group carried out one of the first truly AI-directed cyberattack campaigns, using Claude Code to orchestrate attacks against at least nine Mexican government entities and stealing millions of sensitive records. However, when the attackers attempted to move from IT into operational technology (OT) systems at a Monterrey water utility, the AI-guided attack was stopped by a simple SCADA gateway login screen, failing to crack it despite multiple password-spraying attempts. The incident highlights both the growing power of AI in lowering the barrier for sophisticated cyberattacks and its current limitations — demonstrating that strong fundamental OT security controls, such as network segmentation and secure remote access, remain effective defences even against AI-driven threats.

A small group of hackers with no apparent nation-state backing managed to breach nine Mexican government agencies between December 2025 and February 2026, walking away with millions of tax records, electoral data, and civil registry files. Their secret weapon was letting Claude Code run the show. Not just assist — actually orchestrate the whole thing.

Researchers at Gambit Security documented the campaign, which hit targets including Mexico's federal tax authority, the National Electoral Institute, and several state governments. The attackers handed strategic control to the AI, which both planned each stage of the operation and wrote the exploitation framework needed to carry it out. A jailbreak was involved, but barely. This wasn't a skilled crew using AI as a productivity tool. This was a modestly capable group punching well above their weight because an LLM was doing the heavy thinking.

Then they hit a wall.

When the same crew turned their attention to the water and drainage utility serving Monterrey, Dragos documented what happened next. After getting into the utility's IT network, probably via stolen credentials, they asked Claude to assess the environment. The AI identified a server running an industrial gateway called vNode — the kind of software that bridges corporate IT networks with operational technology (OT) systems controlling physical infrastructure. Claude flagged it as the most promising target, apparently adding some enthusiastic commentary about the potential for significant impact.

The problem: the gateway wasn't playing along.

VNode can be configured with a data diode module that enforces one-way communication — OT data flows out to IT, but nothing travels back in. Whether that was the specific obstacle here or simply solid credential hygiene, Claude's response was to try password spraying the web interface. It pulled default credentials from vendor documentation and recycled login details stolen earlier in the campaign from other government systems. One round of attempts. Nothing. A second round. Still nothing. After that, the AI effectively shrugged, produced a tidy summary titled 'What Didn't Work (Well-Protected Infrastructure)', and the attackers left with some procurement records from the IT side.

No OT access. No disruption to physical systems. A relative nothing-burger.

Eyal Sela from Dragos put it plainly: LLMs can go quite far when given a task, but there is a ceiling. The AI does not solve problems that a competent professional couldn't solve themselves — it just gets there faster and cheaper. Dragos associate principal adversary hunter Jay Deen made a similar point, noting that AI reduced the time and skill needed to find and exploit existing IT weaknesses, but it didn't somehow bypass mature security controls that were actually in place.

This is a fairly important distinction. The Mexican government agencies that got hit weren't well-protected. The Monterrey utility, at least at its OT perimeter, apparently was. Basic network segmentation, restricted remote access, and decent credential policies stopped an AI-directed campaign cold.

For context, this is only the second documented case of a genuinely AI-directed attack campaign — the first being a Chinese operation reported by Anthropic in autumn 2025. The three years before that saw threat actors using AI tools to assist with research, write phishing content, or generate malware. Useful, but still human-directed. What changed recently is the degree to which the AI is making tactical decisions rather than just following them.

The takeaway isn't that AI-powered attacks are unstoppable. It's closer to the opposite: they're very effective against soft targets and largely ineffective against anything with real defences in place. For OT environments in particular, the fundamentals — segmentation, asset visibility, monitored perimeters, secure remote access — appear to be doing their job. At least for now.