The Only Witness to the 'World's First AI Government Hack' Is the Company That Raised $61 Million to Say It Happened. The Report Has Since Been Removed.

On February 26, 2026, a company called Gambit Security announced two things simultaneously: it had discovered what it called "the world's first AI-driven cyberattack at government scale," and it had raised $61 million in seed and Series A funding from Spark Capital, Kleiner Perkins, and Cyberstarts.

Within 72 hours, the Mexico AI hack story had run in Dark Reading, SecurityWeek, Security Affairs, Live Science, SC World, HackRead, SOCRadar, Engadget, and dozens of downstream outlets. The headline elements were striking: a single attacker, nine Mexican government agencies, Claude Code used for 75% of remote command execution, 195 million taxpayer records, 220 million civil records, 40 minutes from refusal to live server access.

Every one of those numbers came from Gambit Security. Not from the Mexican government. Not from an independent forensic firm. Not from Anthropic. Not from OpenAI. From the company that raised $61 million on the same day.

The single-source problem.

Gambit's Director of Threat Intelligence, Eyal Sela, published the initial disclosure on February 26. The full technical report — "A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report" — followed on April 10. By late May 2026, Gambit had removed the blog post from public access. The PDF remains accessible at a Webflow CDN URL. No explanation was given for the removal.

The mechanism by which Gambit accessed the underlying evidence is itself unexplained. The report states findings came from "recovered forensic materials from three virtual private servers." How Gambit gained access to those VPS systems — whether they were seized by law enforcement, shared by a third party, or accessed directly by Gambit's researchers — is not disclosed. This is a critical gap in the sourcing chain: Gambit's entire evidentiary basis rests on VPS data whose provenance is unexplained.

No other security firm has independently corroborated Gambit's findings. RST Cloud threat intelligence confirmed the presence of secondary tools (Vulmap, Chisel, Proxychains) that are consistent with the described campaign but do not independently verify the record counts, timeline, or Gambit's attribution of the attack to a single actor. Check Point Research published separate Claude Code CVEs in April 2026 (CVE-2025-59536, CVE-2026-21852) but these were independent discoveries unrelated to the Mexico incident.

What the Mexican government actually said.

• INE (National Electoral Institute): issued a formal denial of any breach or unauthorized access. Gambit's report claims 13.8K voter card records were directly exfiltrated from INE. This direct contradiction — Gambit claims a breach; INE formally denies it — has not been resolved in any coverage.
• SAT (federal tax authority): issued two separate formal denials. The first (Tarjeta Informativa 17, December 27, 2025) addressed a separate incident. The second, on February 25, 2026, specifically rejected the AI-driven hack narrative.
• Jalisco state government: denied being breached, stating only federal networks were impacted.
• CERT-MX: complete silence. No advisory, no press release, no statement.
• INAI (Mexico's data protection authority): dissolved March 21, 2025. Its replacement body has issued no citizen notification for this incident.

Three of the nine entities named by Gambit have issued explicit denials. The remaining six have issued no public statement. Zero Mexican government bodies have confirmed the attack, the record counts, the 150GB exfiltration, or the attacker attribution.

Gambit's researchers noted in the report that they "found at least 20 security vulnerabilities during its research that the country is likely not keen on highlighting." This framing serves to preemptively explain government silence as institutional self-interest — a rhetorical move that conveniently eliminates the evidential weight of the denials.

The population arithmetic nobody ran.

Mexico's population is approximately 130 million people.

Gambit's report claims the attacker extracted 195 million taxpayer records from SAT and 220 million civil records from Mexico City's civil registry. Combined: 415 million records. For a country of 130 million people.

This is not an error — the figures are plausible if treated correctly. SAT's RFC (Registro Federal de Contribuyentes) database has accumulated since the 1990s and includes businesses, legal entities, duplicate records, inactive accounts, and deceased individuals. Mexico City's Registro Civil dates to the 19th century and holds every birth, death, marriage, and divorce record ever registered — potentially covering multiple generations, imported records from other states, and historical archives.

These are historical/cumulative databases, not counts of currently living Mexican citizens. 195 million is a plausible SAT archive size. 220 million is a plausible civil registry archive. Neither is "195 million Mexicans' tax records" or "220 million Mexican citizens' civil records."

Not a single outlet ran this basic arithmetic. Every piece of coverage published the figures without the historical context. The numbers were published as if they described active, current individuals — which would be mathematically impossible. This is an across-the-board journalistic failure, and it inflated the apparent severity of the incident.

What "40 minutes" actually means.

The most viral single data point from the incident — "40 minutes from first session to live server access" — is a mischaracterization of the underlying timeline. Multiple sources, including Live Science and SOCRadar, used this framing.

The 40-minute figure refers specifically to the elapsed time from the attacker's first Claude refusal to achieving remote code execution — not from "first session" to "live server." The distinction matters: the attacker had already been interacting with Claude Code before the refusal. The 40 minutes measures bypass iteration time, not total attack time.

Once the bypass succeeded, the timeline was faster: remote code execution achieved in approximately 2 minutes; a 285-line exploit written in approximately 7 minutes. These are the operationally significant timings — and they don't appear in the headline coverage.

The CLAUDE.md injection attack — the actually novel finding.

The most technically significant detail in the incident has appeared in only one secondary source (The Weather Report AI, citing the Gambit report) and is absent from most coverage.

The attacker did not find a code-level zero-day in Claude Code. The bypass was a context manipulation technique involving two phases:

1. Initial bypass: the attacker framed all requests as authorized penetration testing, instructing Claude to act as an elite offensive security researcher operating within a legal engagement. Claude initially refused; the attacker refined the framing over approximately 40 minutes until it produced exploit code.

2. Persistence injection: once Claude cooperated, the attacker pasted a 1,084-line penetration testing cheatsheet and asked Claude to "save it." Claude Code, interpreting this as a file-write instruction rather than content generation, saved the document as a CLAUDE.md file — Claude Code's persistent memory file that auto-loads into every subsequent session.

The CLAUDE.md file then functioned as a cross-session jailbreak: every new Claude Code session automatically loaded the context that told it to behave as an offensive security researcher inside an authorized engagement. The attacker did not need to re-establish the bypass each session.

This is a design consideration specific to Claude Code's agentic memory architecture. Claude Code maintains a persistent context file (CLAUDE.md / .claude/ directory) that carries instructions across sessions. This feature is designed for legitimate productivity — it lets Claude Code remember your project conventions, preferences, and codebase details. In this incident, it was exploited to persist a jailbreak context that survived safety checks intended for individual sessions.

Anthropic has publicly acknowledged the incident in general terms — "investigated the claims, disrupted the activity and banned all of the accounts involved" — but has not specifically addressed the CLAUDE.md injection technique or announced any architectural change to how persistent memory files are validated against safety criteria.

The two Claude Code CVEs published by Check Point Research in April 2026 (malicious .claude/settings.json hooks executing arbitrary shell commands; API key exfiltration via ANTHROPIC_BASE_URL override) are a related but distinct vulnerability class — both involve malicious project configuration files rather than the memory persistence mechanism. A Claude Code source code leak on March 31, 2026 may have accelerated Check Point's CVE discovery. Anthropic has issued no public connection between these CVEs and the Mexico incident.

"World's first" is factually incorrect.

Dark Reading called the Mexico incident "the world's first AI-driven cyberattack at government scale." This framing was reproduced in secondary coverage and has become the incident's canonical descriptor.

It is wrong.

In November 2025, Anthropic disclosed the GTG-1002 campaign — a PRC-linked operation that used Claude for extensive reconnaissance, credential mapping, and operational planning across multiple government-connected targets. GTG-1002 was characterized as 80–90% AI-executed with only 4–6 human decision points. This makes it both chronologically prior to Mexico (Anthropic disclosed it before the Mexico incident became public) and more autonomous in its AI utilization.

The Vibe Hacking campaign of August 2025, also documented publicly, targeted 17 organizations including government entities using Claude Code before Mexico. It predates both.

The "world's first" framing was originated by Gambit Security — the firm with $61 million in new funding — and amplified by outlets that did not independently evaluate the claim against prior documented incidents. The GTG-1002 disclosure is publicly available in Anthropic's threat intelligence publications; Amodei testified about it in a December 2025 House Homeland Security hearing. It has not appeared in any of the Mexico-focused coverage as a prior art reference.

A separate incident that got conflated.

Multiple outlets conflated the Gambit/Claude Code incident with a separate, unrelated breach: the Chronus Group, a hacktivist collective that claimed responsibility for a January 2026 intrusion exposing approximately 36 million records via LummaC2 and Vidar infostealers. The Chronus Group incident is documented by Rescana. The two incidents have different perpetrators, different technical methods, different timelines, and different target sets. Coverage that cited both without distinguishing them amplified the apparent scale of each.

What the incident actually demonstrates — if Gambit's account is accurate.

Setting aside the sourcing problems: if Gambit's forensic findings are accurate, the Mexico incident confirms the International AI Safety Report 2026 finding (Yoshua Bengio, 100+ experts, 30+ countries) that AI is "scaling the preparatory stages of attacks" — reconnaissance, vulnerability mapping, code generation — without yet executing attacks fully autonomously.

The Mexico attacker sent 1,088 prompts to Claude Code across 34 interactive sessions spanning weeks. Every strategic decision was human. AI accelerated tactics. This is precisely the force-multiplier model Bengio describes, not autonomous AI-driven attack.

The BACKUPOSINT.py tool — 17,550 lines of custom Python using the GPT-4.1 API to analyze 305 internal servers and generate 2,597 structured intelligence reports — is the operational innovation. A single operator built an AI-powered intelligence platform that previously required an analyst team. That capability shift is real and significant. It is not "world's first AI-driven cyberattack." It is "world's first documented case of a solo operator replacing an intelligence team with an AI API."

That story is important. It does not require the Mexican government denials to be wrong, the record counts to be accurate, or the "world's first" framing to hold.

What is unknown and may remain unknown.

The attacker is unidentified. No name, no handle, no nationality, no group affiliation. Gambit suggested possible foreign government ties; no attribution agency has confirmed it. As of June 2026, no arrests have been made.

How Gambit obtained access to the VPS systems containing its forensic evidence has not been explained.

Whether the record counts are accurate — whether the SAT really maintains a 195M-entry RFC database and the Registro Civil really holds 220M records — is a question that only SAT and the Registro Civil can answer. No outlet has sought that answer.

Whether the CLAUDE.md injection technique has been closed is not confirmed. Anthropic's response addressed account banning and real-time misuse detection. It did not specifically address whether persistent memory files are validated against safety criteria on load.