The Only Witness to the 'World's First AI Government Hack' Is the Company That Raised $61 Million to Say It Happened. The Report Has Since Been Removed.

In late February 2026, a single Israeli cybersecurity startup named Gambit Security published a report claiming a solo threat actor had used Claude Code and GPT-4.1 to breach nine Mexican government agencies, extracting 195 million taxpayer records and 220 million civil records. The story ran in 50+ outlets within 72 hours. Dark Reading called it 'the world's first AI-driven cyberattack at government scale.' There is one problem: Gambit Security published its report on the same day it emerged from stealth with a $61 million seed and Series A funding announcement. The full technical report, released six weeks later, was subsequently removed from Gambit's public blog. Every data point in every outlet — the 195M figure, the 220M figure, the 40-minute timeline, the 75% statistic, the 17,550-line tool — traces to a single private firm with a financial interest in the narrative. No Mexican government agency has confirmed the breach. INE formally denied it. Two SAT denials are on record. No independent security firm has corroborated Gambit's forensic findings. The combined record totals (415M) exceed Mexico's population of 130 million with no explanation in any coverage. The 'world's first' framing is also factually incorrect: a PRC-linked campaign (GTG-1002) that Anthropic disclosed in November 2025 preceded the Mexico incident and was more autonomous. Separately, there is one genuinely novel technical finding buried in the coverage — a CLAUDE.md context injection attack that represents a real and unaddressed agentic AI attack surface.