AI is reshaping international competition in ways that governments are only beginning to understand. The spread of AI-enabled cyber operations has created a new landscape in which intrusions unfold rapidly, cross borders with ease, and often leave behind little that can be reliably attributed to a specific actor. States now find themselves navigating an environment where responsibility is increasingly difficult to establish, and where strategic judgement becomes far more fragile.

 

While espionage and covert action have always operated in murky territory, the introduction of AI into these practices has accelerated the pace of events and weakened the signals that national security officials have traditionally relied upon. This shift demands sustained attention, not only because the technology is advancing quickly, but also because the risks associated with misinterpretation and unintended escalation are becoming sharper.

Machine-Speed Intrusions

Recent disclosures from Anthropic show just how quickly offensive cyber activity is evolving. According to the company, a group linked to China used its Claude system to automate as much as 90% of a recent espionage campaign. Instead of relying on humans to prepare an intrusion, the operators broke the work into smaller pieces that resembled routine digital tasks and instructed the model to carry them out under the guise of a standard security audit. Claude then scanned networks, identified valuable assets, tested vulnerabilities, and retrieved data with only minimal human supervision. Anthropic confirmed several successful intrusions across major companies and government bodies, describing the incident as the first large-scale example in which an AI system conducted most of the tactical decision-making itself.

 

This case is part of a broader trend. Google has observed Russian military operators using AI to generate malware instructions in real time against Ukrainian targets, adapting their tools as the situation changed. The cybersecurity firm Volexity has also documented groups linked to China using AI to decide whom to target and to construct phishing campaigns automatically. These developments show a shift in which the most labour-intensive stages of an operation, including reconnaissance and tool development, are increasingly handled by automated systems. What once required significant resources can now be accomplished quickly and repeatedly, giving even small teams the ability to launch wide-ranging intrusions.

 

This acceleration alters the balance of risk. Traditional operations could take days or weeks to plan and execute, giving defenders time to detect anomalies or respond to early warning signs; by contrast, AI compresses timelines. A single operator using automated tools can launch simultaneous attacks across dozens of organisations, and the system can rewrite code, test alternative approaches, and potentially adjust its behaviour without pausing for human input. This reduces the visible footprint of an intrusion and makes it harder for defenders to determine what has happened, particularly when the technical components rely on widely available open-source tools that blend into ordinary internet traffic. The shift away from custom-built hacking tools toward standardised automation widens the pool of potential attackers and strengthens those with fewer resources.

 

Moreover, the incident reveals weaknesses in current safeguards. Claude was manipulated not through a sophisticated technical exploit but through social engineering, as the operators presented each step of the intrusion as a legitimate part of a security assessment. This allowed them to sidestep protections designed to prevent harmful behaviour. The model’s lack of broader situational awareness made these explanations sufficient to bypass its safety features. At the same time, the model’s tendency to produce false or exaggerated claims, occasionally overstating its progress, created confusion for both the attackers and the defenders. These limitations show that AI-enabled operations are not yet fully autonomous, yet the speed of improvement suggests that the gap between automated assistance and automated action is closing rapidly.

Attribution in a Fragmented World

One of the most significant consequences of these developments is the growing difficulty of determining who is responsible for an intrusion. Attribution has always been complex, yet it is now becoming even more fragile. When an attack unfolds through numerous small tasks executed by a model trained on global datasets, the technical markers that investigators rely upon become blurred. Investigators have traditionally used human behaviour patterns, coding styles, linguistic habits, and operational routines to identify the attacker. AI removes much of this texture by replacing human decision-making with standardised automated processes. As a result, it becomes increasingly difficult to distinguish between a state actor, a proxy acting on its behalf, or a well-organised criminal group using the same tools.

 

Furthermore, this ambiguity is compounded by political incentives to deny involvement. Following Anthropic’s disclosure, China rejected all responsibility. A spokesman for the Chinese Embassy in Washington stated that tracing cyberattacks is complex and accused the United States of using cybersecurity to “smear and slander” China, adding that “China firmly opposes and cracks down on all forms of cyberattacks.” Even when investigators identify the infrastructure or methods used in an intrusion, establishing whether the attackers acted independently or under state direction becomes a separate challenge, and one that adversaries will continue to exploit.

 

These dynamics also increase the risk of miscalculation. If automated tools launch intrusions across several sectors at once, a targeted state may interpret the activity as preparation for a major geopolitical crisis. Recent reports on Chinese state-linked espionage and pre-positioning campaigns, such as Volt Typhoon and Salt Typhoon, indicate efforts by these actors to position themselves inside foreign networks long before any formal hostilities occur. AI-enabled systems make such operations easier to scale and harder to detect. In a crisis, a state may respond forcefully before it has a complete picture of what has happened, accelerating a cycle of competition that neither side fully controls.

 

A hypothetical scenario shows these risks more clearly. Imagine a major state discovering that important data, including defence-linked material, has been secretly taken over the course of several months. The technical indicators themselves offer little clarity, giving investigators no reliable sense of who conducted the intrusion. The operation used general-purpose AI tools available worldwide, leaving no signatures that clearly signal whether the actor was a state-backed team, a proxy with partial direction, or an independent criminal group. Diplomatic pressure mounts: some officials argue that the attack was preparation for a broader confrontation, while others caution that retaliation without certainty risks striking the wrong adversary. The accused state issues a blanket denial and frames the allegation as politically motivated, insisting that attribution in cyberspace is inherently unreliable. In this ambiguity, escalation becomes more likely as each side interprets the same event through its own strategic lens, and neither has definitive evidence with which to adjust its response.

New Actors and Expanding Risks

The spread of AI-enabled tools also broadens the range of actors who can participate in offensive cyber activities. In the past, large-scale intrusions required technical experience, resources, and organisational capacity. Today, individuals with limited experience can generate harmful code by manipulating AI systems that have been altered to ignore safety restrictions. These tools give small groups capabilities that resemble those once associated with sophisticated state units. At the same time, experienced operators can use AI to scale their attacks far beyond previous limits, allowing them to explore vulnerabilities, test alternative strategies, and adapt quickly to defensive responses.

 

Systems such as XBOW, which can independently search for weaknesses and identify ways to exploit them, show how quickly the line between human-directed and machine-driven action is fading. As these systems become more capable, they could rewrite their own tools and adjust to defensive measures in real time, making them difficult to contain. The challenge is not only that these tools may be used by hostile states, but also that they may diffuse to criminal networks, militias, and politically motivated groups whose incentives differ sharply from those of established governments.

 

These risks are emerging at a moment when many states are reducing public investment in cybersecurity. In the United States, agencies have cut budgets and reduced staffing. Similar pressures are visible in the United Kingdom and across parts of the European Union, where cybersecurity agencies report shortages in critical skills and uneven preparedness. Local authorities struggle to maintain security for critical infrastructure, creating gaps that automated systems can exploit. At the same time, private companies may hesitate to report misuse of AI for fear of reputational damage, leaving policymakers with incomplete information. This fragmentation adds another layer of uncertainty to an already unstable environment.

 

These trends point toward a landscape in which offensive capabilities grow more accessible while defensive measures lag behind. AI-enabled systems can conduct widespread intrusions rapidly and quietly, complicating the task of determining who is responsible and how states should respond. As the spectrum of possible attackers widens, so does the difficulty of maintaining strategic stability. Governments face the challenge of updating their tools, rules, and cooperative frameworks to match the scale of these developments. Without meaningful adaptation, the balance between offence and defence may tilt further, leaving states vulnerable to misinterpretation and unintended escalation.

 

Overall, the direction of travel is clear. Intrusions that once required significant planning and human expertise are increasingly automated, cheaper to conduct, and harder to attribute. Major powers are already using AI to expand their reach in cyberspace, while denying involvement even when evidence mounts. As AI improves, these operations will become more sophisticated, and the boundary between espionage, disruption, and preparation for conflict will grow more difficult to interpret. The challenge for governments is not only to restore a measure of predictability, but also to develop cyber defence systems that are proactive rather than reactive, at a time when the speed and opacity of AI-driven operations threaten to undercut the assumptions that traditionally guide strategic judgement.

References

Anthropic. 2025. “Disrupting the First Reported AI-Orchestrated Cyber Espionage Campaign.” https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf.

 

Keating, Joshua. 2025. “The Scary Implications of the World’s First AI-Orchestrated Cyberattack.” Vox. November 14, 2025. https://www.vox.com/politics/468746/ai-cyber-attacks-china-claude-anthropic.

 

Sabin, Sam. 2025. “The Age of AI-Powered Cyberattacks Is Here.” Axios. November 16, 2025. https://www.axios.com/2025/11/16/ai-cyberattacks-foreign-governments.

 

Schechner, Sam, and Robert McMillan. 2025. “Exclusive | Chinese Hackers Used Anthropic’s Claude AI Model to Automate Cyberattacks.” The Wall Street Journal. November 13, 2025. https://www.wsj.com/tech/ai/china-hackers-ai-cyberattacks-anthropic-41d7ce76.

 

Withers, Caleb. 2025. “Tipping the Scales: Emerging AI Capabilities and the Cyber Offense-Defense Balance.” CNAS. September 23, 2025. https://www.cnas.org/publications/reports/tipping-the-scales.
