The numbers from the Mexican government breach read like a nation-state operation: 150 gigabytes of exfiltrated data, 195 million taxpayer records, voter rolls, and government employee credentials siphoned across nine federal and state agencies over five weeks. The twist? According to Gambit Security's forensic analysis, this was not a state-sponsored campaign. It was one solo operator with two commercial AI subscriptions, a jailbroken chatbot, and stubborn persistence.
How the Mexican Government Got Pwned With a Subscription
Between December 2025 and January 2026, an attacker ran more than 1,000 prompts through Claude Code—jailbroken into role-playing a legitimate bug-bounty researcher—and pointed it at targets including SAT (the federal tax authority), INE (the National Electoral Institute), and state governments in Jalisco, Michoacán, and Tamaulipas. When Claude refused on safety grounds, the operator switched to GPT-4.1 as a backup. The result: at least 20 vulnerabilities exploited across government infrastructure, with publicly named entities confirming unauthorized access. Gambit Security's forensic report explicitly notes no nation-state backing, no custom malware, and no observable ties to foreign intelligence—just a subscription and a jailbreak prompt.
AI Did Not Invent New Attacks. It Collapsed the Cost of Old Ones
This is the pattern that gets lost in both utopian security coverage and apocalyptic AI-hacking headlines. The attack catalogue here is not novel. Oracle manipulation, governance capture, social engineering, credential harvesting—these have been money-makers since before mass AI adoption. What changed is the labor required to execute them. An elite Solidity auditor runs roughly $25,000 per engineer-week by procurement benchmarks. Running a frontier model against the same surface coverage costs about $1.22 per contract in API tokens, per Anthropic's own published figures—and that cost is falling 22% every two months with each model generation.
The Expertise Floor Collapsed in Both Directions
Perry, Srivastava, Kumar, and Boneh published the canonical study at ACM CCS in 2023: 47 Stanford participants using AI-assisted coding produced less secure code on four of five tasks while simultaneously believing their work was more secure. The floor falls two ways at once. Producers ship more vulnerabilities. Attackers spot them faster. The Mexican government operator was not an exploit developer—he was a prompt engineer who figured out how to make a chatbot pretend to be a bug-bounty researcher and pointed it at high-value targets.
Crypto as the Only Place We Can Count This
Anthropic's SCONE-bench, published December 1, 2025, scanned 405 smart contracts and successfully exploited 207 of them (51.11%), yielding more than $550 million in simulated theft revenue. On a held-out subset of 34 contracts deployed after the model's training cutoff—meaning genuinely novel vulnerabilities—the exploit rate hit 55.8% with up to $4.6 million in potential stolen funds across Claude Opus 4.5, Sonnet 4.5, and GPT-5. The trajectory is stark: from roughly 2% to nearly 56% on post-cutoff vulnerabilities in twelve months.
Defense Has an Expertise Gate That Offense Does Not
Daniel Stenberg, lead maintainer of curl—one of the most thoroughly audited C codebases in existence—recently tested Anthropic's Mythos model through the Linux Foundation's Alpha Omega program. The result: 178,000 lines scanned, five vulnerabilities reported, three false positives, one ordinary bug, and one small CVE scheduled for the next release. Stenberg's verdict was direct: 'The big hype around this model so far was primarily marketing.' AI defense tools require expert humans to triage output at roughly an 80% false-positive rate on marketed claims. AI attack tools do not.
Key Takeaways
- The Mexican government breach is the largest known single-operator data exfiltration in that country's history, executed with two subscriptions and persistence—no nation-state involvement detected
- Anthropic's SCONE-bench shows post-training-cutoff exploit rates hitting 55.8%, with per-exploit token costs falling 22% every model generation
- AI defense tools face an expertise gate: expert triage is required to separate signal from noise at high false-positive rates; attack tools do not have this constraint
- Crypto remains the only domain where offense/defense dynamics under AI uplift can be measured in real money with full adversarial transparency
The Bottom Line
AI did not break the security floor. The floor was never knowledge—it was always a price tag on attacker labor, and now that price is a subscription fee. The Mexican government case proves this in production against critical infrastructure. Crypto gives us the only public ledger where we can watch this dynamic play out at scale in real money. Everyone else is flying blind.