Last week, researchers at cloud security company Sysdig announced they had documented the first known case of “agent-based ransomware.” This was an extortion operation called JadePuffer, in which an AI agent, rather than a human, was responsible for the technical execution of a real-world cyber attack from start to finish. The agent infiltrated vulnerable servers, stole credentials, moved through the target’s network, encrypted files, and even wrote its own ransom note, adapting to obstacles along the way like a human hacker. Funding reports describe the fund as operating with “no human oversight” and “no human sitting at the keyboard.”
That’s not the complete picture. In an interview with CyberScoop on Monday, Michael Clark, senior director of threat research at Sysdig, made it clear that humans are still heavily involved in technical execution. “Humans still set up and directed the operation, provisioned the infrastructure behind it, the command and control servers, the staging servers used for the stolen data, and selected the victims,” Clark said. He added that the credentials used to infiltrate the victim’s database were not collected by the AI agent itself. Someone obtained them separately by prior compromise and handed them over to the operation.
None of this contradicts Sysdig’s original claims, and the technical details of the attack are remarkable and even bleak in their own right. The agent gained entry via a known bug in Langflow, a popular open source tool for building LLM apps, and then moved to production MySQL servers and gained administrative access by exploiting another known flaw. It not only encrypted over 1,300 configuration records and left a self-written ransom note, but also a Bitcoin address where the ransom could be sent. Sysdig did not say who was targeted.
The technique was obviously quite ordinary, but what stood out was its speed and transparency. The agent fixed the failed login in 31 seconds, explaining its own reasoning with natural language code comments along the way.
One detail that initially seemed to obscure the situation has since emerged. Clark told CyberScoop that Sysdig discovered that “multiple models were used in the attack,” citing collected keys from OpenAI, Anthropic, DeepSeek, and Gemini. This language left open the question of whether multiple models were actively powering different stages of the invasion. Asked for clarification, Clark told TechCrunch that these keys were simply part of what the agents stole, not evidence of what was driving them.
“Agents wiped out Langflow hosts for valuables such as provider API keys, cloud credentials, cryptocurrency wallets, and database configurations, and those provider keys were part of the loot,” he said in an email. “These show us what the attacker thought was worth acquiring, but we don’t know which model made the decision.”
As for the model actually running JadePuffer, Clark said Sysdig was “unable to determine the specific model driving the agent” and was unable to see its system prompts or configuration.
Microsoft researcher Geoff McDonald’s theory, offered on LinkedIn a few days ago, is worth revisiting in this light. Based on his own Red Team experience showing that Frontier Labs’ security layer was working well, MacDonald suspected that an open-class model, stripped of safety training, was behind the attack rather than the Frontier model. Sysdig’s own account neither confirms nor denies that.
McDonald’s post also warned that ransomware campaigns are now primarily limited by the attacker’s budget rather than human effort, increasing the likelihood of “thousands or tens of thousands of simultaneous campaigns.” This concern is a little difficult to reconcile with what Clark said on Monday. (At least it becomes a bit of a bottleneck if a human still has to select each victim, provision the infrastructure, and obtain database credentials for every operation.)
In any case, Clark told CyberScoop that Sysdig hasn’t seen the same operation hit other victims yet, but he expects that to change given how cheap it is to hire agents.
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.
