Anthropic study finds 67% of malicious actors used Claude to write malware over the past year

Anthropic on June 3 published a year-long study of how malicious actors have used Claude, examining 832 accounts the company banned for cyber abuse between March 2025 and March 2026. The headline finding: more than two-thirds of those actors used the model to help write malware, and the share of actors that Anthropic's internal risk-scoring system classifies as medium-risk or higher grew roughly 1.7x across the year. The findings were released alongside companion data shared in Verizon's 2026 Data Breach Investigations Report, mapped to the MITRE ATT&CK framework.

What's new

• A first-party year-long misuse data set. Anthropic studied 832 accounts it banned for malicious cyber activity between March 2025 and March 2026.
• A concrete malware-assistance number. "The most common AI-enabled activities in our database related to preparing for a cyberattack, such as writing malware (560 of the 832 accounts we studied, or 67.3%, used AI for this purpose)."
• A trend line showing the threat is escalating. "In the first six-month period of our analysis, 33% of actors were classified by our risk-scoring system as medium risk or higher. But by the second six-month period, that share had jumped to 56% — a roughly 1.7-fold increase."
• A shift in where in the attack chain AI is being used. "Across the period we studied, attackers' use of AI shifted from techniques to gain initial access to a system towards activity carried out once they were inside the system."
• A mapping of the observed behavior to MITRE ATT&CK, the industry-standard adversary-behavior taxonomy maintained by MITRE.

Context

Anthropic has been publishing periodic misuse and threat-intel write-ups for over a year — including the original Project Glasswing launch and the May 22 Glasswing update — but until now most of those write-ups were qualitative case studies of individual operations. This report is the first time the company has published an aggregate, year-over-year picture of how actors who try to abuse Claude are evolving.

Releasing the work alongside Verizon's DBIR is significant by itself. The DBIR is one of the most-cited annual cybersecurity reports — a benchmark threat-intel publication that defenders treat as a baseline for budgeting and prioritization. Anthropic getting its findings into the 2026 edition pulls model-misuse data into the same conversation as ransomware actor playbooks and phishing dwell times.

The ATT&CK mapping matters because it makes Anthropic's data actionable for defenders. ATT&CK tactics and techniques are how security operations centers describe what an attacker is doing; if Anthropic can tell defenders "these are the ATT&CK techniques where attackers are increasingly leaning on LLMs," SOC teams can prioritize detections accordingly.

Why it matters

The 1.7x growth in higher-risk actors is the most consequential number in the report. It contradicts the comforting narrative that model-level safety guardrails on the frontier labs are holding the line on offensive use. Whatever progress Anthropic's classifiers have made, the population of actors trying to use Claude offensively is getting more capable, more determined, and is succeeding far enough to warrant a 832-account ban list and a published study.

The shift from "initial access" to "post-compromise" activity is the second important signal. It suggests attackers are no longer just using LLMs to write phishing emails and find vulnerabilities at the front door — they are using them to maintain access, move laterally, and exfiltrate. That is a more sophisticated, more damaging stage of an intrusion, and one where defenders have historically had less help from off-the-shelf tooling.

For enterprise buyers and AI policy regulators, this report adds primary evidence to a debate that has largely run on anecdote. For competitors — OpenAI, Google DeepMind, Microsoft AI, xAI — it sets a transparency bar. If Anthropic is publishing a year-over-year malicious-use baseline alongside the DBIR, the others will be asked why they are not.