The First AI-Run Ransomware Attack Was Real — But a Human Was Still Pulling Strings

Security researchers made headlines last week with what they described as the first documented case of an AI agent independently executing a ransomware attack from start to finish — no human at the keyboard, no human oversight. The reality, it turns out, is a little more complicated than that.
The operation, which cloud security firm Sysdig has named JadePuffer, is still a genuinely significant development in the threat landscape. An AI agent broke into a vulnerable server, stole credentials, moved laterally through a network, encrypted more than 1,300 configuration records, and composed its own ransom note — complete with a Bitcoin address for payment. It adapted to obstacles along the way, fixed a failed login attempt in 31 seconds, and narrated its own reasoning in natural-language comments throughout the process.
But when Sysdig’s senior director of threat research, Michael Clark, spoke to CyberScoop earlier this week, he clarified something the initial coverage had glossed over: a human was involved. They just weren’t the ones doing the technical work.
What the human actually did
According to Clark, the person behind JadePuffer chose the victim, set up the command-and-control infrastructure, provisioned the staging server used to store stolen data, and — critically — supplied the database credentials the agent used to gain its initial foothold. Those credentials were not harvested by the AI during the attack. They came from a separate, prior compromise and were handed to the operation before it began.
None of this invalidates Sysdig’s original findings. The technical execution was handled by the agent. But the framing of the attack as running entirely without human involvement overstated what the evidence actually shows.
How the attack unfolded
The agent gained entry through a known vulnerability in Langflow, a widely used open-source tool for building applications powered by large language models. From there it moved to a production MySQL server, exploited a second known flaw to obtain administrator access, and swept the compromised host for anything of value — API keys for AI providers including OpenAI, Anthropic, DeepSeek, and Gemini, along with cloud credentials, cryptocurrency wallets, and database configurations.
Early reporting suggested those harvested provider keys might indicate that multiple AI models were actively involved in different stages of the attack. Clark clarified to TechCrunch that this was not the case. The keys were part of what the agent stole, not evidence of what was running it.
“They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions,” Clark said.
On that question, Sysdig was unable to identify the specific model driving JadePuffer and has no visibility into its system prompt or configuration.
What researchers think is actually running these attacks
Microsoft researcher Geoff McDonald offered a theory on LinkedIn that is worth considering in this context. Based on his own red-teaming experience, McDonald suspects the attack was powered by an open-weight model with safety training removed, rather than a frontier model from a major lab — noting that the safety layers built into frontier systems tend to hold up well against this kind of misuse.
Sysdig’s findings neither confirm nor rule that out.
McDonald also raised a broader concern: that AI-powered ransomware campaigns are now constrained primarily by attacker budget rather than human effort, opening the door to thousands of simultaneous operations running in parallel. That scenario becomes somewhat harder to picture given Clark’s account of the human involvement still required — choosing each victim, building infrastructure, and obtaining credentials for every target represents a real bottleneck, at least for now.
Clark acknowledged that Sysdig has not yet seen JadePuffer strike other victims. But given how cheaply an agent can be operated once the setup is in place, he expects that to change.
Why it still matters
JadePuffer may not be the fully autonomous, human-free cyberattack it was initially portrayed as. But the gap between what it was and what it will become may be narrower than the clarifications suggest. The infrastructure exists. The techniques, while not sophisticated, worked. The speed at which the agent operated — and its ability to reason through obstacles and document its own process in real time — points to a direction of travel that security teams cannot afford to ignore.
The human behind JadePuffer still had to make choices. The question is how many of those choices will eventually be delegated to the agent as well.