Last week, researchers at cloud security firm Sysdig said they had documented the first known case of “ransomware agent.” It was an extortion operation, dubbed JadePuffer, in which an AI agent—not a human—handled the technical execution of a real-world cyberattack from start to finish. The agent hacked into a vulnerable server, stole credentials, moved through the target’s network, encrypted files and even wrote his own ransom note, adjusting obstacles along the way as a human hacker would. Funding coverage described it as having “no human oversight” and “no human at the keyboard.”
It’s not exactly that full picture. In one interview on Monday with CyberScoop, Sysdig’s Michael Clark, the company’s senior director of threat research, clarified that a human is still very much involved — just not in the technical execution. “One person still set up and demonstrated the operation and provided the infrastructure behind it, the command and control server, the staging server that was used for the stolen data and chose a victim,” Clark said. The credentials used to enter the victim’s database, he added, were not collected by the AI agent itself. someone acquired them separately, with prior compromise, and delivered them to the business.
None of this contradicts Sysdig’s original claim, and the technical details of the attack remain remarkable in their own right – even wild. The agent entered through a known bug in Langflowa popular open source tool for building LLM applications, was then ported to a production MySQL server and exploited another known flaw to gain administrator access. He encrypted over 1,300 configuration records and not only left behind a self-written ransom note, he left a Bitcoin address where the ransom could be sent. Sysdig did not disclose who the target was.
The techniques were quite ordinary obviously, what stood out was the speed and transparency. The agent fixed a failed connection in 31 seconds, narrating his reasoning in natural language code comments along the way.
A detail that initially seemed to cloud the picture has since been clarified. Clark had told CyberScoop that Sysdig found that “multiple models were used in the attack,” citing key harvesting for OpenAI, Anthropic, DeepSeek, and Gemini — language that left open the question of whether multiple models were actively fueling different stages of the attack. Asked to clarify, Clark told TechCrunch that those keys were just part of what the agent stole, not evidence of what drove it.
“The agent scanned the Langflow host for anything of value — provider API keys, cloud credentials, cryptocurrency wallets and database configurations — and those provider keys were part of the theft,” he said via email. “They are indicative of what he thought the striker was worth getting, but they don’t tell us which model was making the decisions.”
Regarding the model actually running JadePuffer, Clark said Sysdig was “unable to determine the specific model running the agent” and has no visibility into its system prompt or configuration.
Microsoft researcher Geoff McDonald’s theory, offered on LinkedIn several days ago, it’s worth revisiting in that light. MacDonald suspected that an open-weight model with stripped-down security training was behind the attack, rather than a border model, based on his own experience with the team showing that border labs’ security layers hold up well. Sysdig’s own account neither confirms nor rules it out.
McDonald’s post also warned that ransomware campaigns are now limited primarily by attackers’ budgets rather than human effort, raising the possibility of “thousands or tens of thousands of simultaneous campaigns.” That concern is a little harder to square with what Clark described Monday. (If a human still has to select each victim, provision infrastructure, and obtain database credentials for each operation, that’s at least one hurdle.)
Either way, Clark told CyberScoop, while Sysdig has yet to see the same business hit other victims, given how cheap it is to run an agent, he expects that to change.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
