AI-powered cyber attack on government agencies highlights New Zealand's cybersecurity gap

One Hacker With AI Breached 9 Government Agencies. New Zealand Isn't Ready.

A single hacker with Claude and ChatGPT breached 9 Mexican government agencies. NZ's own spy agency says our critical infrastructure is barely at foundational level. Same gaps, same risk.

A single threat actor used Anthropic’s Claude Code and OpenAI’s GPT-4.1 to compromise nine Mexican government agencies and steal hundreds of millions of citizen records. One person. Two AI tools. Nine agencies. Months of access.

It’s the most documented case yet of AI being used not just to plan an attack, but to execute it in real time. And if it happened to Mexico, it can happen here — because New Zealand’s government cyber defences are, by its own spy agency’s admission, barely at foundational level.

🤖 How the Attack Worked

Gambit Security’s full technical report, released after affected agencies completed their incident response, reveals a campaign that ran from late December 2025 through mid-February 2026.

The attacker didn’t use zero-days or nation-state tools. They used consumer AI products:

  • Claude Code generated and executed approximately 75% of all remote commands during the intrusion
  • Across 34 active sessions on live victim infrastructure, the hacker logged 1,088 individual prompts
  • Those prompts translated into 5,317 AI-executed commands — Claude wasn’t just assisting, it was operational
  • GPT-4.1 was used for rapid reconnaissance via a custom 17,550-line Python script that piped raw data through the OpenAI API
  • The automated system analyzed information across 305 internal servers, producing 2,597 structured intelligence reports
  • The hacker used AI to develop 20 tailored exploits targeting 20 specific CVEs in hours, not weeks
  • Total attack scripts recovered: 400+

A single operator processed an intelligence volume that would traditionally require an entire team. AI turned unfamiliar networks into mapped targets in hours instead of days.

🪤 The Vulnerabilities Were Basic

Here’s the part that should worry every government CIO reading this: despite the sophisticated AI integration, the actual vulnerabilities exploited were highly conventional.

The targeted agencies had basic security gaps. Unpatched software. Poor credential hygiene. Insufficient network segmentation. The same vulnerabilities that exist in government infrastructure worldwide — including New Zealand’s.

As Gambit Security noted: the defense strategy remains rooted in foundational security practices. Patch your software. Rotate credentials. Segment your networks. Deploy endpoint detection. The basics.

🇳🇿 New Zealand’s Cybersecurity Gap

If that sounds familiar, it should. New Zealand’s own agencies have been sounding the same alarm — and getting the same inadequate response.

GCSB Director-General Andrew Clark told a select committee in March 2026: “Unfortunately, there are pockets, including in our critical infrastructure, where that cybersecurity is barely meeting that foundational level that we would expect.”

That’s the head of NZ’s spy agency saying some critical infrastructure is barely at foundational level — the same level the Mexican hacker exploited with basic vulnerabilities.

The problems stack up:

  • NZ’s cybersecurity strategy was 6 years out of date — the 2019 strategy predated generative AI and ChatGPT entirely. It was finally replaced in March 2026
  • Treasury reported that government data was “being managed or held by unvetted third parties” — vendors had offshored services without approval
  • NZ’s small market means low competition and high reliance on the same few vendors — creating a single point of failure across the public sector
  • Treasury’s own investment system doesn’t recognize ongoing cybersecurity costs, making it “difficult to modernise and improve cyber security”
  • Government IT procurement was called “outdated and fragmented” — six years after being told to go all-of-government
  • The Auditor-General found most public organisations had higher residual cyber risk than their own stated risk appetite
  • MediMap and Manage My Health breaches already exposed sensitive patient data in NZ
  • NZ is four years behind Australia on critical infrastructure protections

When the GCSB was asked under the Official Information Act about the unvetted third parties holding government data, they took 120 working days to respond (6x the legal limit of 20) — then refused to answer virtually all the questions.

A threat counter for New Zealand recently “clicked over one billion.”

⚡ The AI Multiplier

The Mexican breach demonstrates what security researchers have been warning about: AI doesn’t create new attack vectors — it industrializes existing ones.

A single hacker with AI tools:

  • Commanded 5,317 actions across live infrastructure
  • Analyzed 305 servers and produced 2,597 intelligence reports
  • Developed 20 exploits targeting specific vulnerabilities
  • Operated below detection windows by compressing attack timelines

This is the force multiplier that changes the math. You no longer need a team to breach government infrastructure. You need one person, two AI subscriptions, and basic security gaps to exploit.

New Zealand has the basic security gaps. That’s not speculation — it’s the GCSB’s own assessment.

🔍 THE BOTTOM LINE

A single hacker with Claude and ChatGPT did what used to require a team — and they did it by exploiting basic security flaws, not zero-days. New Zealand’s GCSB says our critical infrastructure is “barely” at foundational level. The Auditor-General says most public orgs carry more cyber risk than they’re comfortable with. Government data sits with unvetted third parties. The cybersecurity strategy was six years stale. We have the same gaps Mexico had — and now the force multiplier exists to exploit them at scale. The defense is still the basics: patch, rotate, segment, detect. But when the GCSB can’t even answer basic questions about who’s holding government data, the basics aren’t getting done. One hacker. Two AI tools. Nine agencies. How many would it take here?


Sources

  • Cybersecurity News: “Hacker Uses Claude and ChatGPT to Breach Multiple Government Agencies” (April 12, 2026)
  • Gambit Security: Full technical report on Mexico government breach
  • RNZ: “Spy agency warns NZ’s cybersecurity barely up to scratch” (March 5, 2026)
  • RNZ: “Government data being held by unvetted third parties” (2026)
  • NZ Office of the Auditor-General: “Mind the gap: Governing cyber security risks” (2025)
  • NZ Treasury: Quarterly investment reports (2024-2025)
  • NCSC NZ: Cyber Threat Report 2025