Sysdig’s Threat Research Team last week documented what is to be the first known agentic ransomware operation, known as JadePuffer, involving an AI-driven extortion chain against an exposed instance of LangFlow open-source code. JadePuffer, a ransomware style operation, used an AI agent to carry out much of an intrusion chain, from reconnaissance and credential work to lateral movement, database encryption and even ransom note generation.
Humans chose the victim, supplied credentials and set up the attack infrastructure, but instead of human collaborators, AI was used as a trusty, fast, tireless cybercrime assistant. JadePuffer shows that while fully autonomous AI hackers have not yet arrived, agentic AI is starting to automate the grunt work of ransomware. For enterprise leaders, this is a serious development. Cybercrime can now be automated with smarter assistants, lower costs, faster execution and fewer skilled people involved at each step.
How AI Is Accelerating Cybercrime Speed
Think of JadePuffer in simple terms, similar to a house break-in. In this case, a burglar picked the house, gets theJadePuffer, a ransomware style operation, used an AI agent to carry out much of an intrusion chain, from reconnaissance and credential work to lateral movement, database encryption and even ransom note generation. entry code and brings the truck. Once inside, the burglar sends in a robotic assistant that races through the rooms, checks drawers, copies keys, locks cabinets and writes a demand note asking for money to unlock the data. The human still directs the crime, but the AI agent does much of the repetitive technical work that used to require patience, expertise and time at the keyboard.
Ransomware has always been a business model with many jobs. Someone needs to find access and steal credentials. Someone studies the network and decides what data matters. Someone encrypts files or threatens disclosure. Then comes the demand and negotiation. Agentic AI adds value by replacing that someone in almost every step of that chain. Even replacing the slowest and tedious middle steps may be enough.
JadePuffer’s techniques were not exotic. Techcrunch’s reporting called them fairly ordinary. The agent used known bugs, hunted for credentials, moved toward a database and left behind an extortion note. Sysdig said the payloads contained natural language reasoning, target ranking and comments that resembled the way AI generated code explains itself.
That is an important detail for cyber defenders. Human operators often hide their intent, but AI agents may leave a strange paper trail as they reason through commands and attack attempts. While now the AI systems are somewhat noisy, security teams should not count on that advantage lasting. Future versions may be quieter, less verbose and harder to separate from normal automation.
Reducing Visibility and Cost of Attacks.
TechCrunch reported that Sysdig could not identify the exact model behind JadePuffer and did not have visibility into the system prompt or configuration. The system swept up API keys for OpenAI, Anthropic, DeepSeek and Gemini, but Sysdig clarified that those keys were loot, not proof that any of those models powered the attack.
However, now with locally hosted, open weight models available such as Deepseek and GLM, the concern is that cloud-based model trails might not be visible at all. Cloud-hosted frontier models can leave a trail. Model providers can see account activity, usage patterns, prompts, tool calls and other telemetry that may help them detect abuse, suspend accounts and share threat intelligence. OpenAI says its threat reports draw on its view of how actors try to abuse AI models, often in combination with other platforms and tools. Anthropic has reported banning accounts and tightening filters after detecting attempts to use Claude for phishing emails, malicious code and safeguard bypasses.
However, locally hosted open weight models change that equation. If an attacker runs a capable model on local machines, rented GPUs, compromised infrastructure or their own hardware, there may be no OpenAI, Anthropic or Google account to shut down. There may be no provider prompt history to subpoena, no cloud model log to review and no centralized safety filter sitting between the operator and the output. The visibility shifts back to the victim’s network, the attacker’s infrastructure and whatever artifacts the agent leaves behind. In JadePuffer, Sysdig caught useful traces because the payloads were self narrating and included natural language reasoning, target ranking and unusually verbose comments. Future operators may tell their agents to be quieter.
The cost side may be just as important as the visibility side. CSIS wrote in July 2026 that recent Chinese models are close enough to frontier systems to compete in many real world tasks, naming GLM, DeepSeek, Qwen and Kimi among the models closing the gap with U.S. systems. That means attackers increasingly have more choices, lower switching costs and less need to rely on heavily monitored commercial APIs.
There is already public evidence that cybercriminals are experimenting with these tools. Check Point Research reported in 2025 that criminals were sharing jailbreak prompts for DeepSeek and using ChatGPT, Qwen and DeepSeek together to troubleshoot and optimize scripts for mass spam distribution. This shows that threat actors are treating these models as part of the cybercrime workbench.
Growing Use of AI in Cyber Attacks
The UK National Cyber Security Centre warned in January 2024 that AI would almost certainly increase the volume and impact of cyber attacks over the next two years. Its assessment said AI lowers the barrier for novice cyber criminals, hackers for hire and hacktivists to carry out access and information gathering work, which would likely feed the global ransomware threat.
Agentic systems can search documentation, write code, debug errors, classify stolen files and generate ransom messages. Anthropic has already described abuse cases that point in the same direction. In August 2025, the company said it disrupted a cybercriminal who used Claude Code in a large data extortion operation that hit at least 17 organizations. Anthropic said the tool was used to automate reconnaissance, credential harvesting and network penetration, and that ransoms sometimes exceeded $500,000.
The company’s November 2025 report on an AI orchestrated espionage campaign said a human operator still selected targets and supplied direction, but the AI performed much of the work, including reconnaissance, exploit code writing, credential harvesting and data review. It made mistakes too. It hallucinated credentials and claimed to extract secrets that were public.
AI App Servers Are Now Part Of The Attack Surface
The JadePuffer case should also make companies look harder at the AI systems they are adding to production networks. Langflow and similar tools are useful for building agent workflows, and as a result they may also sit near secrets, cloud keys, model provider tokens, databases and internal services.
Sysdig said JadePuffer entered through an internet exposed Langflow instance by using CVE 2025 3248, a missing authentication flaw in the code validation endpoint that allowed unauthenticated Python execution on the host. Once an attacker can run code on a host like that, then it’s just a matter of what the host can reach.
For companies racing to deploy AI systems, this is an uncomfortable point. With AI projects and vibe-coded systems dependent on third party code, systems can rapidly become vulnerabilities. Agentic ransomware punishes the “move fast and break things” approach to AI. The agent does not need a zero day attack if an exposed tool holds secrets and can reach a production database.
With the advancement of powerful models such as Anthropic’s Mythos and Claude 5.6 and evidence of real-world attacks, it’s clear that we’ve already crossed a threshold when it comes to AI and cybersecurity. Companies should ask which AI development tools are reachable from the public internet. They should ask where model provider keys, cloud credentials and database passwords are stored. They should ask which service accounts can reach production data and why. They should ask whether a compromised AI app server can talk to databases, internal admin panels or storage buckets.
They should also ask whether their security teams can spot machine behavior before it’s too late. A human operator might test a login, pause, read an error and try again. JadePuffer went from a failed login to a working fix in 31 seconds, according to Sysdig and TechCrunch. Detection rules built for human speed may miss agent tempo.
Now that agentic systems can make extortion work cheaper, and already there’s real world evidence of this happening, mass automated, AI-powered ransomware attacks will become more common. The warning from the JadePuffer attack is that it needed less human labor than the old model. In ransomware, less labor usually means more crime.


