Summary

• Divide and conquer: Cyberattackers can evade detection by splitting their prompts across separate AI sessions and providers.

• Case in point: In November 2025, Anthropic reported that a Chinese state-sponsored group used this approach against Claude to conduct a large-scale cyber espionage operation.

• Follow the money: US anti-money laundering has long addressed a similar problem: harmful intent becomes visible only when it is aggregated across institutions.

• Recommendations: The Department of Homeland Security should pilot cross-provider identity linkage, while Congress should legislate a safe harbor for information sharing.

In November 2025, Anthropic disclosed that a Chinese state-sponsored group used Claude Code to conduct cyberattacks against roughly 30 global targets.

The operators distributed objectives across multiple chat sessions, so that no individual session was a clear instance of misuse. Anthropic was able to uncover the campaign because every session ran through its platform, giving it visibility of the entire attack chain.

However, attackers may not always use the same AI providers. In February 2026, Google’s Threat Intelligence Group identified an underground service called ‘Xanthorox’, which routes illicit prompts across both commercial and open-source AI products.

Breaking a malicious task into individually benign steps is known as a decomposition attack, and is a central problem for AI misuse. If adversaries weaponize AI across multiple chat sessions or AI providers, they become much harder to detect.

Recent research found that these attacks could bypass GPT-4o’s safeguards with an 87 percent success rate, compared to just 21 percent without decomposition. While the same research showed that lightweight monitoring by AI providers can be effective, this becomes more difficult when prompts are spread across multiple providers.

In the post-Mythos era, and when AI cyber capabilities could be doubling as fast as every 4.7 months, new policies are urgently needed to detect decomposition attacks.

Lessons from anti-money laundering

The anti-money laundering regime addresses a problem with a very similar structure. Individual financial transactions may look legitimate, but harmful intent becomes visible only when they are aggregated across institutions and time.

The US Bank Secrecy Act requires financial institutions to file Currency Transaction Reports for cash transactions exceeding $10,000 and Suspicious Activity Reports when they identify potential criminal conduct. Both flow to the US Treasury’s Financial Crimes Enforcement Network (FinCEN), which identifies patterns no single institution could detect alone.

Decomposition attacks could be addressed in a similar way: through cross-provider reporting to a central aggregator.

Recommendations for DHS

The US AI Action Plan of July 2025 proposes an AI Information Sharing and Analysis Center (AI-ISAC), led by the Department of Homeland Security (DHS). Officials are currently working through how to structure the ISAC.

As a first step to address decomposition attacks, DHS could convene a pilot project on identity linkage with two or three major AI providers, to inform the AI-ISAC’s eventual framework.

The pilot would test whether sessions across providers can be tied to a common identity. It would also develop the supporting infrastructure: standardized reporting for prompt metadata and methods for reviewing chats without exposing user identities.

Strengthening Cybersecurity of Frontier AI Model Companies and Their Supply Chains via DoD Procurement

Kathrin Gardhouse

·

May 6, 2025

Read full story

In the anti-money laundering regime, know-your-customer rules require banks to verify account holders’ identities. Mirroring this approach, the pilot could use payment details that AI providers already collect for subscription tiers and API access. DHS could ask participating AI companies to link billing addresses to user payments. This would reduce the scope for adversaries to open multiple accounts with stolen card details.

Importantly, the pilot would need to think through the privacy implications from the outset. The US Supreme Court has held that aggregated metadata may merit Fourth Amendment protection. One solution would be to pseudonymize all user data sent to the aggregator, with AI providers revealing users’ identities only after suspected misuse.

Recommendations for Congress

For AI providers to share the information needed to detect decomposition attacks, they will need to be confident they will not run afoul of privacy or antitrust rules.

Congress should legislate a statutory safe harbor for cross-provider sharing on AI cyber misuse.

This could mirror the USA PATRIOT Act: AI providers could share linkage information directly with each other, with the AI-ISAC initially acting as a registrar of participants rather than a central database of users.

The easiest way to enact this legislative reform would be to fold it into the reauthorization of the Cybersecurity Information Sharing Act of 2015, which already exempts companies that share such information from antitrust liability. The safe harbor should cover both bilateral provider-to-provider sharing and reporting to the AI-ISAC. The Act is due to expire in September 2026, which gives Congress a clear opportunity to add these protections.

Of course, removing antitrust friction may not create a sufficient incentive for companies to share information. Indeed, ISACs have varying degrees of buy-in.

A more complex, but possibly necessary, legislative reform would be to mandate that frontier AI providers submit ‘Suspicious Interaction Reports’.

Such reports could be modeled on Suspicious Activity Reports under the Bank Secrecy Act. A report would be triggered when an AI company flags a session for indicators of cumulative harmful intent: code mapped to documented attack techniques, obfuscation patterns, or repeated attempts to circumvent security controls.

Instead of providing the chat itself, reports could contain pseudonymized metadata and flagged features. These would allow the AI-ISAC to link flagged sessions across providers without revealing user identity. The AI-ISAC could compare incoming reports and publish anonymized advisories in a similar way to FinCEN Advisories.

Two potential objections

Anti-money laundering regimes have been criticized for intercepting a tiny fraction of illicit money flows while imposing billions in compliance costs. Why would the same playbook have better success in preventing decomposition attacks?

One reason is that the proposed framework would use automated pseudonymized reporting, rather than the labor-intensive review that drives much of anti-money laundering compliance. More importantly, the framework’s primary value is the evidentiary base it creates for post-hoc investigation rather than real-time detection.

The second objection is that determined adversaries will migrate to locally-hosted open-weight models that authorities cannot observe. After all, open-weight models may be only three months behind closed-weight ones.

Self-hosting such models for sophisticated cyber operations still requires significant compute. An identity-linking framework would raise the cost of using frontier companies’ data centers for malicious purposes and capture many less sophisticated adversaries.

The window is open now

The use of Claude for decomposition attacks and the emergence of Mythos have highlighted the need for coordinated defense against AI cyber threats. DHS and Congress should act now, before more serious cases of cyber misuse arise.