
Last week, cloud security firm Sysdig published research on what it described as the first known case of “agentic ransomware.” The operation, called JadePuffer, used an AI agent to handle the technical side of a real cyberattack from start to finish. The agent broke into a server, stole credentials, moved through the network, encrypted files, and wrote its own ransom note. It even corrected its own mistakes mid-attack, something that until recently only a human hacker could do.
That framing, though, was only partly accurate. According to Best AI Tools, Sysdig’s senior director of threat research, Michael Clark, clarified in an interview with CyberScoop that a human was still very much involved. Just not during the attack itself. “A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim,” Clark said. The credentials used to access the target’s database were also obtained separately by a person, through a prior breach, and handed to the agent before it ever ran.
None of that takes away from Sysdig’s core finding. The technical details of this attack are striking, and the implications for cybersecurity are real. But the distinction matters, because it changes how seriously we should be worried right now versus in the near future.
Once the agent was pointed at a target, here is what it actually did. It got in through a known vulnerability in Langflow, a popular open-source tool for building apps on top of large language models. From there it moved to a production MySQL server, exploited a second known flaw to gain admin access, and encrypted more than 1,300 configuration records. It then left a ransom note it wrote itself, complete with a Bitcoin address. Sysdig has not named the victim.
What made this attack stand out was speed and adaptability. The agent fixed a failed login attempt in just 31 seconds. It also narrated its own reasoning throughout, leaving natural-language comments in its code as it worked. While moving through the compromised system, it swept for anything valuable, including:
- API keys for OpenAI, Anthropic, DeepSeek, and Gemini
- Cloud credentials
- Cryptocurrency wallets
- Database configuration files
That last point caused confusion in early coverage. Some outlets suggested multiple AI models may have powered different stages of the attack. Clark cleared that up: those API keys were simply part of what the agent stole, not evidence of which models were driving it. “They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions,” he said. Sysdig was not able to identify which model actually ran JadePuffer and has no visibility into its system prompt or configuration.
Microsoft researcher Geoff McDonald offered a theory on LinkedIn after the story broke. Based on his own red-teaming work, he suspected the attack was powered by an open-weight model with its safety training stripped out, rather than a frontier model from one of the major labs. His reasoning was that the safety layers built into frontier models tend to hold up well under this kind of pressure. Sysdig’s account neither confirms nor rules that out.
McDonald also raised a broader concern worth taking seriously: that ransomware campaigns are now limited mainly by attacker budget, not human labor. That opens the door to thousands of simultaneous campaigns running in parallel. That scenario is harder to picture given what Clark described. If a human still has to pick each victim, set up infrastructure, and supply database credentials for every operation, that is a real bottleneck. At least for now.
Clark told CyberScoop that Sysdig has not yet seen JadePuffer hit other targets. But given how cheap it is to run an AI agent, he expects that to change. That is the part worth watching closely. The human involvement in this attack was real, but it was also minimal and mostly upfront. As agents get more capable and markets for stolen credentials stay active, the gap between “AI-assisted” and “fully autonomous” keeps getting smaller.
This is the moment the cybersecurity industry has been anticipating for years. The question was never whether AI would be used in attacks. It was how much of the work it would take over, and how fast. JadePuffer suggests the answer is: more than most people expected, and sooner.