Last week, researchers at cloud security firm Sysdig said they had documented the first known case of “agentic ransomware.” It was an extortion operation called JadePuffer, in which an AI agent – not a human – took over the technical execution of a real-world cyberattack from start to finish. The agent broke into a vulnerable server, stole credentials, moved through the target’s network, encrypted files, and even wrote its own ransom note, adapting to obstacles along the way like a human hacker. Reporting on the operation described it as being carried out “without any human supervision” and “without people at the keyboard.”
That’s not quite that full Picture. In an interview with CyberScoop on Monday, Sysdig’s Michael Clark, the company’s senior director of threat research, clarified that a human is still heavily involved – just not in the technical execution. “A human still built and ran the operation, deployed the infrastructure behind it, the command and control server, the staging server for the stolen data and selected a victim,” Clark said. He added that the credentials used to penetrate the victim’s database were not captured by the AI agent itself; Someone obtained them separately through a previous compromise and gave them to the operation.
None of this contradicts Sysdig’s original claim, and the technical details of the attack remain remarkable – even wild – in their own right. The agent entered the game via a known bug in Langflow, a popular open source tool for building LLM apps, then switched to a production MySQL server and exploited another known bug to gain administrative access. It encrypted over 1,300 configuration records and left not only a self-written ransom note, but also a Bitcoin address to which the ransom could be sent. Sysdig has not disclosed who was targeted.
The techniques were seemingly fairly ordinary, what stood out was the speed and transparency involved. The agent fixed a failed login in 31 seconds while explaining his own reasoning in natural language code comments.
A detail that initially seemed to cloud the picture has now been clarified. Clark had told CyberScoop that Sysdig had found that “multiple models were used in the attack,” citing keys collected for OpenAI, Anthropic, DeepSeek and Gemini – a formulation that left open the question of whether multiple models actively supported different phases of the intrusion. Asked for clarification, Clark told TechCrunch that these keys were merely part of what the agent stole and not evidence of what was driving him.
“The agent searched the Langflow host for anything of value – provider API keys, cloud credentials, cryptocurrency wallets and database configurations – and these provider keys were part of the loot,” he said via email. “They provide information about what the attacker thought made sense, but they don’t tell us which model made the decisions.”
As for the model that JadePuffer actually runs on, Clark said that Sysdig “has not been able to identify the specific model that controls the agent” and has no insight into its system prompt or configuration.
Microsoft researcher Geoff McDonald’s theory, presented on LinkedIn a few days ago, is worth revisiting in this light. McDonald suspected that an open-weight model with no security training, rather than a Frontier model, was behind the attack, based on his own red-teaming experiences that showed Frontier Labs’ security layers holding up well. Sysdig’s own report does not confirm or rule this out.
McDonald’s post also warned that ransomware campaigns are now limited primarily by the attacker’s budget rather than human effort, raising the possibility of “thousands or tens of thousands of concurrent campaigns.” That concern is a little harder to reconcile with what Clark described Monday. (If a human still has to select each victim, deploy the infrastructure, and obtain database credentials for each operation, that’s at least a small bottleneck.)
Either way, Clark told CyberScoop, although Sysdig hasn’t seen the same operation hit other victims, he expects that to change given how cheap it is to run an agent.
If you purchase through links in our articles, we may receive a small commission. Our editorial independence remains unaffected.
https://techcrunch.com/2026/07/06/the-first-ai-run-ransomware-attack-still-needed-a-human/
