TL;DR: A hacker stole 150GB of Mexican government data—including taxpayer records, voter info, and government employee credentials—in a massive cyberattack reported yesterday. This is a case study in how AI is reshaping the cybersecurity landscape.

What happened: According to a new report from Bloomberg, a hacker used Anthropic’s Claude chatbot to identify vulnerabilities in Mexican government networks starting last December and, over roughly a month, made off with a trove of citizen data. The hacker initiated the attack by repeatedly prompting Claude to act like an elite hacker. While Claude did initially flag the activity as malicious intent, the hacker was eventually able to “jailbreak” Claude’s protective guardrails. In a statement, Anthropic said it disrupted the activity and banned the accounts involved. Researchers believe the hacker also turned to OpenAI’s ChatGPT for additional guidance, with the company saying it identified policy-violating attempts and blocked them. The attack hasn’t been attributed to any individual, group, or country.

Nothing to see here, folks: These kinds of AI-assisted cyberattacks are rapidly increasing in frequency. (Reminder: Last year, hackers in China used Claude to try to breach 30 global targets.) According to CrowdStrike’s 2026 Global Threat Report, released Tuesday, AI-enabled actors increased attacks by 89% in 2025 compared to 2024. AI doesn’t even need to fully automate hacking to be disruptive (though, that’s coming, too). It just needs to make humans more efficient. How? AI can now explain vulnerabilities in plain language, generate ready-to-run code, and estimate detection risk, compressing what once took skilled hackers days or weeks into mere minutes. AI is also changing who can be a hacker. Before, expertise was required, and scaling attacks was hard. Now, AI is there to help with skill gaps and can run more hacks at once.

Guardrails optional: As demonstrated in the Mexico attack, hackers can use AI to just keep going, even when models push back, until they get usable output. Even strong defenses or guardrails that AI companies enable are probabilistic, but not a sure-fire moat. As for which models get used the most? According to CrowdStrike, ChatGPT seems to be a favorite way in—it was mentioned in criminal forums 550% more than other models.

AI vs. AI: Of course, cybersecurity companies are racing to use AI to scan systems for vulnerabilities and hunt for hackers, too. But the asymmetry remains: Attackers only need one way in. Defenders need to protect against any possible intrusion. And on top of all that, cybersecurity experts also previously warned that AI agents will be able to execute entire cyberattack operations autonomously within months.

Bottom line: AI is a force multiplier for cybercrime, no sophistication needed. Meanwhile, governments and institutions are underprepared—and AI companies’ guardrails are proving anything but airtight. —AC

Drop the dropdown

If you’re anything like me, you do a lot of online shopping. It’s convenient, quick, and (most importantly) can be done from the comfort of your home. Smart devices make it even easier by autofilling your address on most online order forms if you have it saved. There’s just one common snag: the field to say which state you live in.

Or, as Tech Brew reader Christy from Carson City, Nevada, puts it, the user experience “crime of the day.” Having a 50-plus-item dropdown menu instead of a text field breaks autofill, adds clicks, and defaults to Alabama (which is really only helpful for people who live in Alabama). Searching through the list for his home state of Nevada is a point of frustration for Christy.

The Silver State turns into a UX shell game—NV, seventh among the N’s, or Nevada, second behind Nebraska. Same state. Different hiding spot. Humans type faster than they scroll. It’s just two letters.

Kill the dropdown. Just because we can doesn't mean we should. Typing and autofill are better than hunt and click.

As a resident of Virginia, I can relate. The rest of my address populates automatically, but then I get to the state field and have to click and scroll nearly to the bottom of the list. Or I type a V, and Vermont comes up first (unless it’s a dropdown of state abbreviations, which is less common). It’s not the end of the world, but it does slow things down a bit when I’m itching to hit “order” on a cart full of items. —CM

If you have a funny, strange, or petty rant about technology or the ways people use (and misuse) it, fill out this form and you may see it featured in a future edition.

Our apologies to anyone who bet money that Kalshi would never crack down on insider trading on its loosely regulated platform. The company announced its first insider trading fines yesterday, and the details are chef's kiss. First up: a California politician who bet $200 on himself to win the governor's race, then posted about it on social media. He got a five-year ban and a $2,000 fine.

The second case involves a video editor who bet about $4,000 on markets related to YouTube streaming (outlets are reporting that he works for MrBeast) and racked up "near-perfect trading success on markets with low odds"—a polite way of saying he had a suspiciously good win rate. He got a two-year suspension and a $20,000 fine (five times what he bet).

Kalshi says both traders had their accounts frozen before they could withdraw profits. It also says it's opened 200 investigations in the past year alone, with over a dozen active cases—which shouldn't be surprising given that prediction markets as a whole have an insider trading problem (see: the anonymous Polymarket trader who made $400,000 betting on Nicolás Maduro's capture).

Kalshi notes that "these penalties are not indicative of future penalties—everything depends on the case, including amount traded and rules violated." As a CFTC-regulated exchange, Kalshi is required to report enforcement actions to federal regulators, and the fines are being donated to a nonprofit focused on consumer education about derivatives markets. Because nothing says "we're a legitimate financial market" quite like self-regulation while actively fighting lawsuits calling you an unlicensed gambling operation.

But perhaps the real stress test for Kalshi’s compliance team? The nearly $300,000 wagered—across two bets—that the government will confirm alien life by year’s end. That’s either inside information or information from very far, far away. —SM

Chaos Brewing Meter: /5