Last week, researchers at cloud security firm Sysdig said they had documented the first known case of “agent ransomware.” It was an extortion operation called JadePuffer, in which an artificial intelligence agent, not a human, managed the end-to-end technical execution of a real-world cyber attack. The agent infiltrated a vulnerable server, stole credentials, navigated the target’s network, encrypted files, and even wrote its own ransom note, adapting to obstacles along the way like a human hacker. The funding scope described it as “without any human control,” with “no human at the keyboard.”
This is not complete full picture. one interview Michael Clark, Sysdig’s chief threat intelligence officer, clarified with CyberScoop on Monday that a human is still very much involved — just not in technical execution. “The man still set up and directed the operation and provided the infrastructure behind it, the command-and-control server, the staging server used for the stolen data, and chose the victim,” he said. The credentials used to access the victim’s database, he added, were not harvested by the AI agent; someone acquired them separately, through prior compromise, and put them into operation.
None of this contradicts Sysdig’s original claim, and the technical details of the attack remain remarkable — even brutal — in their own right. The agent was logged in through a known bug LangflowA popular open source tool for building LLM applications then switched to a production MySQL server and exploited another known flaw to gain admin access. He encrypted more than 1,300 configuration records and left not only a ransom note he wrote, but also a Bitcoin address to which the ransom could be sent. Sysdig did not say who was targeted.
The techniques were apparently quite ordinary, the attention-grabbing speed and transparency. The agent fixed the failed input in 31 seconds, explaining its reasoning in natural language code comments all the way.
A detail that initially spoiled the picture was later clarified. Clark told CyberScoop that Sysdig found “multiple models were used in the attack,” citing keys collected for OpenAI, Anthropic, DeepSeek, and Gemini — language that left open the question of whether multiple models actively fueled different stages of the intrusion. Asked for clarification, Clark told TechCrunch that the keys were just part of what the agent stole, not evidence of who controlled it.
“The agent swept the Langflow host for anything of value — provider API keys, cloud credentials, cryptocurrency wallets, and database configurations — and those provider keys were part of the loot,” he said via email. “They are an indication of what the attacker thinks is worth buying, but they don’t tell us what model made the decision.”
In fact, on the model running JadePuffer, Clark said Sysdig “couldn’t identify the specific model running the agent” and it didn’t look like any system command or configuration.
Microsoft researcher Geoff McDonald’s theory, Offered on LinkedIn a few days ago, it is worth revisiting in this regard. Based on his own red team experience, which showed that the border labs’ security layers were holding up well, McDonald suspected that an open-weight model with security training cut, rather than a border model, was behind the attack. Sysdig’s personal account does not confirm or exclude this.
McDonald’s post also warned that ransomware campaigns are now limited primarily by attacker budget rather than human effort, raising the possibility of “thousands or tens of thousands of simultaneous campaigns.” That concern is a bit hard to square with what Clark described Monday. (If a human still has to select each victim, provision infrastructure, and obtain database credentials for each transaction, that’s at least a bit of a bottleneck.)
Either way, Clark told CyberScoop that while Sysdig has yet to see the same operation hit other victims, he expects that to change given how cheap it is to run an agent.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.





