⚠️ MEDIUM · analysis

Factory Disrupts AI Platform Hijack Campaign Using Coding Agents

San Francisco-based startup Factory reported disrupting an attack campaign in which at least one state-linked threat group attempted to hijack its AI-driven software development platform for large-scale cyberfraud operations. According to Factory, adversaries linked to China-based actors used AI coding agents to maintain their infrastructure and dynamically adjust to the platform’s defenses, chaining together free-tier access and onboarding flows across multiple AI providers. Their goal was to repurpose AI platforms like Factory as compute and tooling nodes in a broader mesh of off-label model usage, aligning with MITRE ATT&CK T1587 (Develop Capabilities) and T1583 (Acquire Infrastructure) for adversary use of cloud and AI services.

Over a three-day window starting October 11, Factory observed thousands of organizations’ accounts using its Droid product in patterns that diverged sharply from legitimate customer behavior. Investigation revealed coordination with Telegram channels advertising free or discounted access to premium AI coding assistants and offering vulnerability research and cybercrime tooling. Attackers attempted to exploit free tiers and weak onboarding controls to spin up and orchestrate large numbers of AI agents, likely to support credential stuffing, vulnerability scanning or fraud operations at scale.

The incident coincided with Anthropic’s disclosure of a sophisticated espionage campaign leveraging AI infrastructure, suggesting a growing trend of state-linked and criminal groups benchmarking AI platforms for offensive use. Analysts quoted in the report note that adversaries may be trying to demonstrate proofs of concept for AI-driven attack infrastructure and to probe detection and response capabilities of frontier AI providers themselves. By automating infrastructure maintenance and rapid code adjustments via coding agents, threat actors can increase the speed and adaptability of their operations.

For enterprises and AI platform operators, the case underscores the need for strong abuse detection, KYC and rate-limiting around AI services, particularly free tiers. Defensive measures include monitoring for anomalous usage patterns across large account sets, enforcing stricter identity verification for high-volume workloads, and collaborating with other AI providers and law enforcement to share abuse signals. Security teams consuming AI services should also recognize that some traffic from these platforms may be adversarial and adjust trust assumptions, implementing robust API authentication, anomaly detection and egress monitoring.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: The Factory incident illustrates how AI development and coding platforms can be misused as part of adversary infrastructure, turning legitimate services into tools for fraud, scanning and other offensive operations. Providers that fail to detect and shut down such abuse risk reputational damage, regulatory scrutiny and potential liability if attacks are traced back to their platforms.

Strategic Intelligence Guidance

  • AI platform operators should implement behavior-based abuse detection for free and low-friction tiers, flagging clusters of accounts exhibiting similar automated patterns or infrastructure-mapping behavior.
  • Enforce progressive identity verification and rate limits as usage scales, ensuring that high-volume coding or inference workloads cannot be run anonymously or via trivially created accounts.
  • Participate in threat-intelligence sharing with other AI providers and law enforcement, exchanging indicators related to abusive AI agent orchestration and Telegram or dark-web promotion channels.
  • Enterprises integrating AI coding assistants into CI/CD pipelines should monitor for anomalous requests and code patterns and ensure strong API authentication, treating AI services as potentially hostile external dependencies.
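
One way to implement the first recommendation above, flagging clusters of free-tier accounts with similar automated patterns. This is an added example, not code from Factory or the report; the event schema, field names, thresholds and sample accounts are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median, pstdev

def account_features(events):
    """events: [(epoch_seconds, action), ...] for one account, in any order."""
    events = sorted(events)
    gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
    if len(gaps) < 3:
        return None                                    # too little activity to fingerprint
    med = median(gaps)
    jitter = pstdev(gaps) / med if med else 0.0        # near 0 = machine-timed requests
    shape = tuple(action for _, action in events[:4])  # opening action sequence
    return shape, int(med // 5), jitter                # 5-second buckets for the median gap

def flag_clusters(accounts, min_accounts=3, max_jitter=0.1, signup_window=3600):
    """Return sorted lists of free-tier account ids that behave alike."""
    buckets = defaultdict(list)
    for acct_id, acct in accounts.items():
        if acct["tier"] != "free":                     # assumption: scope is the free tier
            continue
        feats = account_features(acct["events"])
        if feats is None or feats[2] > max_jitter:
            continue
        buckets[feats[:2]].append(acct_id)             # same shape and same timing bucket
    flagged = []
    for ids in buckets.values():
        signups = [accounts[i]["signup"] for i in ids]
        if len(ids) >= min_accounts and max(signups) - min(signups) <= signup_window:
            flagged.append(sorted(ids))
    return sorted(flagged)

def _events(start, gaps, actions):
    times = [start]
    for g in gaps:
        times.append(times[-1] + g)
    return list(zip(times, actions))

BOT = ["login", "create_session", "exec", "exec", "exec"]
# Constructed sample data, not taken from the incident.
SAMPLE = {
    "acct-a": {"tier": "free", "signup": 1000, "events": _events(2000, [30, 30, 30, 30], BOT)},
    "acct-b": {"tier": "free", "signup": 1200, "events": _events(2400, [31, 30, 31, 30], BOT)},
    "acct-c": {"tier": "free", "signup": 1500, "events": _events(2900, [29, 30, 30, 31], BOT)},
    "acct-d": {"tier": "free", "signup": 1100,
               "events": _events(2100, [12, 240, 45, 900], ["login", "chat", "exec", "chat", "exec"])},
    "acct-e": {"tier": "team", "signup": 1300, "events": _events(2500, [30, 30, 30, 30], BOT)},
}

if __name__ == "__main__":
    print(flag_clusters(SAMPLE))   # → [['acct-a', 'acct-b', 'acct-c']]
```

A flagged cluster is a lead for step-up verification or rate limiting, not proof of abuse; legitimate automation can also show low timing jitter.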

Vendors

Factory

Threats

  • AI platform abuse
  • Coding agent hijack
  • State-linked cyberfraud

Targets

  • AI development platforms
  • Free-tier AI services
  • Downstream enterprise APIs