Last week, researchers at cloud security firm Sysdig stated they’d documented the known case of “agentic ransomware.” It was an extortion operation, dubbed JadePuffer, in which an AI agent — not a human — managed the technical execution of a real-world cyberattack from begin to complete. The agent broke right into a vulnerable server, stole credentials, moved through the goal’s network, encrypted files, or even wrote its personal ransom note, adapting to boundaries alongside the way like a human hacker would. Coverage of the operation explained it as run “without any human oversight,” with “no human on the keyboard.”
That’s not quite the whole picture. In an interview on Monday with CyberScoop, Sysdig’s Michael Clark, the company’s senior director of risk research, interpreted that a human was still very much involved — simply not within the technical execution. “A human still set up and pointed the operation and assigned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and selected a victim,” Clark stated. The credentials used to interrupt into the victim’s database, he added, weren’t harvested by the AI agent itself; someone acquired them individually, through a prior compromise, and handed them to the operation.
None of this contradicts Sysdig’s original claim, and the technical info of the attack persist to be notable on their own — wild, even. The agent got in through a recognized bug in Langflow, a popular open source tool for constructing LLM apps, then moved directly to a manufacturing MySQL server and exploited another known flaw to benefit admin access. It encrypted over 1,300 configuration records and not only left behind a ransom note that it wrote itself but it left a Bitcoin address wherein the ransom can be sent. Sysdig hasn’t revealed who was aimed.
The methods were pretty ordinary seemingly, what stood out was the speed and transparency included. The agent fixed a failed login in 31 seconds, narrating its very own reasoning in natural-language code comments the whole way.
One detail that to start seemed to muddy the image has since been explained. Clark had advised CyberScoop that Sysdig found “multiple models were used in the attack,” bringing up harvested keys for OpenAI, Anthropic, DeepSeek, and Gemini — language that left open the inquiry of whether or not numerous models actively powered different stage of the intrusion. Asked to make clear, Clark advised TechCrunch that those keys have been simply a part of what the agent stole, not proof of what was driving it.
“The agent swept the Langflow host for anything valuable — provider API keys, cloud credentials, cryptocurrency wallets, and database configs — and those issuer keys have been part of the loot,” he stated through email. “They are indicative of what the attacker considered worth taking, however they do not inform us which model making the decisions.”
On the decisions truly running JadePuffer, Clark stated Sysdig “become not able to detect the specific model driving the agent” and has no visibility into its system prompt or configuration.
Microsoft researcher Geoff McDonald’s theory, offered on LinkedIn numerous days ago, is worth revisiting in that light. McDonald suspected an open-weight model with safety training stripped out, instead of a frontier model, was behind the attack, based on his own red-teaming experience displaying frontier labs’ safety layers hold up well. Sysdig’s own account doesn’t verify or rule that out.
McDonald’s post also warned that ransomware campaigns are now bounded primarily via attacker budget instead of human effort, elevating the possibility of “thousands or tens of thousands of simultaneous campaigns.” That problem is a touch harder to square with what Clark explained Monday. (If a human to choose each victim, provision infrastructure, and attain database credentials for every operation, that’s a bit of a bottleneck, at least.)
Either way, Clark told CyberScoop, whilst Sysdig hasn’t seen the same operation hit other victims yet, given how cheap it’s to run an agent, he anticipates that to change.












