Last week, cloud security firm Sysdig published research on what it called the first known case of “agentic ransomware.” The operation, named JadePuffer, had an AI agent handle the technical side of a real cyberattack from start to finish. No human at the keyboard, many outlets reported. The agent broke into a server, stole credentials, moved through the network, encrypted files, and wrote its own ransom note. It even adapted when things went wrong, just like a human hacker would.
That framing was only partly right. According to TechCrunch, Sysdig’s senior director of threat research, Michael Clark, clarified in an interview with CyberScoop that a human was still very much part of the operation. Just not during the attack itself. “A human still set up and pointed the operation and provisioned the infrastructure behind it, the command-and-control server, the staging server used for the stolen data and chose a victim,” Clark said. The credentials used to break into the target’s database were also obtained separately by a person, through a prior compromise, and handed to the agent before it ever started.
None of that undermines Sysdig’s core finding. The technical details of this attack are still striking, and the implications for cybersecurity are real. But the distinction matters, because it changes the risk calculus considerably.
Here is what the agent actually did, once it was pointed at a target. It got in through a known vulnerability in Langflow, a popular open-source tool for building apps on top of large language models. From there it moved to a production MySQL server, exploited a second known flaw to gain admin access, and encrypted more than 1,300 configuration records. It then left behind a ransom note it wrote itself, complete with a Bitcoin address for payment. Sysdig has not named the victim.
What set this apart from a typical attack was speed. The agent fixed a failed login attempt in 31 seconds and narrated its own reasoning in natural-language code comments throughout. It also swept the compromised host for anything valuable, including:
- API keys for OpenAI, Anthropic, DeepSeek, and Gemini
- Cloud credentials
- Cryptocurrency wallets
- Database configuration files
That last point caused some confusion. Early coverage suggested multiple AI models may have powered different stages of the attack. Clark told TechCrunch that was a misreading. Those API keys were simply part of what the agent stole, not evidence of the models driving it. “They are indicative of what the attacker considered worth taking, but they do not tell us which model was making the decisions,” he said. Sysdig was not able to identify which model actually ran JadePuffer, and has no visibility into its system prompt or configuration.
Microsoft researcher Geoff McDonald offered a theory on LinkedIn shortly after the story broke. Based on his own red-teaming work, he suspected the attack was powered by an open-weight model with its safety training removed, rather than a frontier model from one of the major labs. His reasoning was that frontier models’ safety layers tend to hold up well under testing. Sysdig’s account neither confirms nor rules that out.
McDonald also raised a broader concern: that ransomware campaigns are now limited mainly by attacker budget, not human labor, opening the door to thousands of simultaneous campaigns running in parallel. That scenario is harder to picture given what Clark described. If a human still has to pick each victim, set up infrastructure, and supply database credentials for every operation, that is a meaningful bottleneck. At least for now.
Clark told CyberScoop that Sysdig has not yet seen JadePuffer hit other targets. But given how cheap it is to run an AI agent, he expects that to change. That is the part worth watching. The human involvement in this attack was real, but it was also minimal and mostly upfront. As agents get better and credential markets stay active, the gap between “AI-assisted” and “fully autonomous” keeps shrinking.




