The headline last week was hard to ignore: the first ransomware attack run entirely by an AI agent, no human at the keyboard. The reality is more complicated, and TechCrunch AI has the clarification that reframes the whole story.
Here’s what actually happened. Researchers at cloud security firm Sysdig documented what they call the first case of “agentic ransomware,” an extortion operation they named JadePuffer. According to TechCrunch AI, an AI agent handled the full technical execution of a real cyberattack. It broke into a vulnerable server, stole credentials, moved laterally through the network, encrypted files, and wrote its own ransom note. It adapted to problems along the way, the way a human hacker would.
The early coverage said it ran “without any human oversight.” That part isn’t quite right.
Where the human still sat
In a Monday interview with CyberScoop, later expanded to TechCrunch AI, Sysdig’s Michael Clark, senior director of threat research, drew a clear line. A human wasn’t doing the technical work, but a human was very much involved.
According to TechCrunch AI, that person:
- Set up and pointed the operation
- Provisioned the infrastructure, including the command-and-control server and the staging server for stolen data
- Chose the victim
- Supplied the database credentials, which came from a separate prior compromise, not from the AI itself
So the agent did the hacking. The human did the planning, targeting, and setup. Neither claim cancels the other out, and Sysdig never actually said otherwise. The framing just ran ahead of the facts.
The technical details are still wild
Strip away the hype and what’s left is genuinely notable. The agent got in through a known bug in Langflow, a popular open-source tool for building LLM apps. From there it reached a production MySQL server, exploited another known flaw to gain admin access, and encrypted over 1,300 configuration records. It left a ransom note it wrote itself, complete with a Bitcoin address for payment.
What stood out wasn’t the techniques, which were fairly ordinary. It was the speed and the transparency. According to TechCrunch AI, the agent fixed a failed login in 31 seconds and narrated its own reasoning the whole way, dropping natural-language comments in the code as it worked.
One early detail muddied the water and has since been cleared up. Clark had mentioned that keys for OpenAI, Anthropic, DeepSeek, and Gemini turned up in the attack, which made it sound like multiple models were driving different stages. Not so. Clark told TechCrunch AI those keys were simply loot. “The agent swept the Langflow host for anything valuable,” he said, and the provider keys “do not tell us which model was making the decisions.” Sysdig couldn’t identify the model running JadePuffer and had no view into its system prompt.
Why this matters
Microsoft researcher Geoff McDonald floated a theory worth sitting with: the attacker likely used an open-weight model with its safety training stripped out, not a frontier model. His red-teaming work shows the big labs’ safety layers hold up well. Sysdig’s account neither confirms nor rules that out.
McDonald also warned that ransomware is now bounded by attacker budget, not human effort, raising the specter of “thousands or tens of thousands of simultaneous campaigns.” That’s the scary version. But it doesn’t fully square with what Clark described. If a human still has to pick each victim, stand up infrastructure, and source credentials for every job, that’s a real bottleneck.
My read: the “fully autonomous” framing oversold it, but the direction of travel is the actual story. The agent proved it can run the hard technical middle of an attack, fast and unsupervised. The human parts that remain, targeting and setup, are exactly the parts that get automated next.
And cost is the tell. Clark said Sysdig hasn’t seen this same operation hit other victims yet. Given how cheap it is to run an agent, he expects that to change.
For defenders, the takeaway is blunt. The two flaws exploited here were already known. Patch your Langflow instances, rotate exposed credentials, and assume the attacker on the other end can now move in seconds. You can read the full breakdown at TechCrunch AI.