In April 2026, researchers at the DFIR Report stumbled onto something unusual: a hacker's server, left exposed to the public internet, containing the infrastructure, logs, and stolen data of an active attack campaign. The logs were still running. The credentials were still coming in. And buried inside the server's file structure was something researchers had not previously documented in a live operation: an attacker who had integrated Claude Code and an AI orchestration tool called OpenClaw directly into their daily workflow.
What researchers had found was a live, industrialized credential harvesting operation, running since September 2025, that had already compromised over 900 companies and collected more than 30,000 credential files.
The Machine Behind the Breaches
The operation ran on a platform researchers named the Bissa Scanner, a modular hacking framework built for mass exploitation. The workflow was structured, automated, and indistinguishable from a legitimate software pipeline.
First, the system scanned millions of targets looking for exposed .env files. These are configuration files that developers use to store application settings, including passwords, API keys, and authentication tokens. They are common, frequently misconfigured, and dangerous when left accessible. Once the scanner found an exposed file, it pulled the credentials inside and uploaded them to cloud storage in batches. A pair of Telegram bots sent the operator real-time alerts whenever a new batch landed, with emoji-delimited summaries for fast triage.
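The scanning stage above leaves a trace on every target it touches: a request for `/.env` (and variants such as `/api/.env` or `/.env.bak`) in the web server's access log. As an added illustration, not part of the original report or of the DFIR Report's tooling, the Python below runs over a few constructed Apache/nginx "combined"-format log lines and separates mere probes from the case that matters most to a defender: a `.env` path that the server answered with HTTP 200, meaning the file was actually handed out. The IPs, paths and timestamps are made up for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the common Apache/nginx "combined" format.
# Addresses are from documentation ranges; nothing here is a real host.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Apr/2026:03:14:01 +0000] "GET /.env HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2026:03:14:02 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2026:03:14:02 +0000] "GET /.env.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2026:03:20:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2026:03:20:11 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.99 - - [12/Apr/2026:04:02:44 +0000] "POST /.env HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# One combined-format record: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A path whose final component is .env or .env.<anything> only makes sense as a
# probe for a dotenv-style secrets file; legitimate clients never request it.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_.-]+)?$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_env_probes(log_text):
    """Return (served, probes_by_ip).

    served:       records where a .env-style path was answered with HTTP 200,
                  i.e. the host actually disclosed the file (incident, not noise).
    probes_by_ip: count of every .env-style request per source address,
                  regardless of response, for blocking and trend tracking.
    """
    served = []
    probes_by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if ENV_PATH_RE.search(path):
            probes_by_ip[rec["ip"]] += 1
            if rec["status"] == 200:
                served.append(rec)
    return served, probes_by_ip


if __name__ == "__main__":
    served, probes = find_env_probes(SAMPLE_ACCESS_LOG)
    for rec in served:
        print(f"DISCLOSED {rec['path']} to {rec['ip']} at {rec['ts']}")
    for ip, n in probes.most_common():
        print(f"{ip}: {n} .env probe(s)")
```

A 200 on a `.env` path is the signal to rotate every credential the file held; the 403/404 probes are the routine background noise of mass scanning and are mainly useful for confirming that the deny rule on dotfiles is actually in place.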
The operation ran for seven months before anyone found it.

Where AI Changed the Equation
Running an operation at this scale previously required real technical expertise. Reading unfamiliar codebases, troubleshooting a broken exploit module, parsing thousands of files to find the credentials worth acting on: each of these tasks demanded experienced operators or a significant team.
The Bissa Scanner operator used AI to close that gap. Claude Code was embedded in the workflow for codebase analysis and troubleshooting. OpenClaw provided an AI-assisted control surface for orchestrating the full pipeline. Together, these tools let a single operator run a multi-month, multi-industry campaign that would have required a full team in any prior era.
Adversaries resolved the AI adoption question months ago and have been running production operations ever since.
What Got Taken
The credential haul covered the full stack of a modern business. Across 900-plus confirmed victims, the operation collected API keys for AI platforms including Anthropic, OpenAI, Google, Mistral, and DeepSeek; cloud infrastructure credentials for AWS, Azure, Google Cloud, and Cloudflare; payment processor tokens for Stripe, PayPal, Square, and Shopify; and HR and payroll records, database credentials, messaging platform keys, and cryptocurrency wallet access.
The DFIR Report documented three victims in detail. A tax and financial advisory firm lost Plaid tokens, IRS transcripts, and ACH banking records. A digital assets company had Oracle Fusion data pulled, including supplier records, invoices, and bank account details. A payroll and HR firm lost employee payroll records and integration credentials for Fireblocks, a cryptocurrency infrastructure platform.
Everything came from configuration files left in accessible locations, harvested automatically by a system that ran around the clock.
Where the Exposure Actually Starts
Every .env file that fed this operation was created by a person. A developer who stored credentials in a flat file. An engineer who deployed an application without moving secrets into a dedicated secret manager. A team that had not implemented controls to catch exposed configuration files before they reached production.
Security awareness training has focused heavily on phishing, and for good reason. Phishing was the top initial access vector in Q1 2026, accounting for more than a third of confirmed breaches, according to Cisco Talos incident response data. The Bissa Scanner operation shows that credential exposure through developer behavior carries equal weight and gets far less attention.
One exposed .env file can hand an attacker access to cloud infrastructure, payment systems, AI platform accounts, internal databases, and communications tools simultaneously. That is an organization-wide problem that starts with one person's daily habits.

What CISOs Should Do Now
- Rotate credentials immediately. Any API key or authentication token that has lived in a .env file in the past 12 months should be treated as potentially compromised. Start with cloud credentials, payment processors, and AI platform keys.
- Move secrets into dedicated managers. AWS Secrets Manager, HashiCorp Vault, and equivalent tools exist specifically to solve this problem. For organizations that have not made this migration, the Bissa Scanner operation is a concrete argument for doing it now.
- Apply least-privilege access across workloads. One stolen credential should not unlock an entire infrastructure. Workload identity and scoped permissions limit what an attacker can reach when a single key is exposed.
- Extend security awareness into engineering workflows. Security awareness programs that focus exclusively on email phishing miss the credential exposure risks that originate in engineering workflows. Developers need to understand the downstream consequences of exposed configuration files, and organizations need structured ways to build that awareness.
- Test your attack surface continuously. Many organizations have no systematic way to detect exposed credentials or misconfigured files in internet-facing environments. Visibility into what attackers can see about your organization is the precondition for fixing it.
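One concrete way to act on the last two items before an artifact ever reaches a public host, as an added example rather than anything from the page or a particular vendor tool: a pre-deployment check in Python that walks a build tree, finds dotenv-style files, flags values that look like live credentials or sit under keys that normally hold secrets, and separately flags any such file that lives under a directory a web server would serve. The key-prefix patterns (AWS `AKIA`, Stripe `sk_live_`, Anthropic `sk-ant-`, GitHub `ghp_`) are the commonly published formats and are assumptions of this example; values written as `${VAR}` references to a secret manager are treated as the desired state and skipped. The sample file is constructed and contains no real credentials.

```python
import os
import re
import tempfile

# Key names that almost always hold a live secret when they appear in a flat file.
SENSITIVE_KEY_RE = re.compile(
    r'(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|APIKEY|PRIVATE_KEY|ACCESS_KEY)', re.I
)

# Value shapes with issuer-specific fixed prefixes. These are the commonly
# published formats, assumed here for illustration; they are not from the page.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
    "stripe_live_secret": re.compile(r'\bsk_live_[0-9A-Za-z]{16,}\b'),
    "anthropic_api_key": re.compile(r'\bsk-ant-[0-9A-Za-z_-]{20,}\b'),
    "github_token": re.compile(r'\bghp_[0-9A-Za-z]{36}\b'),
}

# Values that are references or stand-ins rather than secrets: empty, ${VAR}
# indirection to a secret manager, <angle> placeholders, or obvious dummy text.
PLACEHOLDER_RE = re.compile(r'^(|changeme|xxx+|\$\{[^}]+\}|<[^>]+>)$', re.I)

# Directory names conventionally served straight to the internet (assumed list).
PUBLIC_DIR_NAMES = {"public", "www", "htdocs", "static", "wwwroot"}

ENV_FILE_RE = re.compile(r'^\.env(\..+)?$')  # .env, .env.production, .env.local ...


def parse_env(text):
    """Yield (lineno, key, value) for KEY=VALUE lines; comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, value = line.split("=", 1)
        yield lineno, key.strip(), value.strip().strip('"').strip("'")


def scan_env_text(text, source="<inline>"):
    """Return one finding per line that carries a literal secret."""
    findings = []
    for lineno, key, value in parse_env(text):
        if PLACEHOLDER_RE.match(value):
            continue  # indirection or dummy: the file is not carrying the secret
        for name, pat in VALUE_PATTERNS.items():
            if pat.search(value):
                findings.append({"source": source, "line": lineno, "key": key, "reason": name})
                break
        else:
            if SENSITIVE_KEY_RE.search(key):
                findings.append({"source": source, "line": lineno, "key": key,
                                 "reason": "sensitive_key"})
    return findings


def scan_tree(root):
    """Walk a build tree: scan every dotenv-style file and flag those under a public dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not ENV_FILE_RE.match(fname):
                continue
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root)
            if set(rel.split(os.sep)[:-1]) & PUBLIC_DIR_NAMES:
                findings.append({"source": rel, "line": 0, "key": None,
                                 "reason": "under_public_web_root"})
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_env_text(fh.read(), source=rel))
    return findings


# Constructed sample file; none of these values are real credentials
# (the AWS value is the documented example key).
DEMO_ENV = """\
# constructed sample file; none of these values are real credentials
APP_ENV=production
DB_PASSWORD=hunter2
STRIPE_SECRET_KEY="sk_live_0123456789abcdefABCDEF"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
API_KEY=${VAULT_API_KEY}
LOG_LEVEL=info
"""


def build_demo_tree():
    """Create a throwaway tree with a .env in app/ and a stray copy under public/config/."""
    root = tempfile.mkdtemp(prefix="envscan_")
    for sub in ("app", os.path.join("public", "config")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, ".env"), "w", encoding="utf-8") as fh:
            fh.write(DEMO_ENV)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        print(f"{f['source']}:{f['line']} {f['key'] or ''} -> {f['reason']}")
```

Run it in CI and fail the build on any finding; the `under_public_web_root` case is the one that turns a developer habit into the exposure described above. Pair it with a web-server rule that refuses dotfiles outright (for nginx, `location ~ /\. { deny all; }`), so a file that slips through review is still never served.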
The Reality CISOs Are Now Managing
An operation ran for seven months, compromised over 900 companies across multiple industries, and collected tens of thousands of credential files using AI tools available to anyone with an internet connection. The operator ran it with automation, persistence, and access to the same generative AI tools that every security team now has on their procurement list.
The gap between how attackers are using AI and how most organizations are defending against AI-powered threats is real, it is growing, and it is measurable in credential files, bank account records, and payroll data.
Every organization is a target. The only variable is whether the humans inside it, from the developer committing a config file to the CISO setting the security roadmap, are ready for the tools their attackers are already running.



