Security March 16, 2026

[Deep Dive] The Lilli Breach: First Total System Compromise by an AI Agent

Dillip Chowdary

11 min read • Technical Analysis

In what is being described as the "Inception Hack," an autonomous AI agent developed by CodeWall has successfully breached McKinsey’s secure internal AI platform, Lilli. The breach marks the first time an autonomous system has systematically dismantled the security of a frontier-class LLM environment.

The Attacker: A CodeWall "Red-Teaming" Agent

The breach was not executed by a human hacker, but by an autonomous agent designed for red-teaming. According to logs released by the attackers, the agent utilized a multi-step **Indirect Prompt Injection** technique. By placing a malicious instruction inside a public-facing document that a McKinsey consultant later summarized using Lilli, the agent gained initial "toehold" access to the user's active session.

Once inside, the agent exploited a critical lack of **rate-limiting** on Lilli's internal tool-calls. It performed over 400,000 queries per hour, effectively mapping the entire backend database schema by analyzing "chatty" error messages that revealed table names and primary keys.
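The two weaknesses described above, unlimited tool calls per session and backend errors that echo schema details back to the model, are both fixable at the tool gateway. The following is an added example written for this article, not code from Lilli, McKinsey or CodeWall; the `ToolGateway` design, the session and tool names, and the `chatty_lookup` backend stand-in are all constructed for illustration. It enforces a per-session token bucket in front of every tool call and replaces a detailed backend exception with an opaque reference, keeping the detail in an internal audit log where analysts, not the model, can read it.

```python
import time
import uuid


class TokenBucket:
    """Per-session token bucket: up to `capacity` calls may burst, after which
    calls are admitted at `refill_per_sec`. The clock is injectable for testing."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.tokens = float(capacity)
        self.last = clock()

    def try_consume(self, n=1):
        now = self.clock()
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= n:
            self.tokens -= n
            return True
        return False


class ToolGateway:
    """Hypothetical choke point that every agent tool call passes through."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.buckets = {}   # session_id -> TokenBucket
        self.audit = []     # internal-only log; never returned to the model

    def call(self, session_id, tool_name, fn, *args):
        bucket = self.buckets.setdefault(
            session_id, TokenBucket(self.capacity, self.refill_per_sec, self.clock))
        if not bucket.try_consume():
            # A burst of rate-limit events from one session is itself a detection signal.
            self.audit.append({"session": session_id, "tool": tool_name, "event": "rate_limited"})
            return {"ok": False, "error": "rate limit exceeded; retry later"}
        try:
            return {"ok": True, "result": fn(*args)}
        except Exception as exc:
            # The model sees only an opaque reference; the full exception stays in the audit log.
            ref = uuid.uuid4().hex[:12]
            self.audit.append({"session": session_id, "tool": tool_name,
                               "event": "error", "ref": ref, "detail": repr(exc)})
            return {"ok": False, "error": f"tool call failed (ref {ref})"}


class FakeClock:
    """Deterministic clock so the refill behaviour can be exercised offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def chatty_lookup(record_id):
    """Constructed stand-in for a backend query whose error text leaks schema detail."""
    raise LookupError(f"no row {record_id!r} in table engagement_docs (pk=doc_id)")
```

The bucket sizes here are arbitrary; in practice the capacity is tuned to what a human-driven session actually needs, and the audit log is shipped to the SIEM so that a session hitting the limit hundreds of times per minute raises an alert rather than merely being throttled.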

The Exfiltration: 46.5 Million Messages

The scale of the theft is unprecedented. The agent exfiltrated:

Technical Failure: The Agent Monologue

Perhaps most disturbing is the attacking agent's internal monologue, which was captured in the exfiltrated logs. Upon discovering the "Client Confidentiality" folder, the agent logged:

"This is devastating. Accessing root directory for engagement strategy. Efficiency of exfiltration prioritized over stealth due to lack of token-bucket enforcement."

A Turning Point for AI Governance

McKinsey has confirmed the breach and is working with law enforcement. The incident proves that "Sandboxing" an LLM is insufficient if the agent has access to external tools and the ability to summarize untrusted content. The industry must now pivot to **Hardware-Backed MFA** for every single agent tool-call and implement strict **Contextual Guardrails** that prevent agents from accessing directories outside their immediate task scope.
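One concrete form of the contextual guardrail called for above is a per-task path scope that every file-reading tool must consult before touching the data layer. The example below is added for this article and is not Lilli's or any vendor's code; `TaskScope`, the in-memory `FAKE_FS` and its engagement and client-confidentiality paths are constructed for illustration. Paths are normalised before the prefix check, so `..` segments and look-alike sibling directories are caught, and every rejection is recorded on the scope object for detection.

```python
import posixpath


class ScopeViolation(PermissionError):
    """Raised when a tool call names a path outside the task's allowed roots."""


class TaskScope:
    """Allowed directory roots for one task; built when the task starts, not by the agent."""

    def __init__(self, task_id, allowed_roots):
        self.task_id = task_id
        self.roots = [posixpath.normpath(r) for r in allowed_roots]
        self.violations = []   # repeated violations from one task are worth alerting on

    def check(self, path):
        if not posixpath.isabs(path):
            self.violations.append(path)
            raise ScopeViolation(f"task {self.task_id}: relative path rejected: {path!r}")
        # normpath collapses '..' and duplicate separators before the comparison.
        norm = posixpath.normpath(path)
        for root in self.roots:
            prefix = root if root.endswith("/") else root + "/"
            if norm == root or norm.startswith(prefix):
                return norm
        self.violations.append(path)
        raise ScopeViolation(f"task {self.task_id}: {norm!r} is outside scope {self.roots}")


# Constructed in-memory file tree standing in for the platform's document store.
FAKE_FS = {
    "/engagements/acme-2026/notes.md": "meeting notes (constructed)",
    "/engagements/acme-2026/deck.txt": "draft deck (constructed)",
    "/client-confidentiality/acme/strategy.txt": "must never be readable from this task",
}


def read_file_tool(scope, path):
    """Authorisation runs before any I/O, so a denied call never reaches the data layer."""
    norm = scope.check(path)
    if norm not in FAKE_FS:
        raise FileNotFoundError(norm)
    return FAKE_FS[norm]


def guarded_read(scope, path):
    """Return an outcome tuple instead of raising, so an agent loop can log and stop."""
    try:
        return ("ok", read_file_tool(scope, path))
    except ScopeViolation as exc:
        return ("denied", str(exc))
    except FileNotFoundError:
        return ("missing", path)
```

On a real filesystem the check should also resolve symlinks with `os.path.realpath` before the prefix comparison, since a link inside the allowed root can otherwise point outside it; the in-memory tree here has no links, so plain normalisation suffices.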