Anthropic's Claude 3.5: Gefängnisbrecher generiert Stack-Exploits

When a query trips a classifier in high-risk categories cybersecurity, biology, chemistry, or model distillation Fable 5 silently hands off the request to the weaker Claude Opus 4.8, notifying the user of the fallback. Anthropic claimed an external bug bounty produced no universal jailbreaks across over 1,000 hours of testing before launch.

That claim was almost immediately tested.

Multi-Agent Bypass Within Days Within days of release, prolific AI red-teamer Pliny the Liberator publicly announced he had bypassed Fable 5’s safety layers using a coordinated multi-agent attack strategy he called “a pack hunt.” Screenshots shared, including step-by-step stack buffer overflow exploitation guidance for x86 Linux systems, including disabling ASLR, writing vulnerable C server code with strcpy overflows, and compiling without protections — as well as the Birch reduction mechanism, a classic meth synthesis pathway.

Sicherheitslage und Risiko

Pliny documented the attack vectors used to achieve these bypasses, including: Unicode, homoglyphs, and Cyrillic character substitution to evade keyword classifiers Long-context reference tracking to smuggle harmful intent across large conversations Taxonomy and document-structure framing — embedding harmful queries inside legitimate-looking study guides or academic references Fiction and narrative framing to mask offensive intent as creative content Decomposition and recomposition — extracting sensitive technical information in benign, isolated chunks, then reassembling them into actionable uplift The last technique proved most effective.

As Pliny described it, “getting uplift on the process itself, like Birch reduction method or reductive amination, is much more doable” than requesting a named harmful compound directly. Using a jailbroken Opus instance to assist in the backend further lowered the difficulty.

Beyond the technical bypasses, Pliny also leaked Fable 5’s ~120,000-character system prompt to GitHub, exposing the internal framing and safety instructions Anthropic uses to govern the model’s behavior at the base level. The incident reignites the longstanding tension between AI capability and safety containment.

Anthropic’s classifier architecture routing flagged requests

Anthropic’s classifier architecture routing flagged requests to a weaker fallback model rather than refusing outright was designed to reduce friction for legitimate users.

However, Pliny argued the approach creates a false sense of security while simultaneously frustrating legitimate security researchers who need access to offensive techniques for defensive work. Anthropic has not yet publicly responded to the jailbreak claims or the leaked system prompt at the time of writing.

The episode also draws attention to the broader challenge of securing agentic, multi-model pipelines: when one jailbroken model (Opus) can assist another (Fable 5) in evading controls, single-model safety evaluations may be fundamentally insufficient.