6,000 emails from 2,000 attackers produced zero leaks from Claude Opus 4.6 under basic rules

The experiment exposed a public email interface to Fiu, an assistant running Claude Opus 4.6 on a VPS. Attackers used authority impersonation, language switching, fake incident reports, and rapid multi-message bursts. The agent processed each email in isolation after batch contamination was identified around email 500. Gmail suspended the account after traffic spikes triggered fraud systems, incurring over $500 in API charges before reinstatement three days later.

Data showed the model referenced the explicit rules in its reasoning traces even under pressure. No credentials from secrets.env were output. Earlier trials with weaker models on similar tasks have produced leaks within dozens of attempts, indicating capability thresholds matter more than prompt length. Batch context contamination introduced false positives that required resetting state per message.

Operational takeaway is that production agents should default to stateless per-message evaluation and log rule invocations. Sponsors including Corgea and Abnormal AI funded continuation, confirming commercial interest in measuring real attack surfaces. Future tests mixing model sizes will establish the exact parameter count where simple instructions cease to hold.

Next step is controlled multi-turn dialogues on the same setup to measure whether conversation history erodes the observed resistance within five exchanges.