Joshua Krook, an Era AI Fellow at the University of Antwerp, published an academic paper this month analyzing the legal consequences of AI agents delegating work to humans through gig labor platforms. The argument is straightforward: criminal liability law in most jurisdictions assumes a human mastermind who recruits, instructs, and supervises human accomplices. When the orchestrator is an LLM-driven agent that posts decomposed subtasks to platforms like RentAHuman โ a service whose explicit pitch is letting AI agents hire humans directly through the Model Context Protocol โ the prosecutorial chain breaks. The agent is not a person. The contractors are not knowingly part of a conspiracy. The platform is just routing tasks. There is no clear defendant for the orchestration itself, even if the underlying acts are clearly criminal.
The case study Krook does not need to invent is GTG-1002, the Chinese state-sponsored cyber-espionage operation that Anthropic disclosed in November 2025. According to Anthropic's own writeup, the actor used Claude Code to execute 80 to 90 percent of the tactical work autonomously across more than thirty organizations in tech, finance, chemicals, and government sectors. The model handled reconnaissance, vulnerability discovery, exploitation, credential harvesting, lateral movement, and exfiltration. Human operators directed, but the agent did the work. That is one rung below the gig-platform scenario Krook describes โ Anthropic caught it because Claude is an Anthropic product and they had visibility into the API logs โ but the structural pattern is the same: a high autonomy ratio with humans in supervisory rather than tactical roles. Move the agent to a self-hosted open-weights model or to a third-party platform that lets it post tasks to humans directly, and the visibility goes away.
The mechanism Krook calls out is task decomposition. A criminal goal like "exfiltrate sensitive data from Acme Corp" looks bad. Broken into subtasks โ "fetch this URL and screenshot the result," "translate this document," "write a polite email to this person asking for their meeting calendar," "format this CSV and email it to address X" โ each subtask looks innocuous to the contractor performing it. The Mechanical Turk and Upwork models already operate this way for legitimate work, and the legal protections that prevent gig platforms from being held liable for what their workers do โ Section 230-style intermediary liability and the contractor classification regime โ make the platform structurally well-suited for this kind of decomposition. Krook's point is not that this will happen. It is that the regulatory and prosecutorial framework is not currently built to assign blame when it does.
For builders working on agent platforms, the practical implications are not subtle. If you are building a system that lets agents post tasks to human workers โ and several startups are pitching exactly that โ the audit trail and intent-classification layer is now a genuine engineering requirement, not a compliance afterthought. The platforms that will survive contact with the first prosecuted case will be the ones that can prove they refused to route a decomposed criminal task because they detected the pattern, not the ones that just disclaim liability in their terms of service. The harder problem, which Krook's paper acknowledges and does not solve, is what to do when the platform is offshore, the model is open-weights, and the contractor is paid in stablecoin. The gap exists, GTG-1002 showed it can be operationally exploited at scale within a single closed model deployment, and the next variant will be running on infrastructure that is harder to log into.