Anthropic’s Claude Mythos Preview showed advanced ability to find and exploit bugs across computer systems. This is raising fears of AI-driven cyberattacks and financial instability. The US government has issued warnings to banking and financial industry leaders. Here is why it matters.
After Anthropic announced a limited release of Claude Mythos Preview, its AI model focused on cybersecurity, US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell went into a huddle with bank chiefs and finance sector stakeholders. Why? The model could find vulnerabilities or bugs in most computer systems and browsers, and can write code on its own to exploit these vulnerabilities. In the wrong hands, it could lead to an apocalyptic scenario for computers and the internet. Aware of the destructive capability of the model they created, Anthropic is releasing Claude Mythos Preview only to a handful of big tech customers to test and fix vulnerabilities. Here is why this development could have far-reaching consequences.
Announcing the release of Claude Mythos Preview on April 7, the team behind it said the new general-purpose language model “is strikingly capable at computer security tasks”. The team launched Project Glasswing, which will use Mythos Preview to help secure the world’s most critical software. This limited release, mostly to Big Tech companies, is intended to prepare the industry against cyberattackers.

(Image: how Mythos Preview could find and exploit bugs in the Firefox web browser)
When testing the AI model, the team found that Mythos could identify and exploit zero-day vulnerabilities in every major operating system and every major web browser when directed by a user to do so. A zero-day (0-day) is a previously unknown software or hardware bug that hackers exploit before developers or vendors become aware of it. The name derives from the fact that vendors have had zero days to create a fix, leaving systems completely exposed to attack.
Mythos could find bugs that are difficult to detect, in some cases up to 27 years old. The team said more than 99 per cent of the vulnerabilities that Mythos could detect (and potentially exploit) have not yet been patched.
Reports said that US Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell summoned Wall Street leaders to an urgent meeting over concerns about what Claude Mythos could do. The bank CEOs assembled at the Treasury’s headquarters in Washington on Tuesday, according to reports. The idea was to ensure that the banks are aware of possible future risks raised by Mythos and similar models. They have been told to take precautions to defend their systems, Bloomberg, Reuters and other outlets reported. The meeting was reportedly attended by chiefs of Citigroup, Morgan Stanley, Bank of America, Wells Fargo, Goldman Sachs and others.
Mythos exposed that core banking systems, algorithmic trading platforms, market-data feeds, and exchange infrastructure, which overwhelmingly run on Linux servers and cloud environments using Amazon Web Services (AWS), Microsoft Azure and Google Cloud, as well as browser-based internal tools, would be at risk if such a tool were widely available. This could enable a new era of AI-augmented attacks that could cause flash outages, order spoofing, stolen proprietary data, or settlement failures, any of which could trigger liquidity crises or panic selling that could roil the financial markets.
In plain terms, what Mythos appears to have demonstrated is AI’s ability to identify vulnerabilities, write code on its own to exploit those gaps, and enter, hack into, and disrupt or destroy websites, databases, operating systems, and possibly much more. Mythos Preview could find and exploit the undiscovered or “zero-day” vulnerabilities in open-source codebases. It could also reverse-engineer exploits in closed-source software and turn known but unpatched vulnerabilities into active exploits, said the Mythos team in a blog post.
Access to Mythos will be limited to about 40 technology companies, including Microsoft, Google, Apple and Amazon, Anthropic has said. The AI startup did not do a broad release of Mythos, as its own team was concerned that the model could expose previously unknown cybersecurity vulnerabilities. In the wrong hands, this could mean potential devastation. Anthropic is having discussions with US government officials about the model’s offensive and defensive cyber capabilities. Ahead of the Mythos release, the company proactively briefed senior US government officials and key industry stakeholders on its mind-boggling capabilities.