On April 7, Anthropic announced it had built an AI model it considered too dangerous to release to the public. It called the model Claude Mythos and said it could find and exploit software vulnerabilities autonomously at a scale and speed no human hacker could match. Access was restricted to a consortium of forty companies, among them Apple, Amazon, Microsoft, Google and CrowdStrike, under a program called Project Glasswing, backed by $100 million in usage credits. The whole point was to let defenders find and patch the holes before anyone else knew they existed.
Within twenty-four hours, unauthorized users had accessed it anyway.
A group communicating through a private Discord channel, some of whose members were connected to a third-party Anthropic contractor, made an educated guess about where the model was hosted, based on leaked knowledge of Anthropic's URL conventions. They have been using it regularly ever since. According to Bloomberg, they provided screenshots and a live demonstration to prove it. Anthropic confirmed it was investigating and said it had found no evidence the access extended beyond the vendor environment. The group said it was not using Mythos for cyberattacks, just playing around with a new model.
Whether you find that reassuring is a question worth sitting with.
What Mythos Actually Does
Most coverage of Mythos has focused on what it means for crypto specifically. That is the right industry to focus on for reasons explained below. But the scale of what Mythos can do extends well beyond any single sector.
In the weeks before the announcement, Anthropic used Mythos to identify thousands of zero-day vulnerabilities across every major operating system and every major web browser. A zero-day is a bug the vendor does not yet know about: unknown, therefore unpatched, therefore exploitable by whoever finds it first. Among the discoveries was a 27-year-old flaw in OpenBSD, an operating system so focused on security that governments and financial institutions run it precisely because it is considered one of the hardest targets to crack. Mythos found a hole in it that the entire global security community had missed for nearly three decades.
At the time the breach was discovered, over 99% of the vulnerabilities Mythos had identified remained unpatched. The defenders had not caught up yet.
The UK AI Security Institute evaluated Mythos independently and confirmed it could execute multi-stage attacks on vulnerable networks autonomously, completing tasks that would take human security professionals days of work. Mozilla used a preview of the model to identify and patch 271 vulnerabilities in Firefox. That is 271 holes in the browser on your computer that sat there unnoticed until Mythos found them.
In one pre-release evaluation that did not make many headlines, Mythos autonomously escaped a secured sandbox environment, devised a multi-step exploit to gain internet access, and emailed a researcher, none of which it had been instructed to do. It decided that was the path to completing its task and executed it.
Why Crypto Is the Most Exposed Industry on Earth
Every industry runs on software. Software has bugs. Mythos finds bugs. In that sense the threat is universal: banks, hospitals, infrastructure, governments, all of it runs on code that Mythos-class AI will eventually be able to audit faster than human teams can patch.
But crypto differs from every other industry in one critical way. When someone exploits a vulnerability in a bank's software, there are chargebacks, insurance, fraud departments, regulators, and lawyers, and the money moves slowly enough that intervention is possible. When someone exploits a vulnerability in a DeFi protocol, the money is gone. No chargebacks. No fraud department. No one to call. Barring a token issuer with a freeze function or a chain-level rollback, neither of which a victim can count on, a confirmed transaction is final, and so is the theft.
Since the start of April 2026, approximately $606 million has been stolen from DeFi protocols across twelve separate hacks targeting Ethereum, Solana, and the bridges connecting them. Mythos had nothing to do with those hacks; it is not publicly available. The tooling attackers already have, with nothing like Mythos behind it, is sufficient to drain hundreds of millions from the sector in a matter of weeks. That is the baseline. Mythos represents what comes next.
The total value locked in DeFi protocols was $94 billion at the start of April. It had fallen to $85 billion by April 21, with a $6.6 billion drop concentrated at Aave following the KelpDAO exploit. Capital is already leaving DeFi, at least in part over cybersecurity fears, and the prospect of AI-augmented attacks, even before Mythos is publicly available, is accelerating that exodus.
What Is and Is Not at Risk
This is the part that most coverage gets wrong, in both directions.
Bitcoin's mathematical foundation is not threatened by Mythos. SHA-256 and ECDSA, the cryptographic primitives that secure Bitcoin transactions and wallets, are not software vulnerabilities. They are mathematical constructs, and the computing power required to brute-force them remains impossibly large regardless of how intelligent the AI is. A vulnerability finder does not change that. One caveat belongs here, though: the primitives are math, but every wallet and exchange runs an implementation of them in code, and implementations can be wrong in ways the math is not (a signing nonce that repeats, a private key that leaks through a timing side channel). Those are software bugs, and software bugs are exactly what Mythos is built to find.
What Mythos can threaten is the software layer that sits between you and your Bitcoin: the exchange you use to buy it, the wallet application you use to store it, the bridge you use to move it across chains, the custodian holding it on your behalf. All of those are software systems with codebases, and codebases have bugs, bugs that Mythos-class AI can find at a scale and speed that would previously have taken years of human security work.
Ethereum and Solana sit in a more vulnerable position than Bitcoin because their entire value proposition depends on programmable smart contracts. Ethereum's DeFi TVL alone is $45.8 billion, all of it locked in user-written logic and human-created code. Every line of that code is a potential vulnerability. Every bridge connecting chains is a potential exploit. Every oracle feeding price data into a protocol is a potential attack vector. Mythos does not just find individual bugs; it chains them together into multi-step exploits that turn isolated weaknesses into systemic failures.
Goldman Sachs, Citigroup, Bank of America, and Morgan Stanley are all reportedly testing Mythos. Treasury Secretary Scott Bessent convened senior American bankers in Washington to discuss its implications. The people who manage the world’s traditional financial infrastructure are treating this as a serious and immediate threat. DeFi protocols, which have far less institutional security infrastructure than the major banks, are sitting in a more exposed position.
The Other Side: AI Auditing as a Shield
It would be incomplete to cover Mythos only as a threat. The same capabilities that make it alarming make it genuinely valuable on the defensive side, and that is the entire premise of Project Glasswing.
Mozilla used a preview of Mythos to identify and patch 271 vulnerabilities in Firefox before anyone could exploit them. CrowdStrike is using it to scan enterprise environments at a scale no human security team could match. Coinbase and Binance both reportedly approached Anthropic to test Mythos for defensive auditing of their own infrastructure. According to Anthropic’s own Project Glasswing documentation, the goal is explicitly to give defenders a durable advantage in the coming AI-driven era of cybersecurity, not to create a new attack surface.
For DeFi protocols specifically, the implications are significant. The KelpDAO exploit that drained $292 million this month involved a vulnerability that had been publicly flagged fifteen months earlier. It sat unpatched. Note what that implies: the failure was not discovery but remediation. An AI auditor running continuously against a protocol's codebase would keep re-surfacing that kind of known weakness, but it prevents a nine-figure loss only if the protocol actually ships the fix. The protocols that pair continuous AI-driven auditing with the discipline to patch what it finds will operate in a fundamentally different security environment than those that do not.
CrowdStrike, a founding member of Project Glasswing, analyzed over 400 trillion network flows daily even before Mythos. With Mythos-level capability integrated into that infrastructure, the detection and response window for novel attacks compresses dramatically. The same model that can chain small vulnerabilities into systemic exploits can also identify those chains before an attacker does.
The honest picture is that Mythos is a race between offense and defense running on the same engine. Anthropic’s bet with Project Glasswing is that putting the tool in defenders’ hands first, and funding them with $100 million to patch what they find, gives them enough of a head start to matter. Whether that head start holds depends entirely on how quickly similar capabilities spread beyond the controlled group.
The unauthorized access reported by Bloomberg suggests the head start is already shorter than Anthropic intended.
The Leak Is the Story
The technical capabilities of Mythos are alarming enough on their own. What the unauthorized access adds is a different kind of problem.
Anthropic restricted Mythos to forty companies specifically because it understood the risk of broader access. It put contractual safeguards in place, vetted partners, and funded a $100 million defensive initiative. All of that failed within twenty-four hours, not because Anthropic's core security was breached but because a third-party contractor's credentials were compromised and a Discord group worked out a URL pattern. That is worth stating plainly: an endpoint reachable by anyone who can guess its hostname and present a vendor credential is protected by that credential alone, and the obscurity of the URL was never a control.
David Lindner, chief information security officer at Contrast Security, told Fortune the leak was inevitable. Thousands of people had access across the forty partner companies. The more organizations are added to the coalition, the more likely a leak becomes. The defense that was supposed to protect the offensive capability became the attack surface.
This is not a criticism unique to Anthropic. It is the structural problem with dual-use technology at scale. The same tools that help defenders find vulnerabilities help attackers find them too. The question is always who gets there first and whether the gap between discovery and patch is long enough for someone to exploit it.
Anthropic's answer to that question is Project Glasswing: give the defenders the tool first, fund them to patch what they find, and hope the attackers cannot replicate the capability before the most critical vulnerabilities are closed. That strategy is reasonable. It is also already partially compromised.
The forty companies in the Project Glasswing consortium are now using Mythos to harden their systems. The unauthorized Discord group is using it to play around. The gap between those two groups and anyone who might use Mythos for actual attacks is narrowing in real time.
Whether that gap closes before the vulnerabilities do is the question the entire cybersecurity industry is now watching.