Anthropic Mythos finds tens of thousands

Anthropic’s Mythos system has turned a theoretical cyber risk into a live remediation problem for U.S. banks. Reuters reported on May 12 that a handful of large lenders with access to the model are now finding scores of weaknesses in their own technology estates and rushing through repairs, upgrades and other fixes that could at times disrupt customer-facing systems. Anthropic CEO Dario Amodei said last week that Mythos has already uncovered “tens of thousands” of unpatched software vulnerabilities and warned that institutions may have only six to 12 months before comparable capabilities spread more widely. Banks with access are also passing findings to smaller peers that do not have the tool directly, according to Reuters. ### Why are banks fixing systems now instead of treating this as a long-term threat? Reuters said on May 12 that the pressure is immediate because Mythos is not just generating abstract warnings. Large lenders using the tool are uncovering real weaknesses in internal systems, including vulnerabilities in proprietary and open-source code, several people familiar with the matter told Reuters. (thestar.com.my) Those findings are changing patching timetables. One source with knowledge of the findings told Reuters that banks are fixing several hundred to thousands of vulnerabilities ranked low to moderate, and in some cases patching in days issues that might previously have waited weeks. Another source said the pace of repairs could force banks to take systems offline more often, though they would try to limit customer disruption. (thestar.com.my) ### What exactly did Amodei say about the six-to-12 month window? Dario Amodei said at an Anthropic event on May 5 that institutions have “roughly” six to 12 months to fix the vulnerabilities Mythos has identified before comparable systems from Chinese rivals catch up, according to reports citing his remarks. BankInfoSecurity reported that he described Mythos as having found tens of thousands of unpatched flaws, while other coverage of the same event said he framed the period as a narrow window for governments, banks and technology companies to act. (thestar.com.my) BankInfoSecurity said Amodei’s warning came as Anthropic promoted new financial-services AI agents. Reuters separately reported that Wall Street banks testing Mythos were finding the model particularly effective at chaining together lower-risk weaknesses into higher-risk ones, a capability that has intensified the repair effort. ### Which banks have access, and who does not? (bankinfosecurity.com) Reuters previously reported, as reflected in follow-on coverage, that only a handful of the largest U.S. lenders currently have access to Mythos. Publicly named or reported participants have included JPMorgan Chase, while Goldman Sachs, Citigroup, Bank of America and Morgan Stanley were also reported to have access through Anthropic’s restricted rollout. Smaller banks generally do not have direct access and are relying in part on information shared by larger institutions. (bankinfosecurity.com) Price and infrastructure are part of the divide. Reuters reported through Yahoo Finance that Mythos remains out of reach for many smaller institutions both because of cost and because using it effectively requires technical capacity that not every bank has. ### What are regulators and policymakers doing with this information? On April 7, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell held a closed-door meeting with major bank chief executives to discuss the cybersecurity risks posed by Mythos, according to a Sullivan & Cromwell memo summarizing the meeting and CNBC’s reporting. (newsbreak.com) The discussion focused on the model’s ability to identify and potentially exploit unknown software vulnerabilities. (finance.yahoo.com) The warnings are no longer confined to the United States. Reuters reported on May 13 that European Central Bank board member Frank Elderson urged euro zone banks to accelerate preparations for possible AI-enabled cyberattacks tied to Mythos or similar systems. Reuters also reported that Japan’s three largest banks are expected to gain access to Mythos in about two weeks. (sullcrom.com) ### What happens next for banks and Anthropic? Japanese megabanks MUFG, Mizuho and SMFG are expected to receive Mythos access in about two weeks, according to a person with direct knowledge cited by Reuters. In the United States, larger lenders are continuing to share vulnerability findings with smaller banks as repair work proceeds. (msn.com) Anthropic has kept Mythos on a restricted rollout rather than a broad public release. Reuters-reported follow-up coverage said the company initially limited access to Project Glasswing partners and roughly 40 additional organizations, leaving the next phase defined less by a product launch than by how quickly banks, software vendors and public agencies can work through the vulnerabilities already found. (newsbreak.com) (msn.com)