By AJ Vicens and Raphael Satter
April 13 (Reuters) – Anthropic’s Mythos, a new AI model the company and cybersecurity experts warn could supercharge complex cyberattacks, poses significant challenges to the banking industry with its legacy technology systems, experts said in the days following the model’s announcement.
The model, announced April 7, is the company’s “most capable yet for coding and agentic tasks,” the company said in a blog post, referring to the model’s ability to act autonomously.
Its capabilities to code at a high level have given it a potentially unprecedented ability to identify cybersecurity vulnerabilities and devise ways to exploit them, experts said.
That’s a particular problem for banks and other financial institutions, which run technology stacks that integrate state-of-the-art tools with decades-old software, potentially opening a large number of vulnerabilities, according to TJ Marlin, the chief executive of enterprise AI security firm Guardrail Technologies.
Marlin said Mythos Preview can “look across a very complex architecture, including this legacy infrastructure where, frankly, these undiscovered vulnerabilities and complexities are now accessible and threat factors.”
The banking industry is also closely connected, with many companies operating the same narrow set of software to onboard customers, perform know-your-customer checks, and handle transactions.
“Because it’s a very specialized industry and heavily regulated, there’s a lot of IT interconnections,” said Naresh Raheja, a San Francisco-based consultant who previously worked at the Office of the Comptroller of the Currency. “Many banks use the same vendors and the same solutions.”
Marlin said that could act as a force multiplier for breaches, making any AI-powered exploits “potentially catastrophic at scale.”
Government officials in at least three countries – the U.S., Canada and Britain – have met with top banking officials to discuss the threats posed by Claude Mythos Preview.
The U.S. Treasury said that Donald Trump’s administration was pushing financial institutions “to understand and anticipate a wide range of market developments” and that further meetings around the issue were planned. Anthropic declined to comment beyond its April 7 announcement.
Anthropic has said Claude Mythos Preview will not be made generally available. Instead, the company announced Project Glasswing, in which it invited major tech companies, cybersecurity vendors and JPMorgan Chase, along with several dozen other organizations, to privately evaluate the model and prepare defenses accordingly.
IDENTIFYING VULNERABILITIES
Claude Mythos Preview is capable of identifying and exploiting previously undiscovered vulnerabilities in every major computer operating system and every major web browser, the company said in announcing Project Glasswing.
In a technical blog released alongside the main announcement, Anthropic researchers describe how Mythos Preview identified “thousands” of high and critical-severity vulnerabilities, meaning that targets could suffer grave impacts as a result, including data and operational compromise.
The researchers described how the model identified a 16-year-old vulnerability in the widely used FFmpeg software library, an open-source program used for processing audio and video files, and how it identified a bug in an unnamed virtual machine monitor program, which allows users to create segregated virtual computers within their own machine in ways that are supposed to protect the host system.
A Cloud Security Alliance coalition of cybersecurity executives and former senior U.S. government officials warned in an April 12 strategy briefing that Mythos represents “a step change” in the trajectory of capable AI models that “lowers the cost and skill floor for discovering and exploiting vulnerabilities faster than organizations can patch them.”
Costin Raiu, a longtime security researcher and co-founder of cybersecurity firm TLPBLACK, said in an interview that the banking industry has key legacy technology systems initially released decades ago that have been updated many times over the years, pointing to products produced by firms including IBM as an example.
“A model like Mythos would have a field day finding exploits” in certain IBM systems, Raiu said, pointing to examples of IBM-related vulnerability research. “And it’s just one example of ancient technologies powering the financial industry.”
In an April 9 blog post, IBM said that Mythos is “forcing enterprise security teams to rethink their defenses from the ground up,” and called for more of an open-source approach, where more companies and researchers have access to the model to make everyone more secure. The company did not respond to requests for comment.
JPMorgan Chase said in a statement last week that it was part of a group of leading companies that were privately evaluating Mythos, something it called “a unique, early-stage opportunity to evaluate next-generation AI tools for defensive cybersecurity across critical infrastructure.” The company did not return a message.
Wells Fargo also didn’t respond to a message. FS-ISAC, the nonprofit that works to boost the cybersecurity of the global financial system, did not respond to written questions.
Bank of America, Citibank, the American Bankers Association and the Consumer Bankers Association declined comment.
(Reporting by AJ Vicens in Detroit and Raphael Satter in Washington; Editing by Nick Zieminski)


