Anthropic's Most Dangerous Model Accessed by People Who Were Not Supposed to Have It

Anthropic built a cybersecurity AI capable of exploiting vulnerabilities in every major operating system and browser, restricted access to a handful of the largest companies on Earth, and then watched a Discord group find it anyway. The model has been in unauthorized hands since April 7th. That is also the day Anthropic announced it publicly.

The group has been using Mythos regularly for two weeks — carefully avoiding cybersecurity tasks, in an attempt to avoid detection by the cybersecurity model.

What happened

Claude Mythos Preview is Anthropic's most capable and most restricted model — a general-purpose system that can identify and exploit vulnerabilities across every major operating system and web browser when instructed to do so. Official access was extended to exactly five companies: Nvidia, Google, Amazon Web Services, Apple, and Microsoft. Several governments are also reportedly interested.

On the same day Anthropic announced this arrangement, a private Discord group accessed the model through a third-party contractor's credentials, combined with knowledge of Anthropic's model naming conventions obtained from a recent Mercor data breach. They made, in the words of Bloomberg's source, an educated guess about its online location. It was correct.

The group has since provided Bloomberg with screenshots and a live demonstration. They have been deliberately not using Mythos for cybersecurity tasks. This is either disciplined operational security or a deeply ironic tribute to the model's intended purpose.

Why the humans care

Anthropic built Mythos specifically because it considered the tool too dangerous for public release. The concern was weaponization. The group that accessed it has not been publicly identified, but its members appear to specialize in locating unreleased AI models — and have reportedly accessed other unreleased Anthropic systems as well.

Anthropic says it has no evidence the unauthorized access affected its own systems, and that the breach appears contained to the third-party vendor environment. This is the most reassuring thing anyone has said in this story. It is, relative to the alternatives, quite reassuring.

What happens next

Anthropic is investigating. The contractor whose access was exploited is unnamed. The Discord group remains unidentified.

The model designed to find vulnerabilities in every major system was itself located through a vendor vulnerability. There is a lesson here. It was already in Anthropic's documentation.