A small group of unauthorised users accessed Anthropic’s newly announced Mythos AI model on the day of its limited release in April, raising concerns over the containment of a system designed for high-risk cybersecurity testing.
According to Bloomberg News, the users gained entry through a private online forum and have continued to use the model regularly since early April, citing a person familiar with the matter and supporting documentation. The access coincided with Anthropic’s rollout of Mythos under its tightly controlled Project Glasswing initiative, which restricts usage to approved organisations.
Bloomberg reported that the group did not deploy the model for cyberattack-related purposes, instead using it for benign tasks such as building simple websites. The same source said the users relied on a combination of contractor-level access and publicly available tools to locate the system, including scanning unsecured online repositories.
Anthropic said it is investigating the incident and suggested the breach may be limited in scope. A company spokesperson said, “We’re investigating a report claiming unauthorized access to Claude Mythos Preview through one of our third-party vendor environments,” adding that there is no evidence the issue has affected its core systems.
The company has described Mythos, which was first unveiled on April 7, as capable of identifying and exploiting vulnerabilities across major operating systems and web browsers when prompted. That capability has led Anthropic to limit access to selected partners, including major technology firms and infrastructure providers, for defensive cybersecurity testing.
Bloomberg reported that access may have been aided by knowledge derived from a recent data breach at Mercor, an AI training startup, which exposed technical patterns used by developers. The individual involved reportedly used prior authorised access through contract work to interact with Anthropic systems.
The same source told Bloomberg the group is focused on experimenting with unreleased models rather than causing harm, and has avoided triggering scrutiny by steering clear of sensitive prompts. However, the incident raises questions about whether additional unauthorised users may have obtained similar access.
Interest in Mythos has grown among financial institutions and government agencies seeking early access to test their own defences, according to Bloomberg, reflecting wider concern about the model’s potential impact on cybersecurity.
