Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell summoned the CEOs of major Wall Street banks to an urgent meeting on April 9, 2026, according to Bloomberg. The subject was not a market crash or a liquidity crisis. It was an AI model.
Anthropic's Claude Mythos Preview, unveiled on April 7, has demonstrated cybersecurity capabilities that the company itself describes as a "watershed moment." The model discovered over 1,000 high- and critical-severity vulnerabilities across every major operating system, every major web browser, and closed-source software, including bugs as old as 27 years. Its exploit generation rate makes the current state of financial cyber defense look outdated overnight.
1,000 critical bugs found across major OSes
The numbers from Anthropic's own red team assessment are blunt. On Firefox JavaScript exploits, Mythos achieved 181 successful exploits versus 2 from its predecessor, Opus 4.6. Against OSS-Fuzz repositories, it reached full control flow hijack on 10 separate targets. Human validators confirmed an 89% accuracy rate on severity assessments.
Speed is the more alarming metric. Exploits that experienced penetration testers estimated would take weeks to develop were generated in hours. Non-experts, engineers at Anthropic with no formal security training, asked Mythos to find remote code execution vulnerabilities overnight and got results by morning.
The model does not stop at finding bugs. It chains them. One FreeBSD demonstration required splitting a 20-gadget ROP chain over multiple packets. Another browser exploit combined four separate vulnerabilities using JIT heap spray techniques. This is not theoretical research. These are working proofs of concept.
Treasury frames Mythos as systemic risk
Financial institutions run some of the most complex software stacks in any industry, layered across decades of legacy systems, third-party integrations, and real-time transaction processing. A model that can find and exploit zero-day vulnerabilities autonomously across operating systems, browsers, and cryptography libraries poses a direct threat to that infrastructure.
Bessent and Powell appear to be treating this as a systemic risk briefing, not a routine technology update. The meeting format, summoning CEOs rather than CISOs or compliance officers, signals that the government views Mythos-class AI capabilities as a board-level concern.
The crypto sector sits squarely in the threat surface. Exchanges, US-facing crypto firms, self-custody wallets, DeFi protocols, and stablecoin issuers all rely on the same operating systems, browsers, and cryptographic libraries that Mythos has already cracked open in testing. A model that can reverse-engineer stripped binaries and generate privilege escalation exploits past hardened defenses like KASLR makes every smart contract audit and penetration test conducted before April 2026 look incomplete.
Project Glasswing: The Defensive Play
Anthropic is not releasing Mythos to the public. The model is available only through Project Glasswing, a controlled deployment to roughly 40 organizations that build or maintain critical software and infrastructure. Launch partners include JPMorgan Chase among other major technology and infrastructure companies, according to TechCrunch.
The company says 99% of the vulnerabilities Mythos found remain unpatched and undisclosed. Each bug report goes through manual validation by professional human reviewers before coordinated disclosure, with standard 90+45 day timelines. Anthropic provides SHA-3 hashes as proof of possession for specific vulnerabilities, a mechanism to demonstrate the findings are real without prematurely exposing the flaws.
A future Claude Opus model is expected to include new safeguards to "detect and block the model's most dangerous outputs," along with a Cyber Verification Program for security professionals whose legitimate defensive work might otherwise be restricted.
Crypto infrastructure runs on the same vulnerable libraries
Ledger's CTO warned last month that AI is driving the cost of crypto attacks toward zero. Mythos makes that warning concrete. The $1.4 billion in crypto losses from 2025 came largely from social engineering and known exploit patterns. A model that autonomously discovers and chains unknown vulnerabilities in the cryptographic libraries underpinning wallets, bridges, and exchanges represents a different category of threat.
The Solana Foundation recently launched STRIDE and SIRN to harden DeFi security after the Drift exploit. Those programs were built for the pre-Mythos threat environment. Every major chain's security infrastructure, formal verification tools, bug bounty programs, third-party audits, needs to be re-evaluated against a world where vulnerability discovery at this scale costs hours, not months.
Crypto markets, as of April 10, are holding steady: BTC at $72,053 (+2.0% over 24 hours), ETH at $2,197 (+1.2%), with the Fear & Greed Index sitting at 45 (Neutral). The Bessent-Powell meeting has not triggered a sell-off, but the policy response is still forming. If regulators conclude that financial institutions, including crypto custodians, need new cybersecurity standards to operate in a Mythos-era threat landscape, the compliance costs will follow.
Overview
Treasury Secretary Bessent and Fed Chair Powell convened an emergency meeting with Wall Street bank CEOs on April 9 over cybersecurity risks posed by Anthropic's Mythos AI model. Mythos discovered over 1,000 critical vulnerabilities across all major operating systems and browsers, generating working exploits in hours. The model is restricted to 40 organizations through Project Glasswing, with JPMorgan Chase among the launch partners. Crypto infrastructure, from exchanges to self-custody wallets, sits on the same software stack that Mythos has already penetrated in testing. No breaches have occurred, but the government is treating Mythos-class AI as a systemic financial risk.
