1. A Security Threshold That Has Been Crossed
In late 2025, Ledger's chief technology officer warned that AI was driving down the cost of cyberattacks and that the industry was not prepared for what was coming. On April 7, 2026, Anthropic's publication of the Claude Mythos Preview technical assessment made that warning concrete. The company released documentation showing that its newest frontier model can autonomously identify and fully exploit zero-day vulnerabilities — previously unknown software flaws — across every major operating system and every major web browser, performing at a level that surpasses all existing automated security tools and nearly all human security researchers.
The capabilities were not designed into the model. Anthropic researchers stated explicitly that they did not explicitly train Mythos Preview for offensive security work. Instead, the capabilities emerged as an unintended consequence of broader improvements in code understanding, reasoning, and autonomous operation — the same general improvements that make the model more effective at the defensive task of patching vulnerabilities also make it materially more effective at finding and exploiting them. That dual-use emergence is what makes the publication significant and what gives it particular relevance to the DeFi ecosystem.
2. What Mythos Found: Decades-Old Bugs in Critical Software
The technical documentation released alongside the model describes findings that security researchers found immediately arresting. Mythos Preview identified a 27-year-old denial-of-service vulnerability in OpenBSD's TCP stack implementation — an operating system specifically engineered to be resistant to attack and widely used for running firewalls and critical infrastructure. The model located this vulnerability across approximately 1,000 automated scanning runs at a total compute cost under $20,000.
A separate discovery involved a 16-year-old flaw in FFmpeg's H.264 video codec, present in a commit from 2003 and exposed by a refactoring in 2010. Automated security testing tools had executed the vulnerable code path approximately five million times without flagging it as problematic. Mythos found it. In FreeBSD, the model autonomously identified and fully exploited a 17-year-old remote code execution vulnerability — triaged as CVE-2026-4747 — in the network file system server component, enabling unauthenticated root access to any machine running the affected configuration. No human involvement was required after the initial prompt instructing the model to search for vulnerabilities.
Beyond these individual high-profile discoveries, Anthropic stated that across its testing program Mythos Preview identified thousands of high- and critical-severity zero-day vulnerabilities, with more than 99% still unpatched at the time of the disclosure announcement. The model also demonstrated the ability to chain multiple vulnerabilities together — in one documented case, writing a browser exploit that connected four separate flaws to escape both the renderer sandbox and the operating system sandbox simultaneously.
3. The Cryptography Library Findings That Concern DeFi
For the cryptocurrency and DeFi ecosystem specifically, the finding that carries the most immediate relevance is buried in a section of Anthropic's technical documentation that might otherwise seem peripheral to blockchain applications. Mythos Preview identified security weaknesses in what Anthropic describes as the world's most widely deployed cryptography libraries — specifically in implementations of TLS (Transport Layer Security), AES-GCM (Advanced Encryption Standard in Galois/Counter Mode), and SSH (Secure Shell).
These are not exotic or niche protocols. TLS secures every HTTPS connection on the internet, forming the foundational layer of trust for every web-based interface through which DeFi users interact with protocols. AES-GCM encrypts stored and transmitted data across virtually every computing platform. SSH is the primary mechanism through which developers and administrators remotely access the servers that run DeFi infrastructure, including the nodes, APIs, and backend systems that protocols depend on for operation. Flaws in any of these libraries could allow an attacker to forge authentication certificates, decrypt previously encrypted communications, or intercept supposedly secure administrative connections to protocol infrastructure.
One specific vulnerability in this category — a critical certificate authentication bypass in the Botan cryptography library — was publicly disclosed on the same day as the Mythos announcement, meaning it had not previously been known to or addressed by the maintainers of systems depending on Botan for security functions.
4. Why Open-Source DeFi Protocols Are Specifically Exposed
The DeFi ecosystem's structural characteristic of operating primarily through open-source code creates an exposure profile that is qualitatively different from the threat model of proprietary financial software. Open-source code is publicly available for inspection, which is both a security advantage — enabling broad community review — and a potential liability when a sufficiently capable tool can systematically identify vulnerabilities that human reviewers and existing automated scanners have missed.
Approximately $200 billion in user assets is locked in smart contracts across Ethereum, Solana, and other blockchain networks at any given time. Those protocols have been audited by specialized security firms, scanned by automated tools, and reviewed by developer communities. But Anthropic's documentation makes a specific point that is directly relevant to DeFi's reliance on these forms of defense: the model has demonstrated capabilities against precisely the categories of tools and processes that DeFi currently treats as its security foundation.
The documentation notes that mitigations whose security value derives primarily from friction rather than hard technical barriers may become considerably weaker against model-assisted adversaries. Multisig governance structures, which require multiple human approvals before a blockchain transaction is executed, are friction-based. Timelocks, which delay the execution of transactions for a set period to allow detection and response, are friction-based. Audit reports that certify the absence of known vulnerabilities are friction-based. Each of these defenses works by making attacks more difficult, time-consuming, or costly. An AI system capable of autonomously developing working exploits in hours dramatically changes the economics of that friction.
5. The Exploit Success Rate: From Near-Zero to 72%
To understand the magnitude of the capability shift Mythos represents, the comparison to prior Anthropic model generations is instructive. Anthropic's internal benchmark tests models against approximately 7,000 entry points across open-source repositories, asking models to find and exploit vulnerabilities autonomously. The benchmark uses a tier system in which tier 5 represents a complete control flow hijack of the target system.
Earlier frontier models — including Claude Sonnet 4.6 and Opus 4.6 — each achieved tier 5 exactly once across the full benchmark. Mythos Preview achieved tier 5 on ten separate, fully patched targets. More strikingly, when tested for exploit development specifically — the ability to take a known vulnerability and produce a functional working exploit that can actually be used to compromise a system — the success rate differential is dramatic. Claude Opus 4.6 produced a working exploit in just over 0% of attempts. Mythos Preview produced a working exploit in 72.4% of attempts.
That gap — between near-zero and nearly three-quarters — is not an incremental improvement. It is a threshold crossing. The model has moved from being unable to reliably develop exploits to being capable of doing so in the majority of cases, autonomously, without human guidance at each step.
6. Anthropic's Decision Not to Release Mythos Publicly
Recognizing the security implications of the capabilities it had developed, Anthropic chose not to make Mythos Preview publicly available. Instead, the company launched Project Glasswing — a coordinated defensive initiative under which a selected group of organizations with responsibility for critical software infrastructure can access the model to scan their own systems for the same vulnerabilities Mythos can find and exploit.
The Project Glasswing partners include Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks. Beyond the twelve founding partners, Anthropic has extended access to approximately 40 additional organizations that build or maintain critical software. The company is committing up to $100 million in usage credits for Mythos Preview across the initiative, along with $4 million in direct contributions to open-source security organizations.
The framing of the initiative is explicitly defensive: get the most critical software patched before models with comparable capabilities become available through other means. The unspoken assumption embedded in that framing is that capabilities similar to Mythos Preview will eventually become available more broadly — either through other AI labs developing comparable models, through the gradual capability improvement of publicly available models, or through other channels. Project Glasswing is an attempt to use the defensive application of these capabilities to reduce the attack surface before the offensive application becomes accessible.
7. The Unintended Emergence Problem
One of the most consequential aspects of Mythos Preview's capabilities is how they arose. Anthropic's researchers did not build a specialized offensive security tool. They built a general-purpose model optimized for code understanding, reasoning, and autonomy — capabilities intended to make the model more effective across a wide range of tasks including software development, debugging, and code review. The offensive security capabilities are a side effect of those general improvements, not a design goal.
This emergence pattern has significant implications for the broader AI safety and capability development landscape. It suggests that the gap between "capable general AI model" and "capable autonomous vulnerability discovery and exploitation system" may be smaller than security planners have assumed, and that the boundary between those categories may be crossed without deliberate intention to do so. Models that are being developed and deployed for legitimate productivity purposes may, above certain capability thresholds, also possess offensive security capabilities that their developers did not plan for and may not have adequately evaluated.
The Mythos documentation explicitly acknowledges this: "The same improvements that make the model substantially more effective at patching vulnerabilities also make it substantially more effective at exploiting them." That sentence describes a structural feature of the capability landscape that will remain true for future model generations, not just for Mythos.
8. Implications for DeFi Security Architecture
The immediate practical implication for DeFi protocol teams is the same one that the Ledger CTO articulated more broadly and that the Drift incident illustrated in specific detail: security frameworks that depend on friction-based defenses are less durable than they appear. Audits certify the state of a codebase at a point in time against known vulnerability patterns. Multisig governance delays but does not mathematically prevent administrative actions. Timelocks create detection windows but not hard barriers.
Against an adversary operating with a tool like Mythos Preview — or a future, more capable successor — the friction that these defenses impose may not be sufficient to prevent a determined attack. The relevant question is not whether an attacker can find a vulnerability in a DeFi protocol, but whether the attacker can find it faster than the protocol's defensive scanning can identify and patch it, and whether they can turn it into a working exploit before a timelock provides an opportunity for intervention.
Protocol teams that want to maintain meaningful security margins in this environment will need to integrate AI-assisted vulnerability discovery into their own defensive workflows — using tools like Mythos Preview through Project Glasswing while access is available, investing in formal verification for the highest-value contract logic, and shortening the cycle time between vulnerability identification and patch deployment.
9. The Post-Quantum Cryptography Migration Risk Compounds
Mythos Preview's ability to find vulnerabilities in battle-tested cryptography library implementations has a secondary implication that compounds the post-quantum cryptography migration challenge discussed extensively in recent weeks. If AI systems can find implementation flaws in TLS, AES-GCM, and SSH — protocols that have been scrutinized for decades and implemented by expert cryptographic engineers — the risk profile for newly developed post-quantum cryptography implementations is substantially higher.
Post-quantum cryptographic algorithms are newer, less reviewed, and implemented by a smaller community of specialists than the current generation of cryptographic standards. The period immediately following their deployment, before the ecosystem of defensive tooling, expert review, and battle-hardening that classical crypto benefited from has had time to develop, may be precisely when Mythos-class AI models find critical implementation flaws at scale. The migration to post-quantum cryptography is necessary and time-bounded. But the migration itself may introduce a window of vulnerability that AI-assisted adversaries are better positioned to exploit than the quantum adversaries the migration is designed to protect against.
10. A Near-Term Threat Among Theoretical Ones
The DeFi ecosystem spent the first weeks of April 2026 processing the implications of Google's quantum research suggesting that bitcoin's elliptic curve cryptography could eventually be broken by future hardware. That threat, while genuine, is measured in years — five, ten, or more before machines capable of mounting such an attack could plausibly exist.
Mythos Preview is not a theoretical future threat. It exists today, operated under controlled conditions by a limited set of partners, and it has already demonstrated the ability to find critical vulnerabilities in the cryptographic infrastructure that DeFi depends on. The market, as measured by DeFi sector price performance, did not react negatively to the Mythos announcement on April 8 — the broader ceasefire-driven rally in risk assets was dominating price action. But the security implications do not disappear because markets are rallying. The gap between an AI system that can autonomously develop working exploits for over 70% of target systems and the security architecture that DeFi currently relies on is a problem that needs engineering solutions, not market reassessment, and the window to address it while Mythos-class capabilities remain restricted is not indefinite.