itsecurityguru.org via Reddit

Anthropic Mythos finds bank zero-days, EU locked out


Key insights

  • All 111 ECB-supervised eurozone banks attended the emergency meeting; none currently hold Mythos access through Project Glasswing.
  • Mythos compresses patch reverse-engineering from several weeks to approximately 30 minutes, rendering standard bank update cycles operationally insufficient.
  • DORA mandates penetration testing resilience but provides no mechanism compelling Anthropic to grant European regulators or banks sovereign access to Mythos.

Why this matters

The ECB's emergency summons of all 111 directly supervised eurozone banks over Anthropic's Mythos AI marks the first time a major central bank has mobilized its entire supervised roster over a single commercial AI model's offensive capabilities. Mythos is available to roughly 40 to 50 organizations globally through Project Glasswing, none of them European banks, while the model can reverse-engineer patches in approximately 30 minutes, making standard bank update cycles operationally insufficient. DORA mandates penetration testing resilience but provides no mechanism to compel Anthropic to grant sovereign access, leaving regulators able to set remediation requirements they cannot equip banks to meet. Europe's reactive posture -- the ECB meeting followed a parallel US Treasury and Federal Reserve emergency banking meeting by six to seven weeks -- and the parallel BNP Paribas and Mistral AI sovereignty-model effort signal that the AI cybersecurity access divide has become a structural fault line in transatlantic financial stability.

Summary

The European Central Bank held an emergency meeting on May 27 with over 300 participants after Anthropic's Mythos AI uncovered thousands of zero-day vulnerabilities across major operating systems and browser stacks. Mythos can reverse-engineer patches into working exploits within hours. ECB Vice-Chair Frank Elderson called the situation urgent and immediate, not a distant scenario. Essentially, Anthropic and the ECB sit at the center of a security asymmetry Europe didn't choose:

  • Anthropic restricted Mythos to roughly 40 US firms, leaving European banks unable to study the same threats the model identified.
  • Zero-days span major OS and browser stacks, the software layer every bank runs on.

The access gap turns a cybersecurity crisis into a geopolitical one.

Potential risks and opportunities

Risks

  • European banks operating on unpatched OS and browser stacks could face nation-state exploitation of Mythos-identified zero-days before vendors ship fixes, with no ability to prioritize their own defenses using the model
  • If Mythos-identified vulnerabilities leak outside Anthropic's 40-firm access circle through a breach or insider, adversaries gain a comprehensive zero-day catalog against global banking infrastructure with no coordinated disclosure backstop in place
  • EU regulators may impose emergency compliance requirements on European banks within 90 days, forcing costly security audits against a threat profile they cannot directly model or validate

Opportunities

  • European cybersecurity consultancies (NCC Group, SEC Consult, NVISO) are positioned to capture significant mandates from banks needing threat modeling and red-team exercises without direct Mythos access
  • EU-based AI and security research institutions (Fraunhofer, Aleph Alpha) gain leverage to pitch European regulators on domestically accessible security AI alternatives as the access asymmetry becomes a policy flashpoint
  • OS and browser vendors (Microsoft, Google, Mozilla) face pressure to accelerate patch pipelines and may fast-track security research partnerships, opening contract opportunities for firms specializing in rapid vulnerability triage

What we don't know yet

  • Which specific OS vendors (Microsoft, Apple, Linux distributions) and browser makers (Google, Mozilla) have been notified about Mythos-identified zero-days, and what their remediation timelines are
  • What criteria Anthropic used to select the roughly 40 US firms granted Mythos access, and whether European financial regulators have formally requested access or been denied
  • Whether the May 27 ECB meeting produced any coordinated disclosure framework between Anthropic, EU regulators, and affected software vendors

What others are reporting

Coverage cluster as of 24h after publish

  1. The Irish Times

    Frames the central problem as an information asymmetry: European banks face Mythos-revealed vulnerabilities without the tool US competitors hold, an access gap the ECB tried to bridge at the Tuesday meeting.

    "The clock is ticking," Elderson said regarding the urgency of banks addressing vulnerabilities.
  2. The Next Web

    Adds the geopolitical dimension: Mistral AI is developing a competing European cybersecurity model framed explicitly as a technological sovereignty response, with only 40 to 50 organizations globally holding Glasswing access.

    AI models can now reverse-engineer software fixes within minutes of their release.
  3. ActuIA

    Strongest DORA gap analysis: Article 26 covers threat-led penetration testing but is silent on tool access, and neither ENISA nor EBA issued offensive AI guidelines in 2025 or 2026, leaving the regulatory gap structurally unaddressed.

    A software patch can now be reverse-engineered in about thirty minutes, compared to several weeks previously.
  4. FStech

    Reports that Mythos can compound individually lower-risk flaws into serious threats, a capability FStech describes as game-changing, and notes Anthropic agreed to brief the Financial Stability Board and European Commission.

    Banks using Mythos discovered the model could combine lower-risk flaws into more serious threats.
  5. Yellow.com

    Puts the precise supervisory scope on record at 111 banks and includes Elderson's call to move from andante to presto on patching, plus his request that US-based Glasswing members share Mythos testing insights with European counterparts.

    Attackers can now reverse-engineer a fix within 30 minutes, so the slower update cycles common at many banks no longer suffice.
  6. OECD.AI Monitor

    Classifies the situation under OECD's formal AI Incidents and Hazards taxonomy as an AI Hazard, not yet an Incident, with affected principles including robustness, digital security, and critical infrastructure resilience.