What if the AI model built to find vulnerabilities in every major OS and browser was sitting in a Discord server, available to anyone who knew the right URL?

That's not a red-team exercise. That's what happened to Anthropic's Claude Mythos over the past two weeks.

On April 7, 2026 — the same day Anthropic announced it was releasing Mythos to a select group of companies under the Project Glasswing initiative — a small group of unauthorized users gained access to the model. They didn't breach Anthropic's infrastructure directly. They walked in through a third-party vendor's environment, using knowledge from a separate data breach to guess where the model was hosted.

Since then, they've been using it regularly. And they have screenshots to prove it.

What Is Claude Mythos?

Mythos isn't your average Claude model. Anthropic designed it specifically as a cybersecurity tool — capable of identifying and exploiting vulnerabilities in every major operating system and every major web browser when directed by a user.

Anthropic has been very clear about why it's not publicly available. The company has called it its "most dangerous" model. Official access is limited to a handful of major tech companies — Nvidia, Google, Amazon Web Services, Apple, and Microsoft — through the Project Glasswing initiative. Governments are also negotiating access.

The concern isn't hypothetical. A general-purpose model with active exploitation capabilities is fundamentally different from a coding assistant or a chatbot. In the wrong hands, it's not a tool for defense — it's an automated attack platform.

How the Breach Happened: A Chain of Small Failures

The unauthorized access wasn't the result of a single catastrophic failure. It was a chain of smaller ones — each insufficient on its own, but devastating in combination.

Step 1: The Mercor Data Breach

Earlier this year, Mercor — a company that makes AI training data — was hit by a security breach. The attackers obtained knowledge about Anthropic's model formats and deployment patterns.

Step 2: An Educated Guess

The group that accessed Mythos used that knowledge to make what Bloomberg described as "an educated guess" about the model's online location. They didn't brute-force their way in. They simply knew enough about how Anthropic structures its deployments to find the right URL.

Step 3: A Third-Party Vendor Environment

The actual access point was a third-party contractor working with Anthropic. One member of the unauthorized group told Bloomberg they were a contractor for the company. The group used a mix of the contractor's access and "commonly used internet sleuthing tools" to reach the model.

Step 4: Two Weeks of Regular Use

The group accessed Mythos on April 7th and has been using it regularly since. They provided Bloomberg with screenshots and a live demonstration. Critically, they reported using it for purposes other than cybersecurity — presumably to avoid triggering Anthropic's monitoring systems.

The same group has reportedly accessed other unreleased Anthropic models as well.

What This Reveals About AI Security Architecture

This incident highlights a pattern that's becoming increasingly common in AI security: the model itself isn't the weak point. The infrastructure around it is.

Three structural failures enabled this breach:

1. Model Discovery Through Deployment Patterns

Anthropic's models follow predictable deployment patterns. Once an attacker understands those patterns — through a breach, through leaked documentation, or through careful observation — finding new models becomes a reconnaissance problem, not a hacking problem.

This is the same reason security teams rotate infrastructure patterns and randomize endpoint names. Anthropic's deployment architecture apparently didn't include sufficient obfuscation to prevent targeted discovery.

2. Vendor Access as an Uncontrolled Extension

The breach happened through a third-party contractor, not Anthropic's own infrastructure. This is a classic supply chain problem — but applied to AI model access rather than traditional software dependencies.

When you grant a vendor access to a restricted model, you're extending your security perimeter to include their entire environment. Their breaches become your breaches. Their contractors become your exposure.

3. Detection Blind Spots for Non-Attack Usage

The group deliberately avoided using Mythos for cybersecurity tasks to evade detection. This suggests Anthropic's monitoring focused on the model's outputs — looking for exploitation behavior — rather than on access patterns themselves.

It's a reasonable monitoring strategy for a model designed for cybersecurity. But it created a blind spot: anyone using Mythos for general-purpose tasks wouldn't trigger the alarms designed to catch malicious use.

The Discord Connection

The unauthorized users are reportedly members of a private Discord channel that seeks out information about unreleased AI models. This isn't a nation-state operation. It's a hobbyist group with enough technical knowledge and motivation to find and access restricted systems.

That should be more concerning, not less.

A nation-state breach is contained by diplomatic pressure, intelligence sharing, and the inherent risk-aversion of state actors. A Discord group of motivated enthusiasts has none of those constraints. They can share access. They can document techniques. They can iterate on methods in real-time, with the collaborative speed that makes open-source development so effective.

The line between "security researcher" and "attacker" has always been blurry. When the tool in question is an AI model capable of finding exploits in major operating systems, that blurriness becomes a critical vulnerability.

Why Anthropic Won't Release Mythos Publicly

Anthropic has stated it currently has no plans to release Mythos to the public. The reason is straightforward: the model's capabilities create asymmetric risk.

A defender using Mythos to find vulnerabilities in their own systems gets incremental value — they can patch faster, identify weaknesses sooner, improve their security posture. An attacker using Mythos gets exponential value — they can find exploits at scale, automate targeting, and reduce the time between vulnerability discovery and exploitation from weeks to hours.

The defense community has more to lose from widespread access than it has to gain. That's not a comfortable position for an AI company whose stated mission includes broad benefit distribution. But it's the correct risk assessment.

Project Glasswing and the Access Problem

Anthropic's response to the access dilemma is Project Glasswing — a controlled release program giving vetted organizations access to Mythos for legitimate security research. Partners include the largest tech companies in the world, and the White House is reportedly preparing for government access as well.

But Glasswing itself creates a new attack surface. Every organization with access is a potential breach point. Every contractor working with those organizations extends the perimeter further. The model that was supposed to be contained within a small circle of trusted entities is now distributed across multiple corporate environments — each with their own security posture, their own vendors, their own potential compromises.

This breach proves that containment is harder than it looks.

What Happens Now

Anthropic is investigating. The company says it has no evidence that the unauthorized access extends beyond the third-party vendor's environment or is impacting Anthropic's own systems. The investigation is ongoing.

But the model has been out there for two weeks. The group has been using it regularly. And they've accessed other unreleased models as well. Even if Anthropic cuts off this specific access point, the knowledge of how to find and access restricted models is now distributed within a Discord community that specializes in exactly this kind of discovery.

This isn't the end of the story. It's the beginning of a new category of AI security incident.

The Bigger Picture

This breach lands in a month of escalating AI security concerns. Cisco just disclosed a memory poisoning attack against Claude Code. IBM announced Autonomous Security — a multi-agent defense system. OpenAI shipped sandboxing for its Agents SDK. The industry is racing to build security infrastructure around AI systems that are evolving faster than the defenses can keep up.

The Mythos breach reveals a fundamental tension in AI security: the most capable models are also the most dangerous, and the organizations trusted with access are also the most attractive targets. Every partner in a controlled release program is a potential breach vector. Every vendor relationship extends the attack surface.

The question isn't whether there will be more breaches like this. The question is what the next one will target — and whether we'll detect it before the model has been in unauthorized hands for two weeks.

If you're an organization with access to restricted AI models through programs like Glasswing, audit your vendor relationships today. Review who has access to what. Check your logs for unusual access patterns. And assume that if a Discord group can find your models, a more sophisticated actor already has.

Sources: Bloomberg (April 21, 2026), The Verge, Engadget, TechCrunch, Fortune