The AI model its own maker says can find and exploit software flaws better than almost any human is back online. It arrives in the middle of crypto’s worst year for hacks. Here is what actually changes, and what the panic gets wrong.
The model built to find software flaws is back, and it landed in the worst possible year for the industry with the most to lose. On July 1, 2026, Anthropic restored access to Claude Fable 5 worldwide after the U.S. Department of Commerce lifted the export controls that had forced the model offline in June, while its more powerful sibling, Mythos 5, returned only to a set of vetted organizations. The timing is what makes it a crypto story. Anthropic describes Mythos-class models as able to find and exploit vulnerabilities better than nearly any human, and crypto is in the middle of a record run of hacks, with billions in assets sitting inside publicly visible code that an AI can read at machine speed.
This piece separates what these models actually change from what the panic gets wrong, and it does so without treating a single headline as the whole picture. The central question is not whether AI makes crypto security riskier; it does. The harder question is where the added risk actually sits, whether it is in smart contracts themselves, bridges, human operations, signing flows, or the speed at which attackers can now move from disclosure to exploit. The answer is less cinematic than the fear, but more useful for anyone holding funds or building protocols.
The distinction between the two models is the first thing to get right, because they are not equally available. Fable 5 is the public, safeguarded member of the Mythos class, released in June 2026 and priced at roughly twice the cost of Anthropic’s prior flagship. It returned to global users on July 1 across Anthropic’s platforms. Mythos 5 is the less-restricted version that carries the full cyber capability, and it did not return to the public.
Anthropic restored Mythos 5 only to a set of vetted U.S. organizations that operate and defend critical infrastructure, through an opt-in program called Glasswing, following government approval in late June. So the model most crypto observers worry about is not the one now sitting behind a consumer subscription. The distinction matters because public access changes the risk surface very differently from vetted critical-infrastructure access. A powerful model in the hands of security teams is not the same thing as a powerful model available to every attacker with a credit card.
The episode that pulled both offline is worth understanding, because it colors the risk debate. In June, researchers at Amazon showed a jailbreak that got Fable 5 to identify software vulnerabilities and write exploit code, and the U.S. government responded with an emergency export-control order that Anthropic complied with by disabling the models entirely, since it could not restrict access by nationality in real time. The controls were lifted at the end of June, and access returned in the first days of July, with Fable 5 global and Mythos 5 limited. Anthropic’s own account of the incident cuts against the loudest fears: its review, conducted with the government, found that the reported technique did not reveal a uniquely Mythos-level capability, and that several weaker models could reproduce the same vulnerabilities.
The company argued the capability had been oversold, and it deployed a new safety classifier it says blocks the specific technique in more than 99% of cases, routing risky cybersecurity prompts to a weaker model in fewer than 5% of sessions. That is the company’s framing, and it matters, but it is not the whole story either. The point for crypto is narrower: even if public access is constrained, the capability exists, it is improving, and weaker models already reproduce parts of it. That means the security problem cannot be solved by focusing on one model alone.
The capabilities that alarmed the security world are real and documented, not hypothetical. Under its restricted program, Mythos-class models reportedly surfaced more than 10,000 high and critical-severity vulnerabilities in systemically important software, and found critical flaws across more than 1,000 open-source projects, including widely used components such as the Linux kernel and a popular media library. In one cited case, the model generated a working proof-of-concept exploit for a complex issue in under 31 minutes. Cloudflare reported that an earlier Mythos preview chained bugs into working exploits across more than 50 of its code repositories before refusing to produce a live demonstration.
The capability that most changes the math for defenders is speed. Anthropic has warned that the window between a vulnerability being disclosed and being exploited is collapsing, in some cases from days to hours. Its researchers concluded that a single operator with this class of model could turn a month of software patches into working exploits in a single afternoon, for a cost measured in a few thousand dollars. Security practitioners have started describing the shift as moving from an era of N-days, where attackers had weeks or months after a disclosure, to something closer to N-hours.
When a patch ships, it also reveals the flaw it fixes, and a model that can read the patch, understand the bug, and build an exploit in hours compresses the defender’s response window dramatically. None of this is the same as inventing a new class of attack. It is acceleration and scale. The model reads public code, compares versions, summarizes audits, and reasons about weaknesses faster and cheaper than a human team, which lowers the cost and expertise needed to do work that skilled attackers already do.
That distinction, acceleration rather than invention, is the fault line the entire debate runs along. For crypto teams, the practical implication is brutal: slow patching, stale dependencies, and unaudited forks become more dangerous when attackers can automate the boring parts of vulnerability discovery. The frontier model does not need to be magical to change the economics. It only needs to make the existing attack pipeline cheaper and faster.
Crypto sits in the blast radius for reasons specific to how it works. Smart contracts are public by design: the code that controls billions of dollars is visible on-chain for anyone, including an AI, to read and analyze. Bridges, the infrastructure that moves assets between blockchains, concentrate the collateral of many chains into a single set of contracts and message-verification systems, which makes them the highest-value targets in the space. An attacker who can scan code at machine speed has an unusually rich, unusually open field in crypto compared with closed corporate systems.
The backdrop is a genuinely bad year. Crypto has lost more than $840 million to hacks in 2026, with some tallies putting the figure past $940 million across more than 120 incidents, and April alone set a record near $600 million. The two largest losses tell the story of where the damage comes from. Kelp DAO lost roughly $292 million when attackers forged a cross-chain message on its bridge, exploiting a setup that let a single compromised node approve fraudulent withdrawals.
Drift Protocol lost about $285 million not to a code bug but to a six-month social engineering operation that ended in compromised administrative keys. Bridges have accounted for the largest share of losses, and North Korean groups have been linked to a large portion of the total. That pattern is the key context for the AI debate, because it shows where crypto actually bleeds. The biggest 2026 losses came less from novel smart-contract bugs than from human error and operational failure: social engineering, exposed keys, flawed signing flows, and misconfigured infrastructure.
Any assessment of what a Mythos-class model changes has to start from that reality, not from the image of an AI writing an exotic new exploit from scratch. The crypto risk surface is not only code. It is bridges, multisigs, admin keys, custody practices, signing devices, deployment scripts, and teams that still operate under startup-style security despite controlling institutional-scale money. AI makes that whole surface easier to search.
The bearish read is straightforward and has serious voices behind it. Simon Dedic, a well-known crypto investor, warned that a public Mythos-class model could sharply lower the cost and expertise needed to find exploitable flaws in smart contracts, and that unaudited protocols would become, in his words, sitting ducks. The argument is about barriers. Finding a subtle vulnerability in a contract used to require rare skill and considerable time.
If a model compresses that to hours and pennies, the population of people capable of attacking a weak protocol expands enormously, and the long tail of small projects, forks, and unaudited contracts becomes far more exposed. The numbers give the argument weight. Analysts have linked part of 2026’s elevated hacking losses to the growing use of advanced AI in identifying vulnerabilities, and the trend line points toward more automated, faster reconnaissance. In this view, even if the very best human attackers gain little, the marginal attacker gains a great deal, and crypto has no shortage of marginal attackers or of weak targets for them to point a capable model at.
The alarm is less about the top of the skill curve and more about how many more people can now operate near it. That is why small DeFi forks, rushed launches, and unaudited protocols are the obvious danger zone. A well-resourced protocol with continuous audits and strong operational controls may use AI defensively. A copy-paste fork with weak key management may simply become easier to attack.
The counterargument is equally serious, and it comes from builders and from Anthropic itself. Michael Egorov, the founder of a major decentralized exchange, argued that smart contracts typically contain only a few thousand lines of code and are already well understood by human auditors and existing AI tools, so a more capable model changes less about direct contract exploits than the panic suggests. In his view, operational security failures and supply-chain attacks are the larger risk, and those are not primarily a smart-contract-analysis problem. That view fits the loss data, where administrative compromises and bridge failures dominate the largest incidents.
Anthropic’s post-incident review reinforces the skeptical case from an unexpected direction. The company found that the jailbreak technique that triggered the export controls did not reveal a uniquely Mythos-level capability, and that weaker models, its own and others, could reproduce the same vulnerability findings. If a capability is broadly available across many models rather than locked inside one frontier system, then restricting or releasing that single system changes less than it appears to. The skeptics do not claim the models are harmless; they claim the marginal danger of any one release is smaller than the headlines imply, because the underlying capability is diffuse and because the hardest part of most real attacks is not finding the flaw.
That is an important distinction for crypto readers. The risk is not “Claude Mythos appears, therefore every DeFi protocol is suddenly doomed.” The risk is that AI-assisted security analysis is becoming normal across many models, countries, and toolchains, which means attackers and defenders alike will have faster vulnerability discovery available. In that world, the question shifts from whether one model should be online to whether crypto teams can patch and harden faster than adversaries can scan and exploit.
Between the alarm and the skepticism sits a consensus, and it is the most useful part of the debate. Security experts broadly agree that advanced AI will not invent fundamentally new categories of crypto hack, but will dramatically speed up the attacks that already dominate the loss tables: social engineering, exposed keys, and flawed signing flows. A model does not need to hand over a finished exploit to change the economics of an attack. It can read public repositories, compare old and new versions of software, summarize audit reports, and draft convincing messages designed to catch the small operational mistakes humans make.
As one analysis put it, these exploits remain rooted in social engineering and human error; AI did not create that reality, it made it visible and accelerated it to machine speed. That reframing points straight at the 2026 loss data. The Drift and Kelp attacks, the two largest of the year, were an operational compromise and a bridge-verification failure, not clever new contract bugs. A model that accelerates reconnaissance, scans for the weakest key path or the sloppiest signing flow, and helps craft the human-facing part of an attack makes exactly those failure modes cheaper and faster to exploit.
The practical implication is that the defense that matters most is not writing unbreakable contracts, but hardening the human and operational layer where the money actually leaks. That means keys, signing steps, privileged accounts, dependencies, cross-chain message verification, and incident response. It also means treating every public disclosure and every patch as a race. In an N-hour world, yesterday’s slow security process becomes tomorrow’s exploit window.
The same capability that worries defenders can also serve them, which is why the long-run balance is genuinely contested. A model that finds vulnerabilities faster than humans is, pointed the other way, an audit tool that finds them before attackers do. Anthropic has argued that AI will eventually favor defenders in cybersecurity, while conceding that the transition will be turbulent, and it restored the restricted Mythos 5 specifically to organizations that defend critical infrastructure through its security program. That is the defensive version of Glasswing: put the best tools in the hands of teams whose job is to patch before adversaries exploit.
One incident has become the reference point for both sides. In early June 2026, a critical vulnerability in a privacy coin’s shielded pool was discovered using Anthropic’s Opus 4.8, a model a generation below the Mythos class. The flaw, if exploited, could have allowed unlimited minting of the token, and it had eluded expert cryptographers for roughly four years. The token dropped more than 35% on the disclosure.
The lesson cuts both ways: a weaker model catching a four-year-old flaw shows how much AI can strengthen defense, and also how much latent, undiscovered risk sits in code that a stronger model could surface, for good or ill. Faster discovery is a defensive gift when a friendly party finds the bug first and a catastrophe when an attacker does. Which side wins any given race depends on who is scanning, how fast teams can patch, and whether defenders adopt the tools as aggressively as attackers will.
The useful response to all of this is not panic but hardening, and most of it is advice that held before any model returned. For individual users, the recurring guidance from security researchers is concrete: revoke unused token approvals, since every outstanding approval grants a contract permission to move your funds, and tools exist to review and cancel them. Move significant holdings into self-custody and cold storage, so that the keys controlling real money sit somewhere a compromised laptop cannot reach, and treat any unaudited protocol as a higher risk than it looked a year ago. When approving a transaction, use a device with a trusted screen that shows what is actually being signed, because if AI accelerates the scouting phase, the final signing step becomes the moment that matters most.
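As an added illustration of the approval review described above (not code from the article or from any tool it mentions), the sketch below replays ERC-20 `Approval` event logs for one wallet and lists the allowances that are still live. The function and field names are hypothetical, the logs and addresses are constructed, and the token's on-chain `allowance()` remains authoritative, because spending can reduce an allowance without emitting a new event.

```python
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "infinite approval" value many dapps request


@dataclass(frozen=True)
class Finding:
    token: str
    spender: str
    allowance: int
    unlimited: bool


def _addr(topic: str) -> str:
    """An indexed address is the low 20 bytes of a 32-byte topic."""
    return "0x" + topic[-40:].lower()


def outstanding_approvals(logs, owner):
    """Return live allowances for `owner` from logs in eth_getLogs shape.

    The latest Approval per (token, spender) wins; a value of 0 is a revoke.
    Results are an upper bound: confirm with allowance() before acting.
    """
    owner = owner.lower()
    latest = {}
    ordered = sorted(
        logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))
    )
    for log in ordered:
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but indexes tokenId (4 topics): skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if _addr(topics[1]) != owner:
            continue
        latest[(log["address"].lower(), _addr(topics[2]))] = int(log["data"], 16)
    live = [
        Finding(tok, sp, val, val == UNLIMITED)
        for (tok, sp), val in latest.items()
        if val > 0
    ]
    # Unlimited approvals first: they expose the whole balance to the spender.
    return sorted(live, key=lambda f: (not f.unlimited, f.token, f.spender))


# ---- constructed sample data (addresses and logs are made up) ----
def _fake(tag):
    return "0x" + tag.rjust(40, "0")


def _log(token, owner, spender, value, block, index=0, extra_topic=False):
    topics = [APPROVAL_TOPIC, "0x" + owner[2:].rjust(64, "0"),
              "0x" + spender[2:].rjust(64, "0")]
    if extra_topic:  # mimic an ERC-721 Approval with an indexed tokenId
        topics.append("0x" + format(value, "064x"))
    return {"address": token, "topics": topics, "data": "0x" + format(value, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}


ALICE, BOB = _fake("a11ce"), _fake("b0b")
TOKEN_A, TOKEN_B, NFT = _fake("aaa1"), _fake("bbb2"), _fake("ccc3")
DEX, LENDER = _fake("5001"), _fake("5002")

SAMPLE_LOGS = [
    _log(TOKEN_A, ALICE, LENDER, 0, block=32),            # later revoke
    _log(TOKEN_A, ALICE, DEX, UNLIMITED, block=16),       # unlimited, never revoked
    _log(TOKEN_A, ALICE, LENDER, 500, block=17),          # revoked at block 32
    _log(TOKEN_B, ALICE, DEX, 1000, block=18),            # finite, still live
    _log(TOKEN_B, BOB, DEX, UNLIMITED, block=19),         # different owner
    _log(NFT, ALICE, DEX, 7, block=20, extra_topic=True), # ERC-721, ignored
]

if __name__ == "__main__":
    for f in outstanding_approvals(SAMPLE_LOGS, ALICE):
        print(f)
```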
For teams and protocols, the priorities follow from where the losses come from. Rapid patch management matters more in an N-hour world, because the window between a disclosure and a working exploit is shrinking, so shipping and applying fixes quickly is now a security control in itself. Continuous auditing beats one-time audits, and using AI-driven analysis on your own code before attackers do is increasingly a baseline instead of an edge. Above all, harden the operational layer: secure key management, tighten signing flows, limit privileged access, and scrutinize dependencies and cross-chain message verification, because that is where the year’s biggest breaches actually happened.
Over-reliance on any single external model carries its own risk, so teams are stress-testing multiple tools instead of betting on one. The same caution applies to exchanges and custodians, where exchange security is not just a proof-of-reserves page but a question of controls, custody, liabilities, and operational discipline. For protocols experimenting with AI agents in crypto, the lesson is even sharper: automation expands what software can do, but also expands what must be secured. The more autonomy a system has, the more dangerous weak permissions and signing flows become.
The honest conclusion is that the return of these models changes the tempo of an existing problem more than it introduces a new one. Crypto was already losing record sums to human error, operational failure, and bridge design long before Fable 5 came back online. Capable AI makes the reconnaissance faster, the attacks cheaper, and the response window shorter, which is a real near-term headwind for a chronically insecure industry. It also puts a powerful audit tool in defenders’ hands, which is the reason the long-run outcome is a race instead of a verdict.
The protocols and users who treat the moment as a prompt to fix the operational basics will be the ones best placed whichever way that race runs. The ones still relying on one-time audits, permissive approvals, weak admin keys, and slow patch cycles are the obvious targets. AI did not create those weaknesses. It just made them easier to find.
Claude Mythos 5 is a frontier AI model from Anthropic that the company describes as its most capable for cybersecurity, marketed as able to find and exploit software vulnerabilities more effectively than any other model and than all but the most skilled human experts. It is the less-restricted version of the Mythos class. Its safeguarded public sibling is called Fable 5. Mythos 5 is available only to vetted organizations, not the general public.
In June 2026, researchers showed a jailbreak that got Fable 5 to identify vulnerabilities and write exploit code, and the U.S. government issued an emergency export-control order. Anthropic disabled both models globally because it could not restrict access by nationality in real time. The controls were lifted at the end of June, and access returned in early July, with Fable 5 restored globally and Mythos 5 limited to vetted U.S. organizations. The important distinction is that the public model and the restricted cyber model did not come back under the same access rules.
They can accelerate the work attackers already do rather than invent new attacks. Mythos-class models reportedly found more than 10,000 high-severity flaws in important software and can build a proof-of-concept exploit in under an hour. In crypto, the larger effect is speeding up reconnaissance and the human-facing parts of attacks, since the biggest 2026 losses came from social engineering, exposed keys, and operational failures instead of novel contract bugs. That makes unaudited protocols, weak bridge setups, and poor key management especially exposed.
Crypto has lost more than $840 million to hacks in 2026, with some tallies exceeding $940 million across more than 120 incidents, and April alone set a record near $600 million. The two largest losses were Kelp DAO at about $292 million from a bridge message forgery and Drift Protocol at about $285 million from a social engineering operation that compromised administrative keys. Those examples matter because they show where the real losses are coming from: not only code flaws, but operational and verification failures. AI makes those weak points easier to find and exploit faster.
The consensus among many security experts is that AI accelerates and scales existing attack types instead of creating new ones. It lowers the cost and expertise needed to find flaws, which most exposes unaudited protocols and small projects. Skeptics, including some builders and Anthropic’s own review, argue the marginal danger of any single model is smaller than headlines suggest, since weaker models can do similar work and the hardest part of most attacks is not finding the flaw. The risk is therefore less about one model suddenly changing everything and more about AI-assisted hacking becoming broadly available.
Yes, and that is the contested part of the debate. The same ability to find vulnerabilities fast makes AI a powerful audit tool when defenders use it first. In one case, a weaker model discovered a four-year-old critical flaw in a privacy coin’s shielded pool before it was exploited. Anthropic argues AI will eventually favor defenders, while admitting the transition will be turbulent, so the outcome depends on who adopts the tools faster.
Security researchers recommend revoking unused token approvals, moving significant holdings into self-custody and cold storage where keys sit offline, and treating unaudited protocols as higher risk. When signing transactions, use a device with a trusted screen that shows exactly what is being approved. These steps address the human and operational failures that account for most real losses, which AI mainly accelerates instead of replacing. The goal is to reduce the number of places where an attacker can turn a mistake into a transfer.
No. After the export controls were lifted, Anthropic restored the safeguarded Fable 5 to global users, but the less-restricted Mythos 5 returned only to a set of vetted U.S. organizations that defend critical infrastructure, through an opt-in program. The company says it will work to expand access over time, but the model with the full cyber capability is not behind a consumer subscription. Public users may have access to stronger AI tools than before, but not to the same unrestricted Mythos 5 setup described in the security program.
Disclaimer: This article is for information and educational purposes only and does not constitute financial, investment, legal, or security advice. It describes an evolving situation involving AI capabilities and cybersecurity risk, and details may change. Nothing here is a recommendation to buy, sell, or use any specific model, asset, or service. Always do your own research and consult qualified professionals for security decisions. Information is accurate as of July 2, 2026, and may change.

