
FinDev Guide to Mythos

What do financial inclusion practitioners need to know about Anthropic's AI model?

Recent news coverage of the new artificial intelligence (AI) model called Mythos has raised alarms in many circles about increasing cybersecurity risks, especially for the financial sector. At FinDev, we have been following the news and trying to determine what implications there could be for financial inclusion. So far, there are more questions than answers. However, we’ve gathered what information is publicly available to provide an initial guide to the concerns raised by Mythos and what it could mean for inclusive finance. Keep in mind that AI models are evolving rapidly and there will likely continue to be more questions than answers for some time.

What is Mythos? 

Mythos is an AI model developed by US company Anthropic, announced on 7 April 2026. What makes it different from other general-purpose language models like Claude or ChatGPT is its reported ability to find and exploit "zero-day" vulnerabilities. These are undetected weaknesses in software that can be exploited before anyone even knows they're there.

In controlled evaluations, Mythos executed “multi-stage attacks on vulnerable networks and discovered and exploited vulnerabilities autonomously – tasks that would take human professionals days of work,” according to the UK's AI Security Institute. To date, Mythos has not been released publicly. However, Anthropic has recently given preview access to several major US tech and financial firms, including Microsoft, Google, Apple, Amazon Web Services and JPMorgan Chase, allowing them to scan their networks and address problems before the vulnerabilities are exposed to the public.

What are the main concerns about Mythos? 

The main concern is not about Mythos specifically, but what these types of AI models could mean for future cyber-attacks. Mythos is showing that the same technology that helps organizations find vulnerabilities can also be used to exploit them before they are patched. The worry is that models like this will not stay restricted forever. If they end up in the wrong hands, attacks which once required highly elite hacking skills and days of work could increasingly be carried out faster, at greater scale, and by far less sophisticated actors.

Most experts agree that AI-enabled cyber-attacks represent a serious and growing threat and there is broad consensus that threats from models like Mythos should be taken seriously. However, not everyone agrees on the level of alarm that needs to be raised, with some security experts arguing that the new AI model represents the expected next step of AI abilities as opposed to an existential threat.

Who could be impacted by this type of AI model?

The risks posed by AI models like Mythos could impact every sector, but in different ways. Governments are worried about national security. Critical infrastructure like power grids, water systems, and other public services all run on software, making them vulnerable to AI-enabled cyber-attacks.

Financial regulators are worried about systemic risk. Banks and other financial institutions are especially at risk because many of them still run on decades-old software that was built long before the internet existed and that now sits alongside modern systems connected to the outside world. The places where old and new connect are where security weaknesses tend to hide, and those are the kinds of vulnerabilities a tool like Mythos can find and exploit. In addition, the banking sector relies on a small number of consolidated cloud providers, which means that if those providers are subject to a cyber-attack, the impact could cascade across the financial system.

For consumers, cyber-attacks on banking and payment systems could mean frozen accounts, failed transactions or exposed personal data. That kind of disruption can erode consumer trust, which takes years to build.

What do these growing cybersecurity risks mean for the financial inclusion sector?

The cybersecurity risk in financial inclusion was already growing before Mythos. In July 2024, a ransomware attack on a single technology provider that served hundreds of small banks across rural India disrupted the payment systems for nearly 300 institutions, preventing customers from making digital transactions or withdrawing cash. Though no financial losses were reported, the incident was a stark illustration of how a breach at one point in a connected financial system can ripple outward, hitting the institutions that serve the poorest and most vulnerable communities. What Mythos changes is the scale and sophistication of what becomes possible.

A framework developed by MITRE, a US-based non-profit cybersecurity research organization, maps how attacks on financial systems typically unfold as a chain of sequential steps – finding a weakness, moving through connected systems, accessing accounts, and eventually extracting funds or disrupting operations. Tools like Mythos could make it possible to automate that chain. The UK's AI Security Institute, which independently evaluated Mythos, found that the model could execute this kind of multi-stage attack autonomously at great speed. The concern for financial institutions – including the smaller banks, microfinance institutions, fintechs and mobile money operators that serve low-income populations – is attacks that move faster, hit more institutions simultaneously, and are significantly harder to detect before the damage is done.

The IMF has found that financial sector cybersecurity frameworks in emerging and developing economies are frequently inadequate. Many countries still lack a dedicated national strategy or regulations specifically covering cybersecurity in financial services. The emergence of models like Mythos will likely put developing countries further behind in their abilities to address cyber risks.

What is being done to address the increased risk?

Anthropic launched Project Glasswing to give major tech companies and financial institutions a head start in identifying and addressing vulnerabilities before tools like Mythos reach wider circulation. Regulators in the US, Europe, Asia and Australia have all signaled concern, but a coordinated global response has not yet taken shape.

Given that the organizations involved in Project Glasswing are predominantly large US technology companies and major financial institutions, it remains unclear how or whether the protections being developed will extend to smaller institutions like MFIs, fintechs, mobile money operators and community banks that serve low-income populations in developing countries, many of which lack the resources to build equivalent defenses independently. 

The IMF had already noted strong demand from member countries for support in building cybersecurity frameworks for their financial sectors. The emergence of models like Mythos makes that work more urgent. What this means specifically for developing countries and the financial inclusion sector – and how the international community intends to respond – is not yet known. 

Stay tuned

Mythos may be the most visible example of increased cybersecurity risks, but it is unlikely to be the last. The World Economic Forum has noted that while defensive capabilities are improving, they are doing so unevenly, and that a period of heightened risk lies ahead. FinDev Gateway will continue to monitor developments in this space and provide updates as the picture becomes clearer.

We would like to hear from practitioners working in financial inclusion. Do you see AI-enabled cybersecurity threats as a real and growing concern for your organization or the sector? Are you already taking steps to address them, and if so, what? Where do you think the most significant vulnerabilities lie for the institutions and communities you work with? Share your thoughts in the comments below.
