Financial stability risk

‘Claude Mythos’ rattles the IMF


Anthropic’s new “Claude Mythos Preview” can find and exploit vulnerabilities in every major operating system and browser, even in the hands of non-experts. For the International Monetary Fund, that’s a wake-up call: cybersecurity must be treated as a systemic financial risk.

In a recent article, Tobias Adrian, Tamas Gaidosch, and Rangachary Ravikumar of the International Monetary Fund (IMF) warn that AI systems are fundamentally changing the risk landscape in the financial sector. While artificial intelligence helps to identify vulnerabilities faster and respond to incidents, it is also amplifying attack capabilities at a pace many defenders cannot match.


According to the authors, extreme cyber incidents could now trigger liquidity squeezes, raise solvency concerns at individual institutions, and disrupt entire markets. The reason lies in the architecture of the financial system itself. Banks, payment service providers, and market infrastructures largely share the same digital foundation of software, cloud services, and networks for payments and data. A single exploited vulnerability can therefore cause correlated failures across the sector.

Mythos as a wake-up call

As evidence of the changed threat picture, the IMF points to Anthropic’s controlled release of “Claude Mythos Preview”. The model is reportedly capable of finding and exploiting security flaws in every major operating system and web browser, including when used by people without deep security expertise. That significantly lowers the entry barrier for high-quality attacks.

The authors contrast this with a specialised, restricted cyber variant of OpenAI’s GPT-5.5, which is explicitly designed to equip defenders faster and at scale, flanked by governance requirements and trusted access models. Both examples mark the poles of a development that, according to the IMF, can no longer be halted.


Structural advantage for attackers

The report sketches an uncomfortable asymmetry. With AI support, finding and exploiting vulnerabilities is significantly faster than distributing and applying patches. In a financial system built on a handful of widely used software platforms and a small number of cloud providers, this can leave many institutions vulnerable at the same time.

Some mitigating factors still exist. Advanced AI cyber capabilities are not broadly available, and proprietary industry software is harder to attack than widely used open-source components. According to the IMF, however, these buffers are likely to erode quickly, for instance through growing training capacities, model diffusion, and leaks. Relying on them is not a durable strategy.

From an IT problem to a macro risk

From these points, the IMF derives a shift in perspective. Cyber risks are no longer primarily an operational or technical concern of individual institutions, but a potential macro-financial shock. Loss of confidence, payment disruptions, liquidity stress, and forced fire sales could cascade once several institutions are hit simultaneously.

There is also a cross-sectoral dimension. The financial sector shares its digital foundations with energy providers, telecommunications operators, and public administration. AI-supported attacks can propagate along this shared infrastructure, with feedback effects on the financial system.

Defending with the same tools

In the report, AI is not only a threat but also part of the solution. When attackers operate at machine speed, defenders must do the same. Financial institutions already use AI for threat detection, fraud prevention, vulnerability analysis, and incident response. The most effective use lies early in the development process. Avoiding security flaws before software ships reduces systemic exposure far more than patching after the fact.

The benefit only materialises, however, if institutions invest in integration, governance, and human oversight. According to the IMF, these areas increasingly need to move to the centre of supervisory reviews. This also includes business continuity, disaster recovery, and quality assurance, as well as basic cyber hygiene.

Resilience as a policy framework

The IMF recommends a resilience-oriented policy framework. Existing measures remain relevant but must be sharpened for a world of faster and more automated attacks. Specifically, the report names robust resilience standards, supervision focused on systemic transmission channels, and closer public-private collaboration on threat intelligence and incident response.

Because defensive lines will eventually fall, mechanisms that contain the spread of an incident must be prioritised. Cyber stress tests, scenario analyses, and board-level oversight are described in the report as indispensable components of future stability frameworks.

International coordination as a weak spot

A final point concerns governance. Cyber risks do not stop at borders, and inconsistent supervision in a globally interconnected system is itself a point of entry. Emerging and developing economies with tighter resources are disproportionately at risk because attackers actively look for weaker defensive lines. The IMF therefore calls for more information sharing, stronger international coordination, and expanded capacity building.

The authors close with a sober question for supervisors: can the financial system continue to function under severe stress? Answering it requires placing systemic risk at the centre of the AI-cyber debate, and no longer treating it as an appendix to IT security.

Lars Becker

Deputy Editor-in-Chief

IT Verlag GmbH
