Claude Mythos can chain four vulnerabilities overnight. Anthropic’s Project Glasswing signals that Web3’s security model is already obsolete.
Anthropic quietly confirmed something the blockchain industry should have been dreading. Its unreleased frontier model, Claude Mythos, has crossed a threshold that security researchers spent years hoping would never arrive. Engineers with zero security background can now prompt it overnight and wake up to a working remote code execution exploit.
That is not a warning about the future. It already happened.
According to alicharts on X, Mythos identified a 27-year-old bug in OpenBSD that had been missed by human auditors for decades. The same model chained four separate vulnerabilities to escape a browser sandbox. That task typically takes elite human teams months to pull off.
The Thing Web3 Refuses to Admit
Anthropic published the details directly. The language was deliberate and stark. Mythos Preview had already found thousands of high-severity vulnerabilities, including some in every major operating system and web browser. Blockchain protocols, which depend on periodic human audits, sit squarely in those crosshairs.
Project Glasswing is the response. Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorganChase, Microsoft, NVIDIA, Palo Alto Networks, and the Linux Foundation joined the effort. Anthropic committed up to $100 million in usage credits for defensive deployment of the model. Another $4 million went directly to open-source security organizations.
The framing from Anthropic was clear. AI capabilities like Mythos will proliferate, and they will reach actors who are not committed to deploying them safely. The fallout for public safety and national security could be severe.
Exploit revenue from AI-assisted attacks on blockchain smart contracts has been doubling roughly every 1.3 months. That trajectory predates Mythos going public.
Periodic Audits Are Already Dead
As alicharts noted on X, the traditional model of periodic security reviews is finished. Blockchain protocols that do not build autonomous AI shielding into their stack will get picked apart by the next generation of adversarial agents. The X post described Mythos as a category-killer specifically because of its multi-step attack chain capability.
That lines up with what Anthropic’s own research PDF shows. The Mythos Preview research flagged the acceleration as steep enough to require action now, not after the next major protocol breach.
The Glasswing preview page framed the core problem plainly: AI coding capability has surpassed all but the most skilled humans at finding and exploiting vulnerabilities. Web3 protocols, many of which still rely on infrequent third-party audits, were not built with this threat model in mind.
The Moonwell DeFi lending protocol lost approximately $1.78 million in a separate but related incident tied to AI-assisted code. Smart contract auditor pashov flagged on X what he described as possibly the first exploit directly tied to vibe-coded Solidity. The human reviewer still signed off. That is the gap Mythos exploits. The full picture of how Claude is already reshaping Web3 code auditing has been developing for months.
$100M Defense Effort, Zero Guarantees
Forty additional organizations building or maintaining critical software infrastructure got early access to Mythos Preview for defensive scanning. Anthropic was explicit. No single organization can solve this alone. Frontier AI capabilities are likely to advance substantially over just the next few months.
Web3 is not included in the initial Glasswing coalition by name. That absence is telling.
The race between AI-assisted attacks and AI-assisted defense is now the only audit that matters. Blockchain protocols relying on manual security reviews are working with a model that was already obsolete before Mythos was announced.
Source: https://www.livebitcoinnews.com/claude-mythos-just-made-web3s-security-model-obsolete/