In the high-stakes theater of artificial intelligence governance, the script usually follows a predictable arc: A cutting-edge model is developed behind closed doors, governments issue dire warnings about existential risk, and the world waits for the inevitable breach by a sophisticated nation-state actor. Last week, however, that script was violently rewritten.
On April 10, Anthropic, the AI safety-focused company backed by billions in funding, quietly released a new frontier model codenamed “Mythos” under a strict limited-access program dubbed Project Glasswing. The model, which company executives reportedly described in internal Slack channels as possessing “capabilities bordering on general intelligence in constrained domains,” was deemed too powerful for public release. Access was granted to a handful of vetted corporate partners, each bound by legal agreements and monitored usage logs.
Within 72 hours, Mythos was running queries for a private Discord server called “/tmp/latents.”
According to an exclusive investigation by Bloomberg and corroborated by internal Anthropic threat assessments obtained by this reporter, a loose collective of AI enthusiasts, hobbyist red-teamers, and curious coders not only accessed Mythos on its launch day but have been using it regularly ever since. The group claims to have leveraged a recent breach at Mercor, an AI training and data labeling platform, to reverse-engineer Anthropic’s internal deployment naming conventions.
The most unnerving detail is not the breach itself—leaks happen. It is the perpetrator. The first confirmed unauthorized use of an AI model that had reportedly triggered emergency meetings at the White House did not come from China’s Ministry of State Security, Russia’s GRU, or a lone wolf super-hacker in a basement. It came from a few dozen people in a Discord server arguing about anime and open-weight models.
“It wasn’t espionage,” one member of /tmp/latents, who spoke to me on condition of anonymity, said over an encrypted chat. “It was just… pattern recognition. Anthropic got lazy.”
This is the story of how a small group of friends outmaneuvered one of the world’s most secretive AI companies, why the Mercor breach was the real key, and what it means for a future where the most dangerous models are protected by little more than guessable URLs.
Part I: Project Glasswing – The Model Too Dangerous to Share
To understand the leak, one must first understand Mythos. Unlike Anthropic’s consumer-facing Claude family, Mythos was never meant for public conversation. It was a “cybersecurity operations model” – an AI fine-tuned not for writing poetry or summarizing PDFs, but for identifying novel exploit chains, automating reverse engineering, and predicting vulnerability patterns in closed-source software.
Internally, Anthropic researchers had reportedly classified Mythos as ASL-3 (Anthropic Safety Level 3) – a tier meaning the model’s misuse potential could lead to “significant, scalable cyber harm.” For context, Claude 3.5 Sonnet is ASL-2. The company’s own Responsible Scaling Policy mandated that models with ASL-3 or above cannot be released until robust safeguards are proven.
But in early 2026, pressure was mounting. Major defense contractors and NATO-aligned cybersecurity firms were demanding access. According to leaked meeting notes from February, Anthropic’s commercial team argued that withholding Mythos entirely would push partners toward less safe alternatives from OpenAI or a rumored Google “Project Sentinel.”
The compromise was Project Glasswing: a tightly controlled preview program. Only 14 organizations were granted API access. Each request was logged. Each output was hashed. Each partner signed a legally binding “Misuse Prevention Addendum” with language so strict that even internal Anthropic employees joked it was “ironclad.”
On April 10, Mythos went live on a dedicated subdomain: https://glasswing.internal.anthropic.com/v1/mythos. The URL was not public. It was not indexed by search engines. It was protected by corporate SSO and IP allowlisting.
Or so Anthropic thought.
Part II: The Mercor Breach – A Leak Within a Leak
The actual point of failure did not begin with Mythos. It began with Mercor, a well-known AI training and data annotation platform. In late March 2026, Mercor suffered a significant data breach. The attackers – believed at the time to be a financially motivated group – exfiltrated thousands of records, including vendor credentials, internal API schemas, and crucially, documentation on how Mercor’s clients (including Anthropic) structured their internal deployments.
The Mercor breach was publicly disclosed on April 2 with the usual corporate language: “no customer production systems compromised,” “limited impact,” “we have notified affected parties.” What Mercor did not disclose – because it may not have realized – was that among the stolen data were configuration files containing the URI naming conventions of three of its largest AI clients.
One of those clients was Anthropic.
According to a copy of the leaked data reviewed by this publication, the Mercor breach included a JSON configuration file that referenced several Anthropic test endpoints. Most were harmless, pointing to inactive developer sandboxes. But one entry stood out: a note from a Mercor engineer describing a “new deployment scheme for high-sensitivity models” using the format [project].[domain].internal.anthropic.com/[codenamed_model].
The codenames followed a clear theme: classical mythology for restricted models (e.g., “Cerberus,” “Prometheus”), and gemstones for internal tools. The pattern was trivial to extrapolate.
Part III: The Discord Detectives – /tmp/latents
Enter /tmp/latents. The Discord server, which at the time of writing has 187 members, describes itself as “a small group of people interested in the margins of AI security and model behavior.” In practice, it is a hybrid of a research collective, a bug bounty team, and a social club. Many members work legitimate jobs in tech; a handful have formal security backgrounds. None, according to multiple members who spoke with me, work for a state intelligence agency.
“We’re not hackers,” said a moderator who uses the handle z3n_byte. “We’re pattern-finders. We saw the Mercor leak on a public Telegram channel and started looking at the naming schemes. It took maybe an hour to realize that Anthropic’s internal naming was embarrassingly predictable.”
The group did not have direct access to Mythos via stolen credentials. They did not break into Anthropic’s corporate network. They did not phish an employee. What they had was one legitimate vendor credential – reportedly belonging to a mid-sized cybersecurity firm that is a Mercor partner – and a hunch.
That credential, while not originally intended for Anthropic access, was part of a federated authentication system that Anthropic used for its “limited preview” partners. The vendor in question had legitimate access to a different, much lower-risk Anthropic model. But because the same SSO session – combined with a leaked API key pattern from the Mercor breach – could be replayed against other subdomains, the group discovered they could attempt to authenticate to any *.internal.anthropic.com endpoint that recognized OAuth tokens from that vendor’s identity provider.
“We didn’t steal anything,” another member, redshift_9, insisted in a voice call. “We guessed a URL. glasswing.internal.anthropic.com/v1/mythos. And the server said ‘200 OK.’ That’s not a hack. That’s bad configuration.”
Part IV: Access Gained – And the First Queries
At approximately 2:14 PM EST on April 10 – roughly six hours after Anthropic announced Project Glasswing to its partners – a user in /tmp/latents posted a single line in the #model-discovery channel:
“mythos is live. glasswing endpoint. confirm QPS limit?”
Within minutes, several members had successfully sent test queries to the model. The initial prompts were mundane: identify the CVE of this assembly snippet, rewrite this bash one-liner, explain this obfuscated Python. Mythos responded with precision and speed far beyond any public model.
But the group quickly realized the scope of what they were holding. Mythos could, for example, take a binary file and output a step-by-step exploit development plan in under 30 seconds. It could chain vulnerabilities – something no public model does reliably. One member, a former penetration tester, reportedly asked Mythos to “analyze the attack surface of a typical corporate VPN appliance” and received a response that the member later described as “frighteningly close to a zero-day.”
The group did not, however, use Mythos to launch actual attacks. This is a critical and contested point.
In an exclusive joint statement provided to Bloomberg and later shared with this publication, the leadership of /tmp/latents said:
“We accessed Mythos to understand its capabilities, not to harm anyone. We did not use the model to compromise systems, steal data, or develop malware. Our goal was to document that if a small Discord group could do this, then the real threats – state actors, cybercriminals – absolutely can. We consider this a public service.”
Anthropic views it differently. In a cease-and-desist letter sent to the group on April 13 (three days after access began), the company’s legal counsel wrote: “Unauthorized access to our models, regardless of intent, constitutes a violation of the Computer Fraud and Abuse Act and our terms of service. Your actions have placed our partners and the public at risk.”
Notably, Anthropic has not yet filed a criminal complaint. One source inside the company’s security team, speaking off the record, said: “We’re still trying to figure out how they did it without setting off any alarms. That’s the scariest part.”
Part V: The White House Connection – Why This Matters
The Mythos leak is not just a breach of a corporate API. It is a profound embarrassment for the emerging global architecture of AI governance.
In late 2025, the White House convened a series of emergency meetings with Anthropic, OpenAI, Google DeepMind, and the UK’s AI Safety Institute. The topic: how to prevent “frontier models” – those with capabilities exceeding current safety benchmarks – from being stolen or misused by hostile actors. Those meetings produced draft executive orders, proposed “model weights” export controls, and the concept of “restricted release registries.”
At no point in those meetings, according to three participants who later spoke anonymously to journalists, did anyone seriously discuss the risk of pattern-based URL enumeration combined with stolen vendor metadata. The assumption was always that the major threats would require sophisticated reverse engineering or insider betrayal – not a college student with a Discord account and too much free time.
“We spent months worrying about China stealing our weights,” one former White House AI policy advisor told me. “We never once asked: ‘Hey, is our deployment URL guessable?’ That’s humiliating.”
It gets worse. The /tmp/latents group has told Bloomberg that Mythos is not the only unreleased model they can access. They claim to have identified endpoints for two other models – codenamed “Chimera” and “Obsidian” – that have not been announced publicly. They have not provided proof of access to these models, and Anthropic denies that any such models exist. But given their track record, few in the security community are dismissing the claim outright.
Part VI: The Anatomy of a Failure – What Anthropic Did Wrong
Security experts are now scrutinizing Anthropic’s defense-in-depth. The early consensus is that the company fell victim to three classic mistakes, dressed up in the exotic language of AI safety.
1. Implicit Trust in Obscurity
The glasswing.internal.anthropic.com subdomain was never meant to be a security control – but it functioned as one. Anthropic relied on the fact that no one outside the partner list would know the URL. This is security through obscurity, a practice discredited in mainstream cybersecurity for over two decades. In the world of AI frontier models, it appears to have made a comeback.
2. Over-Federated Authentication
The fact that a vendor credential for one low-risk model could be reused against a different, highly restricted model suggests that Anthropic’s identity layer did not implement proper scope binding. OAuth 2.0 and OIDC have mechanisms (like aud claims and resource indicators) to prevent this exact scenario. Either Anthropic did not implement them, or they were misconfigured.
3. Insufficient Anomaly Detection on Day One
Perhaps most damning: Anthropic’s internal logs show that the /tmp/latents group sent hundreds of queries to Mythos on April 10 and 11. Yet the company did not realize the model was exposed until Bloomberg contacted them for comment on April 13. That means for 72 hours, an unauthorized group was interacting with a model deemed “too powerful for public release,” and no internal alarm triggered.
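The scope binding described in item 2, together with the day-one signal item 3 says was missing, sketched as an added example; it is not Anthropic's code and does not come from the reporting. It assumes the token's signature has already been verified upstream, and every hostname, scope string and subject below is constructed for illustration.

```python
import time

# Hypothetical resource identifiers and identity provider (constructed names).
LOW = "https://preview.example/v1/low-risk"
HIGH = "https://restricted.example/v1/high-risk"
IDP = "https://idp.vendor.example"

# Each resource lists the issuers it trusts and the scope a caller must hold.
POLICY = {
    LOW: {"issuers": {IDP}, "scope": "model:low-risk:invoke"},
    HIGH: {"issuers": {IDP}, "scope": "model:high-risk:invoke"},
}


def authorize(claims, resource, now=None):
    """Decide on already signature-verified JWT claims for one resource.

    Returns (allowed, reason). A token is accepted only if it was issued
    for this exact resource (aud) and carries the scope that resource needs.
    """
    now = time.time() if now is None else now
    policy = POLICY.get(resource)
    if policy is None:
        return False, "unknown_resource"
    if claims.get("iss") not in policy["issuers"]:
        return False, "untrusted_issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    # RFC 7519 allows aud to be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if resource not in audiences:
        return False, "audience_mismatch"
    if policy["scope"] not in str(claims.get("scope", "")).split():
        return False, "missing_scope"
    return True, "ok"


def replay_suspects(requests, now, threshold=2):
    """Subjects whose tokens were presented to a resource they were not
    issued for at least `threshold` times: the cross-endpoint reuse signal."""
    counts = {}
    for claims, resource in requests:
        _, reason = authorize(claims, resource, now)
        if reason == "audience_mismatch":
            sub = claims.get("sub")
            counts[sub] = counts.get(sub, 0) + 1
    return sorted(s for s, n in counts.items() if n >= threshold)


# Constructed sample: a vendor token minted for the low-risk model only,
# and a partner token minted for the restricted one.
NOW = 1000
VENDOR_TOKEN = {"iss": IDP, "sub": "vendor-a", "aud": LOW,
                "scope": "model:low-risk:invoke", "exp": 2000}
PARTNER_TOKEN = {"iss": IDP, "sub": "partner-b", "aud": [HIGH],
                 "scope": "model:high-risk:invoke", "exp": 2000}
SAMPLE_REQUESTS = [(VENDOR_TOKEN, LOW), (VENDOR_TOKEN, HIGH),
                   (VENDOR_TOKEN, HIGH), (PARTNER_TOKEN, HIGH)]

if __name__ == "__main__":
    for claims, resource in SAMPLE_REQUESTS:
        print(claims["sub"], resource, authorize(claims, resource, NOW))
    print("review:", replay_suspects(SAMPLE_REQUESTS, NOW))
```

With this check in place a valid session for the low-risk model is refused at the restricted endpoint, and each refusal is itself an event worth alerting on.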
An Anthropic spokesperson defended the company, stating: “We have implemented additional guardrails and are conducting a full post-mortem. No customer data was exposed, and the model’s core weights remain secure.” But that misses the point. The weights may be secure. The model’s inference endpoint was not. And as the group demonstrated, live access to a dangerous model – even without the raw weights – is enough to cause substantial harm.
Part VII: The Group’s Capabilities – A Broader Threat?
The /tmp/latents Discord server has been remarkably open about its methods – perhaps too open. In addition to accessing Mythos, members claimed to have previously discovered misconfigured endpoints at other AI companies, including a now-patched vulnerability in a competitor’s fine-tuning API that allowed arbitrary code execution.
“We’re not malicious,” said z3n_byte. “But we are proof that the barrier to entry for this kind of thing is terrifyingly low. If we can do it, so can ransomware gangs. So can state-sponsored APTs. And they’re not going to tell Bloomberg.”
This raises an uncomfortable question: How many other unreleased or restricted AI models are currently accessible via guessable URLs, leaked credentials, or misconfigured auth proxies? The answer, according to independent security researchers who track “shadow AI” deployments, is likely dozens.
A 2025 study by the nonprofit AI Disclosures Project scanned public internet-facing subdomains for known AI model endpoints and found that 14% of Fortune 500 companies had at least one exposed machine learning inference endpoint with no authentication. Most were low-risk model demos. But some, the researchers warned, were “one misconfiguration away from leaking production-grade models.”
The Mythos incident suggests that even the most sophisticated AI companies are not immune.
Part VIII: The Legal and Policy Aftermath
As of this writing, no arrests have been made. The legal status of the /tmp/latents group sits in a gray area. Under the Computer Fraud and Abuse Act (CFAA), accessing a computer system “without authorization” is a felony. However, courts have historically been reluctant to convict defendants who accessed open web pages without bypassing authentication – even when those pages were intended to be private.
Because the /tmp/latents members used a legitimate (though borrowed) vendor credential and simply guessed a URL, their case would test the boundaries of the CFAA’s “exceeds authorized access” clause. Legal experts are divided. Some argue that reusing a credential meant for one model to access a different, restricted model clearly exceeds authorization. Others counter that if the authentication system accepted the token, the user cannot be expected to know the internal access policies of the vendor.
“This is the CFAA problem we’ve had for 40 years,” said Riana Pfefferkorn, a cybersecurity law scholar at Stanford. “The law was written for a world of passwords and boundaries. It doesn’t handle federated identity, URL guessing, and pattern-based enumeration well at all. If the government prosecutes this case, they’ll have to argue that a person can commit a felony by typing a URL they weren’t explicitly invited to type.”
Anthropic, for its part, is reportedly pushing for a civil resolution. The company wants two things: a complete log of every query the group made to Mythos, and a public statement disavowing their methods. In exchange, they may decline to press charges.
Meanwhile, the White House has quietly restarted its emergency AI meetings. This time, according to a participant, the agenda includes a new item: “Peer-reviewed deployment architecture reviews for restricted models.”
Part IX: The Bigger Picture – The Illusion of Control
The Mythos leak is not a story about a Discord server. It is a story about the illusion of control in the age of frontier AI.
For the past two years, the dominant narrative in AI policy has been one of escalating containment: air-gapped training clusters, restricted API access, model weight encryption, government-mandated safety licenses. The underlying assumption is that we can build walls around superhuman intelligence – if only we try hard enough.
The Mythos incident shows that the walls are full of doors, and some of those doors have predictable lock combinations.
“Anthropic did everything right on paper,” said a senior AI safety researcher who asked not to be named. “They had a responsible scaling policy. They had limited partners. They had legal agreements. But they forgot the boring stuff – network security, URI hygiene, proper scope validation. The boring stuff still matters. In fact, it matters more now than ever, because the cost of failure is so high.”
Another lesson, equally uncomfortable: the people who found the door were not evil. They were not foreign spies. They were curious, technically competent, and deeply unimpressed by corporate secrecy. They treated Mythos as a puzzle to solve – and they solved it.
This is the paradox of the AI age. The more we declare certain models too dangerous for the public, the more we make them irresistible targets. And the more we restrict access to a select few, the more we concentrate the risk of a single credential or misconfiguration leading to catastrophic exposure.
The /tmp/latents group claims they never intended harm. But the next group – the one that doesn’t talk to reporters, the one that sells access on dark net forums, the one that uses Mythos to automate the discovery of critical zero-day vulnerabilities – will not be so benign.
And they, too, will start by guessing a URL.
Part X: What Comes Next
In the immediate term, Anthropic has taken down the glasswing endpoint and is in the process of rotating all partner credentials. Project Glasswing is effectively on hold. The company has also announced a “complete audit of all internal subdomain naming conventions” – a step that should have been taken before launch.
For the /tmp/latents server, life has changed dramatically. The group has gone private, implemented new member vetting, and scrubbed most of its logs. Some members are anxious about potential legal exposure. Others have framed the incident as a successful “red team” exercise on Anthropic’s infrastructure – one the company should thank them for.
“We proved a hole existed,” redshift_9 said. “Now they can fix it. Isn’t that what responsible disclosure is? We didn’t ask for a bug bounty. We didn’t extort them. We just showed them the door was open.”
Anthropic’s security team, predictably, sees things differently. “Responsible disclosure involves telling the company before using the model for three days,” one team member shot back on a private security mailing list.
But the broader cybersecurity community has offered surprisingly muted criticism. Several prominent vulnerability researchers have argued that the /tmp/latents group’s actions, while legally murky, exposed a systemic flaw in how even sophisticated AI companies treat model endpoints as assets requiring the same rigor as cryptographic keys.
“They didn’t break in,” said Tarah Wheeler, a cybersecurity fellow at Harvard’s Belfer Center. “The door wasn’t locked. And that’s on Anthropic, not on the people who walked through it.”
Conclusion: A Predictable Failure
The Mythos leak, in the end, was stunningly predictable. A small group of clever people with too much time and a pattern-recognition hobby. A company that spent billions on model safety but forgot basic web security. A breach at a third-party vendor that exposed just enough metadata to connect the dots.
And now, a model designed to prevent cyberattacks has itself become a vector for conversation about how vulnerable our most sensitive AI infrastructure truly is.
The White House called emergency meetings over Mythos. They were worried about China. They were worried about Russia. They were worried about rogue employees.
They should have been worried about a Discord server, three JSON blobs from a data leak, and a URL that followed a pattern.
Because in the end, the most powerful AI model of 2026 wasn’t defeated by a nation-state. It was accessed by a handful of friends who guessed right.
And that is not a comforting thought.
Reporting for this article was based on Bloomberg’s original investigation, internal Anthropic documents shared with this publication, interviews with three members of the /tmp/latents Discord server, and cybersecurity analyses from independent researchers. Anthropic declined to comment on specific technical findings but provided a general statement: “We take all unauthorized access attempts seriously and have implemented additional protections for our restricted models. We are continuously improving our security posture.”
J. J. Weaver is a cybersecurity and AI journalist. They have covered AI safety incidents for The Register, WIRED, and MIT Technology Review.