The new AI model that could steal your life savings
Most important takeaway
Anthropic’s new “Claude Mythos” model can chain together individually minor software vulnerabilities into full exploits at a pace that alarmed the Treasury Secretary, the Fed Chair, and bank CEOs enough to convene an emergency meeting. Anthropic responded by withholding wide release and giving a small group of institutions (JPMorgan Chase and Bank of America confirmed) early access through “Project Glass Wing” to patch holes first — but rival labs already have publicly released models with similar capabilities, so the window to fix decades-old vulnerabilities is closing.
Summary
Key insights
- Claude Mythos is a general-purpose model, not a hacking specialist. It wasn’t trained on cybersecurity, yet it can identify thousands of software vulnerabilities and, more importantly, chain them into exploits — breaking the front gate, the lobby door, and the apartment lock in one sequence.
- Banks are first in line because the risk is systemic. Treasury Secretary Scott Bessent and Fed Chair Jerome Powell called a special meeting with bank CEOs in April. Only JPMorgan Chase and Bank of America have been publicly named as early-access partners — two out of ~4,000 US banks.
- Project Glass Wing is the mitigation playbook. Anthropic is keeping Mythos itself restricted while shipping a separate, less cutting-edge product called Claude Security to help organizations find and patch bugs (including a 27-year-old bug in core internet infrastructure that an open model already independently found).
- The “Y2K analogy” is the optimistic case. Michael Moore (Anthropic’s cybersecurity products lead) hopes the rollout looks like Y2K — uneventful because everyone worked hard to make it uneventful. The pessimistic case is that vibe-coded software built by less-experienced developers using AI is introducing entirely new classes of bugs faster than they can be patched.
- The competitive reality undermines the “safe rollout” narrative. OpenAI has since released a public model that appears to match Mythos’s capabilities. Anthropic’s restraint is meaningful only if peers exercise similar restraint — which they aren’t doing. The advantage of withholding Mythos is real but time-limited.
- Skeptics see the “creates the lock and sells the key” pattern. NYU computer scientist Rachel Greenstadt notes the marketing is excellent — a model so dangerous only some can have it. The bugs are real, but the framing serves Anthropic commercially.
- Threat actors named. US intelligence has flagged China, Russia, Iran, North Korea, and ransomware groups as ongoing critical threats — they will all eventually have access to comparable models.
Actionable insights
- For consumers / depositors. The episode’s reassuring conclusion is that the financial system is being patched ahead of the public threat. There is no specific action recommended for individual depositors and no specific stock to trade. The realistic personal posture: assume a “Y2K-like” outcome but don’t be complacent — keep good account hygiene, MFA on everything, and monitor for unusual activity.
- For operators / engineers. Audit your codebase now, including legacy code. AI-powered bug discovery is here; the window to patch before adversaries scan you is short. The 27-year-old infrastructure bug story is the warning — old code is uniquely exposed because nobody has looked at it.
- For people using AI to ship code (“vibe coding”). Greenstadt’s warning is the actionable one: developers are shipping software they don’t understand, written by AI that doesn’t fully understand it either. Treat AI-generated code with the same review rigor as human-written code, and prefer code-review and security-scanning tools (such as Claude Security or equivalents) before production.
Investments / specific mentions
- Anthropic — private; new model Claude Mythos restricted release; new product Claude Security available now.
- OpenAI — has reportedly released a public model with comparable vulnerability-discovery capability.
- JPMorgan Chase (JPM) and Bank of America (BAC) — confirmed early-access partners under Project Glass Wing. The episode does not recommend trading them; the mention is context for why these large banks may be marginally better protected than smaller institutions during this transition.
- No tickers are recommended as buys or sells. There is no direct “investment advice” beyond the implicit observation that cybersecurity products and the labs leading on safe rollout are positioned to benefit commercially.
Chapter Summaries
1. The emergency meeting. April 2026: Treasury Secretary Bessent and Fed Chair Powell convene bank CEOs over Anthropic’s announcement of Claude Mythos, framed as too dangerous for public release.
2. What Mythos actually does. A general-purpose model that, despite no specialized cybersecurity training, can chain individually minor vulnerabilities into working exploits at scale.
3. Project Glass Wing. Anthropic’s response — restricted access for select institutions (JPMorgan, Bank of America publicly named) to patch first, plus public conversation about the risks.
4. Claude Security as the patch-side product. A less cutting-edge tool aimed at finding bugs in legacy codebases — including a 27-year-old bug in core internet infrastructure.
5. The “lock and key” critique. Skeptics, including NYU’s Rachel Greenstadt, raise the conflict of interest and warn that vibe-coded software is producing whole new classes of bugs.
6. Competitive realism. OpenAI’s publicly available model now appears to match Mythos. Anthropic’s restraint matters only if competitors do the same.
7. The Y2K hope. Anthropic’s optimistic framing: an uneventful transition because of intense remediation work — not because the risk was hype.