The European Central Bank has launched a formal inquiry into the systemic risks posed by Anthropic's Claude Mythos model, joining a coordinated global push to safeguard the financial sector from a new generation of AI-driven cyber threats. The ECB's move follows emergency briefings in Washington, D.C. and London, signaling that regulators now view autonomous AI exploit generation as a clear and present danger to the global economy.
Unlike the high-profile summons issued by the U.S. Treasury, the ECB is currently using its regular supervisory dialogue to gauge bank preparedness. Major Eurozone lenders, including Deutsche Bank, BNP Paribas, and Santander, are being questioned on their ability to defend against what regulators are calling “autonomous discovery” of legacy software flaws, a capability Mythos has demonstrated at a pace and depth that no prior tool has matched.
ECB Focus | Europe's Hybrid Banking Infrastructure
Regulators are particularly concerned about the structural character of European banking technology, which commonly layers modern digital interfaces over decades-old COBOL and mainframe systems. These hybrid architectures were built during successive waves of IT modernization that prioritized customer-facing upgrades over backend replacement, leaving intact millions of lines of legacy code that have not been materially audited in 20 or more years.
Mythos has demonstrated an ability to parse and reason across precisely this kind of heterogeneous stack. The model reportedly uncovered a 16-year-old flaw in the FFmpeg library and a 27-year-old bug in OpenBSD, proving that security through obscurity, long the implicit posture of institutions running unpatched legacy systems, is no longer a viable strategy. For European banks with mainframe cores dating to the 1970s and 1980s, this is an existential audit problem.
Cybersecurity experts including TJ Marlin of Guardrail Technologies have been direct about the exposure. “Mythos doesn't just find new bugs; it uncovers the skeletons in the closet, vulnerabilities in infrastructure that haven't been touched in 20 years,” Marlin told Reuters. “European banks have some of the oldest core systems in the world. That is not a comfortable position right now.”
Coordinated Global Response | US, UK, EU, IMF All Move in Parallel
The scale of the institutional response is without modern precedent. No single AI system has previously triggered simultaneous regulatory action across multiple sovereign jurisdictions and international financial bodies. The coordinated nature of the inquiry suggests regulators have been sharing intelligence and risk assessments through existing supervisory channels since at least early April 2026.
The current regulatory posture across major jurisdictions breaks down as follows:
- United States: Treasury Secretary Scott Bessent summoned CEOs of JPMorgan Chase, Goldman Sachs, and Citigroup to discuss national security implications of Mythos. The Federal Reserve is separately reviewing whether AI exploit capabilities constitute a material risk under existing stress testing frameworks.
- United Kingdom: The Bank of England held urgent talks with the National Cyber Security Centre to assess vulnerabilities at systemically important institutions. The NCSC briefings focused on Mythos's ability to chain together multi-stage exploits across interconnected clearing and settlement infrastructure.
- European Union: The ECB and EU AI Office are jointly probing whether Mythos qualifies as a High-Risk system under the EU AI Act, a designation that would trigger mandatory conformity assessments, incident reporting obligations, and strict deployment controls on any entity using the model within the EU.
- International Monetary Fund: Managing Director Kristalina Georgieva warned that AI-boosted attacks could lead to catastrophic operational compromise at a global scale, describing the scenario as a plausible tail risk that now requires active scenario planning rather than theoretical modeling.
Project Glasswing | Banks Turn Mythos Against Itself
The most consequential development in the response timeline is not the regulatory inquiries but the decision by JPMorgan Chase and a group of other systemically important banks to deploy Mythos offensively against their own infrastructure under Anthropic's controlled Project Glasswing initiative. The program turns the model's exploit-discovery capabilities inward, using it to locate and document vulnerabilities before hostile actors can exploit the same techniques.
As of late April 2026, the global consensus among regulators is that the era of manual vulnerability management is functionally over. What once took specialist security teams months to find and catalog, Mythos can surface in hours across codebases that span millions of lines. The question is no longer whether financial institutions can prevent AI-assisted attacks. It is whether they can use AI defensively fast enough to stay ahead of adversaries who have access to the same underlying capabilities.
The ECB's inquiry is expected to conclude in Q2 2026, with supervisory guidance on AI cyber risk disclosure to follow. Whether that timeline holds will depend in part on how quickly the picture clarifies through Project Glasswing's early findings, and whether those findings are ones regulators can share publicly.
Written by
ObjectWire Finance Desk