Last month, Anthropic said its new artificial intelligence model, Mythos Preview, had discovered thousands of vulnerabilities in “every major operating system and web browser.” About 40 tech firms and institutions have initial access to Mythos to bolster their systems, but these do not include most central banks and governments, leaving much of the rest of the world vulnerable, and dependent on companies such as Anthropic, OpenAI, and Google to secure their systems.
Access to Mythos is crucial because cyberattacks are surging worldwide. AI-enabled entities increased attacks by 89% in 2025 from a year earlier, according to cybersecurity firm CrowdStrike. AI agents can find and exploit software vulnerabilities better than most humans, and are arming even unskilled criminal and foreign actors with the means to target people, companies, and national infrastructure more easily and cheaply than before — and the effect is not equal.
“The rise of AI systems that are highly capable in cybersecurity poses a real challenge for companies and countries without many resources,” Nick Srnicek, a senior lecturer in digital economy at King’s College London, told Rest of World. “Widely used — often American — software is likely to be patched quickly and is less at risk, but more proprietary offerings, those typical of digital sovereignty initiatives, for instance, will struggle to see and patch vulnerabilities with the necessary speed.”
“Cybersecurity is never an isolated problem”
Since the launch of OpenAI’s ChatGPT, criminals have quickly adopted AI tools to boost their operations — including creating phishing emails, deepfake videos, voice clones, and malware. They also use AI to search for vulnerabilities and exploit them faster and more cheaply. A North Korean hacker group used AI tools from OpenAI and Cursor to steal as much as $12 million in cryptocurrency from victims in just a few months.
Lots of companies, including your dentist’s office, are going to have to deal with new bugs. It’s an AI bugocalypse.”Alex Stamos
In 2018, the median time from a vulnerability being disclosed to the first exploitation was 771 days, so organizations had over two years to fix it. By 2024, that window had reduced to four hours; last year, most exploited vulnerabilities were weaponized before they were even publicly disclosed, according to Zero Day Clock, a website that tracks the time between the public disclosure of a software vulnerability and its exploitation.
Now, when a software firm releases a security patch, “AI can reverse-engineer that patch, identify the vulnerability it fixes, and generate a working weaponized exploit in minutes,” wrote Sergej Epp, founder of Zero Day Clock. “Attacks can begin propagating across the world within hours.”
An AI model like Mythos is a “structural advantage,” Chandramouli Dorai, chief evangelist of cyber solutions at Zoho Corporation, an Indian software services firm with more than 1 million local and global clients, told Rest of World. “When access to such a powerful model is restricted to only a handful of institutions, the organizations that most need it may be exactly the ones excluded from it.”
But when a small business, a hospital, or government organization is breached because they could not afford the right security solution, the damage spreads to their customers, partners, and supply chains, Dorai said.
“Cybersecurity is never an isolated problem; it’s a shared one,” he said. Security “has to work for everyone, not just at the top of the market.”
Anthropic’s warning
A 2024 cybercrime index listed Russia, Ukraine, China, the U.S., and Nigeria as the top sources of crimes including malware coding, ransom, data theft, and scams. Americans also lost at least $10 billion to cyber scams originating in Southeast Asia in 2024, according to a U.S. government estimate. Scam centers in Myanmar and Cambodia are using AI to find more victims, mainly in the U.S. and Europe.
Security should not be a luxury. If the technology giants treat it as one, everyone will pay the price.”Chandramouli Dorai
Days after Israel and the U.S. began attacking Iran, cyberattacks linked to Iran hit companies across the Middle East. An Iran-linked group also claimed responsibility for a cyberattack on American medical technology company Stryker on March 11, causing disruptions worldwide. Cyber actors affiliated with the Iranian regime have also gained access to systems used by American critical-infrastructure sectors — including municipal energy, water, and wastewater agencies, the Cybersecurity and Infrastructure Security Agency has said.
Even Mythos is vulnerable, with a group of Discord users gaining unauthorized access to the model. OpenAI has launched its response to Mythos, and Chinese AI companies are developing their own models with capabilities similar to the model.
“Given the rate of AI progress, it will not be long before such capabilities proliferate, potentially beyond actors who are committed to deploying them safely,” Anthropic said during the launch of Mythos. “The fallout — for economies, public safety, and national security — could be severe.”
You “cannot patch your way out”
Rapid advances in AI come amid a massive shortage of cybersecurity professionals, with estimates ranging from 5 million in 2024 to nearly 85 million by 2030. The gap is widest in the Asia-Pacific region, where the Philippines, Taiwan, and India are frequent targets.
Between nations, there is a “real gap in capacity — talent, tools, and budget — to build cyber resilience,” Dorai said. “That gap will compound over the years.”
Even well-resourced companies have not had to deal with new bugs in recent years, Alex Stamos, chief product officer at AI and cybersecurity firm Corridor and a former director of the Stanford Internet Observatory, told Rest of World. With AI used to code, as well as to find vulnerabilities, “lots and lots of companies, including your dentist’s office, are going to have to deal with new bugs. It’s an AI bugocalypse,” he said.
Organizations have to assume their systems can be compromised, build necessary protections, and plan for resiliency, including backups, Stamos said. “We’re going to have to collectively spend billions of dollars actually rewriting software,” he said. “Organizations are going to have to prepare for the fact that they cannot patch their way out.”
Nor can one AI company or its tool, no matter how sophisticated, solve the problem. AI developers, software companies, security researchers, open-source maintainers, and governments across the world “all have essential roles to play,” Anthropic said. “The work of defending the world’s cyber infrastructure might take years.”
The White House has shot down a plan to expand access to Mythos to about 70 additional companies and organizations — still just a small fraction of those in need.
“Security should not be a luxury,” Dorai said. “If the technology giants treat it as one, everyone will pay the price.”
