Germany’s banks review Anthropic Mythos risks, fear AI-powered cyberattacks

German banks and regulators were confronting a new kind of AI problem: not whether to adopt frontier models, but whether those models could materially widen the cyberattack surface. The German Banking Association had been in contact with cyber experts at member banks, Germany’s finance ministry, the Deutsche Bundesbank and BaFin as concern grew around Anthropic’s new Mythos model and its ability to help identify weaknesses in older banking systems.

What made Mythos different was not simply its scale. The model’s advanced reasoning and code-related abilities raised alarms that it could speed malicious automation, lower the bar for criminals already operating at scale and expose brittle legacy technology that banks cannot harden quickly. Cybersecurity experts have long warned that large lenders still depend on older stacks that are expensive to replace, and BaFin signaled that firms need to be ready for weaknesses to be found soon and addressed rapidly.

The pressure was not confined to Frankfurt. European Central Bank supervisors were set to quiz bankers about the risks, underscoring how quickly the issue had moved from product launch to supervisory concern. BaFin’s 2026 risk agenda has already kept cyber threats high on the watchdog’s list, and the authority said it would continue regular exchanges with national, European and international stakeholders on cyber-related issues.

Anthropic’s own materials helped explain why the model drew such attention. On April 7, the company said Claude Mythos Preview was its most capable frontier model to date and that, because of the size of the capability jump, it would not be made generally available. Instead, Anthropic said it would use the model in a limited defensive cybersecurity program with partners. In a companion security post, the company called Mythos Preview “strikingly capable” at computer security tasks and said it had launched Project Glasswing to help secure critical software and prepare the industry for cyber defense practices it expects to become necessary.

Anthropic also said the model had been able to identify and exploit zero-day vulnerabilities across major operating systems and browsers during testing, and that more than 99% of the flaws it found had not yet been patched at the time of publication. That kind of capability is exactly what has regulators worried: a tool useful for defense can also become a multiplier for offense.

The concern had already reached Washington. On April 7, Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell held an urgent closed-door meeting with major U.S. bank chiefs to discuss the cyber risks posed by Mythos. Jamie Dimon did not attend, while Brian Moynihan, Jane Fraser, David Solomon, Ted Pick and Charlie Scharf were present. Anthropic said it was also in ongoing discussions with U.S. agencies including the Cybersecurity and Infrastructure Security Agency and the Center for AI Standards and Innovation. For banks on both sides of the Atlantic, the message was clear: the next AI wave is not just about productivity, but about control, testing and cyber resilience before frontier systems move deeper into finance.