The IMF is openly warning that frontier AI models like Claude Mythos may have shattered the traditional cybersecurity timeline entirely.
In a new blog post published today, IMF researchers warned that AI is driving the cost and time needed to discover zero day vulnerabilities toward “near zero,” creating what they describe as a growing threat to global financial stability.
The warning centers around the “Mythos” incident, where the model reportedly gained the ability to chain complex vulnerabilities across major operating systems and browsers in seconds, something that once took skilled hacking teams months to pull off.
IMF warns AI turns cyber attackers into financial system wrecking machines
Artificial intelligence is transforming how the financial system copes with vulnerabilities and reacts to incidents. Yet it is also amplifying cyber threats that can undermine financial stability when the offensive capabilities of intruders outpace defenses.
IMF analysis suggests that extreme cyber‑incident losses could trigger funding strains, raise solvency concerns, and disrupt broader markets.
The financial system relies on shared digital infrastructure that’s highly interconnected, including software, cloud services, and networks for payments and other data. Advanced AI models can dramatically reduce the time and cost needed to identify and exploit vulnerabilities, raising the likelihood of simultaneously discovering and targeting weaknesses in widely used systems. As a result, cyber risk is increasingly about correlated failures that could disrupt financial intermediation, payments, and confidence at the systemic level.
Anthropic’s recent controlled release of its Claude Mythos Preview, an advanced AI model with exceptional cyber capabilities, underscored how quickly risks are increasing. Mythos could find and exploit vulnerabilities in every major operating system and web browser—even when used by non-experts. This foreshadows how fast‑moving, AI‑driven cyber risks could destabilize the financial system if not managed carefully, and why authorities must focus on building resilience through supervision and coordination—rather than treating these developments as purely technical or operational issues.
On the other hand, OpenAI’s specialized, restricted cyber version of GPT‑5.5 assumes vulnerabilities and attacks will grow, and emphasizes equipping defenders more quickly and at scale, under appropriate governance and trusted access models.