Discord Group Slipped Into Claude Mythos on Day One

A private Discord group has been quietly using Anthropic's most restricted AI model since the hour it shipped. They got in with a stolen contractor badge and a URL guessed from the Mercor breach.


The group didn't pick the lock. They walked up to the door, tried a contractor's stolen badge, read the room number off a note somebody left behind at Mercor three weeks earlier, and let themselves in. By the time anyone at Anthropic started looking, they had been using Claude Mythos Preview for two weeks, trading screenshots in a private channel and, per Bloomberg, building "simple websites" with the most dangerous model the company has ever built.

TL;DR

  • A private Discord group accessed Claude Mythos Preview the same day Anthropic announced its restricted launch on 7 April 2026.
  • Entry used a shared credential from a third-party Anthropic contractor, combined with a URL pattern reconstructed from the Mercor data leak three weeks earlier.
  • Bloomberg reported the access on 21 April 2026. Anthropic says there is no evidence the activity extended beyond the third-party vendor environment.
  • The group says they used the model for harmless tasks. The model itself can find thousands of zero-day vulnerabilities in live systems.

The breach isn't technically sophisticated. That's the point. A model Anthropic judged too dangerous to publish - one restricted under Project Glasswing to roughly forty approved organisations including Apple, AWS, Cisco, CrowdStrike, JPMorgan Chase, and the Linux Foundation - was reached through low-effort supply chain reconnaissance that any competent red teamer would have written up on a Thursday afternoon.

How They Got In

Two ingredients, both sitting in the open.

A shared credential. One member of the Discord group works as a contractor for a third-party vendor that does evaluation work for Anthropic. That contractor had legitimate access to a vendor environment connected to Mythos. According to Bloomberg's reporting, the credential was "shared" inside the group - a single login reused across an unknown number of Discord members, indistinguishable on the wire from the authorised contractor.

A guessable URL. The endpoint where Mythos actually lived wasn't public, but Anthropic's internal URL format was. Naming conventions for model deployments, vendor paths, and evaluation subdomains were among the metadata exposed in the March Mercor breach, where 4TB of data - contractor profiles, source code, API keys, and client-specific routing metadata - was auctioned on the dark web after an attack on the open-source LiteLLM project. Mercor's customers include Anthropic, OpenAI, and Meta.

The Discord group reconstructed the pattern, plugged in the variable part, and got a 200.

Put another way, in pseudocode:

# Ingredient 1: pattern recovered from Mercor leak
https://<vendor>.anthropic.<env>/models/<model-slug>/...

# Ingredient 2: credential shared from inside the contractor workforce
Authorization: Bearer sk-vendor-<redacted>

# Result
GET /models/mythos-preview/chat -> 200 OK

No zero-day. No exploit. No privilege escalation against Anthropic. A vendor environment that trusted a login and an address scheme that wasn't meant to be public but had already leaked.

[Image: dark server rack in a dimly lit data centre. Source: unsplash.com] Caption: The breach never touched Anthropic's core systems. It happened in the vendor environment, the blind spot where shared credentials and leaked naming conventions convert into working sessions.

What the Group Actually Did

According to Bloomberg's original scoop, picked up by TechCrunch and CBS News, the Discord members say they used Mythos for "simple websites" and other harmless tasks, and gave Bloomberg screenshots plus a live demonstration as proof of access. They describe themselves, in the reporting, as "interested in playing around with new models, not wreaking havoc."

Take that at face value, but keep the accounting clean.

Mythos isn't an ordinary chatbot. In Anthropic's own description, it found "thousands of high-severity vulnerabilities" across every major operating system and web browser during internal evaluation. Mozilla shipped Firefox 150 on 21 April using an early Mythos build. It was gated under Glasswing exactly because Anthropic believes the model lowers the bar for sophisticated cyberattacks. Anyone with a working session has, in effect, rented a cybersecurity analyst with no conscience and no audit log.

"Harmless use" is a self-report. Bloomberg saw screenshots the group chose to share. What runs through the session between screenshots isn't visible to reporters and, until detection, wasn't visible to Anthropic either.

Fourteen days is a long time. Access began around 7 April and was publicly reported 21 April. Anthropic has not stated when, internally, it noticed the activity. If it found the traffic in that window and declined to cut it off, that's one story. If the company learned of it from Bloomberg, that's a different story.

Anthropic's Position

The company's statement, provided to Euronews, TechCrunch, Silicon Republic, and others, is narrow and deliberate:

"We're investigating a report claiming unauthorised access to Claude Mythos Preview through one of our third-party vendor environments."

Anthropic adds that there is "no evidence" the activity extended beyond the vendor in question, and no evidence Anthropic's core systems were impacted. Both clauses are true. Both clauses also frame the incident as a vendor problem, which is a legitimate legal and technical distinction and a less flattering operational one.

Project Glasswing was announced on 7 April as a $100M defensive-security programme centred on Mythos and gated to a small pool of partners. The public threat model for that gating was state-level adversaries, advanced persistent threats, sophisticated cybercriminal groups. The actual first breach was a group of enthusiasts with a shared login and a URL they guessed from another company's leaked files.

[Image: lines of code on a dark laptop screen. Source: unsplash.com] Caption: The URL format was recovered from 4TB of Mercor data auctioned on the dark web in late March. Reconstructing the pattern required no offensive tooling.

The Events, In Sequence

LiteLLM compromise (27 March 2026) - An attacker identified as TeamPCP, later claimed by Lapsus$, compromised two versions of the open-source LiteLLM routing library. Downstream users that pinned vulnerable versions were exposed. Mercor was one of them.

Mercor breach confirmed (31 March 2026) - Mercor acknowledged it was hit by a supply chain attack via LiteLLM. 4TB of data was exfiltrated, including contractor profiles, source code, API keys, and client routing metadata covering Anthropic, OpenAI, and Meta. The data was auctioned. Naming conventions for vendor environments were among the recovered artefacts.

Mythos Preview announced (7 April 2026) - Anthropic unveiled Claude Mythos Preview under Project Glasswing, describing it as capable of finding zero-days at scale and restricting access to about forty approved organisations. The public announcement confirmed the model existed, confirmed it was gated, and confirmed the partner list.

Unauthorised access begins (7 April 2026) - The Discord group, using a credential shared from a contractor and a URL reconstructed from the Mercor metadata, obtained a working session to Mythos on the day of the public announcement. They kept the access and used it regularly.

Bloomberg publishes (21 April 2026) - Bloomberg reported the unauthorised access, citing screenshots and a live demonstration. Anthropic confirmed it was investigating. The door had been open for fourteen days.

Mozilla credits Mythos in Firefox 150 (21 April 2026) - The same day the breach became public, Mozilla shipped Firefox 150 and credited an early Mythos build for helping patch a share of the release's vulnerability backlog. The cat was provably out of the bag in both directions: inside the authorised perimeter, and outside it.

What Has Not Been Answered

The public record still has holes.

The contractor's employer hasn't been named. The shared-credential handling - whether the login was multi-party by policy, by habit, or by accident - is not documented. Anthropic hasn't said how it learned of the activity, whether detection happened before Bloomberg's enquiry or after, or whether the credential has now been revoked. The company has not said whether other Glasswing partners share vendor tooling with the affected environment, or whether any other unauthorised sessions have been observed elsewhere.

Nor has Anthropic disclosed what the Discord group's sessions produced. "Simple websites" is what the group told a reporter. What actually ran through the endpoint during fourteen days of use is, as of publication, unknown.

What Glasswing Partners Should Do Now

If you're a named partner - AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, Nvidia, Palo Alto Networks, or one of the approximately twenty-eight other approved organisations - the relevant action list is narrow and urgent.

  1. Rotate every credential that reaches any Anthropic-adjacent environment your organisation uses, including credentials issued to third-party vendors performing work on your behalf. Assume Mythos-adjacent naming conventions are public.
  2. Pull the vendor list for anyone who has ever had evaluation, routing, or infrastructure access to Anthropic resources. Cross-check it against Mercor's published customer list and the LiteLLM dependency graph. Vendors shared between AI labs are now a primary lateral-movement surface.
  3. Audit session logs for the 7-21 April window, looking specifically for successful requests to Mythos endpoints from IPs outside your allow-list. Detection may need to come from the customer side because the vendor environment, by Anthropic's framing, is where the gap sat.
  4. Assume naming conventions are permanently burned. Do not design future gating around URL obscurity. Treat every externally reachable model endpoint as public-address, private-credential, and enforce accordingly.
  5. Reassess Glasswing itself. The programme's value proposition is that a tightly held, defensive-use-only model stays held. That claim is now contingent on vendor hygiene that Anthropic does not directly control.
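Steps 1 and 3 above, together with the two ingredients described under "How They Got In", reduce to questions an access log can answer: was one credential used from more source addresses than a single contractor plausibly has, and did successful requests to the model endpoint arrive from addresses outside the allow-list during the window? The Python below is an added example written for this page, not code from the article, from Anthropic, or from any vendor; the log format, credential ids, IP addresses, allow-list and endpoint path are constructed assumptions, and the window is the article's 7 to 21 April.

```python
"""Added example: audit constructed access logs for credential sharing and
out-of-allow-list hits on a model endpoint. Nothing here is real vendor data."""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed sample log lines (assumed format: timestamp, source IP,
# credential id, method, path, HTTP status). Not real Anthropic or vendor logs.
SAMPLE_LOG = """\
2026-04-06T09:12:01Z 203.0.113.10 cred-vendor-a GET /models/mythos-preview/chat 200
2026-04-07T11:05:44Z 203.0.113.10 cred-vendor-a POST /models/mythos-preview/chat 200
2026-04-07T11:06:02Z 198.51.100.7 cred-vendor-a POST /models/mythos-preview/chat 200
2026-04-07T11:06:30Z 198.51.100.8 cred-vendor-a POST /models/mythos-preview/chat 200
2026-04-08T02:41:19Z 192.0.2.55 cred-vendor-a POST /models/mythos-preview/chat 200
2026-04-09T14:00:00Z 203.0.113.11 cred-vendor-b GET /models/other-model/chat 200
2026-04-10T14:00:00Z 192.0.2.56 cred-vendor-b POST /models/mythos-preview/chat 403
2026-04-22T08:00:00Z 192.0.2.57 cred-vendor-a POST /models/mythos-preview/chat 200
"""

ALLOW_LIST = {"203.0.113.10", "203.0.113.11"}  # constructed vendor egress addresses
WINDOW_START = datetime(2026, 4, 7, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 21, 23, 59, 59, tzinfo=timezone.utc)
MODEL_PATH = re.compile(r"^/models/mythos-preview/")  # assumed endpoint prefix

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<cred>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def shared_credentials(records, max_ips=2):
    """Credentials seen from more than max_ips distinct source addresses.

    A shared login is indistinguishable from its holder on any single request;
    aggregating by credential over the whole window is what exposes the fan-out.
    """
    ips_by_cred = defaultdict(set)
    for r in records:
        ips_by_cred[r["cred"]].add(r["ip"])
    return {c: sorted(ips) for c, ips in ips_by_cred.items() if len(ips) > max_ips}


def out_of_allowlist_hits(records, allow_list=ALLOW_LIST, start=WINDOW_START, end=WINDOW_END):
    """Successful model-endpoint requests inside the window from addresses not on the allow-list."""
    return [
        r for r in records
        if start <= r["ts"] <= end
        and r["status"] == 200
        and MODEL_PATH.match(r["path"])
        and r["ip"] not in allow_list
    ]


def audit(text=SAMPLE_LOG):
    """Run both checks and return the findings."""
    recs = parse_log(text)
    return {"shared": shared_credentials(recs), "hits": out_of_allowlist_hits(recs)}


if __name__ == "__main__":
    result = audit()
    for cred, ips in result["shared"].items():
        print(f"credential {cred} used from {len(ips)} source addresses: {', '.join(ips)}")
    for r in result["hits"]:
        print(f"{r['ts'].isoformat()} {r['ip']} {r['cred']} {r['method']} {r['path']} -> {r['status']}")
```

On the constructed sample, only cred-vendor-a trips the sharing threshold (five addresses), and three of its requests land in the 7 to 21 April window from addresses outside the allow-list; the 403 and the out-of-window lines are correctly ignored. The threshold of two addresses is a guess at what one contractor legitimately uses; tune it to the vendor's known egress.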

None of this requires Mythos to be exfiltrated in full, jailbroken, or used in an attack for the damage to already be done. Availability to the wrong party of a model Anthropic itself calls dangerous enough to justify an NDA-gated launch is the damage. The rest is accounting.
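Step 4 of the list above asks for every model endpoint to be treated as public-address, private-credential. As an added illustration written for this page (not Anthropic's gateway code and not any real API), the Python decision function below assumes a hypothetical credential store in which each token maps to exactly one named principal, the source networks that principal's credential is bound to, and the model slugs it is entitled to. The request path contributes nothing to the decision, so a recovered naming convention on its own yields nothing, and a credential that turns up outside its bound network is refused even when it is valid.

```python
"""Added example: a public-address, private-credential authorization check.
The credential store, principals, networks and token strings are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import hmac


@dataclass(frozen=True)
class Principal:
    name: str           # one person or service per credential, never a shared login
    networks: tuple     # egress ranges this credential is bound to
    models: frozenset   # model slugs this principal may reach


# Hypothetical store: token -> principal. A real deployment would keep only
# a hash of each token; plaintext is used here so the example runs stand-alone.
CREDENTIALS = {
    "tok-alice-eval": Principal(
        "alice@vendor-a", (ip_network("203.0.113.0/24"),), frozenset({"mythos-preview"})
    ),
    "tok-bob-eval": Principal(
        "bob@vendor-b", (ip_network("198.51.100.0/24"),), frozenset({"other-model"})
    ),
}


def lookup_token(presented):
    """Constant-time comparison against every stored token; None if no match."""
    for stored, principal in CREDENTIALS.items():
        if hmac.compare_digest(stored, presented):
            return principal
    return None


def authorize(path, bearer, source_ip):
    """Return (status, reason) for a request.

    The path is assumed to be public knowledge. Every decision rests on the
    credential, the network it is bound to, and the entitlement it carries.
    """
    principal = lookup_token(bearer or "")
    if principal is None:
        return 401, "unknown credential"
    try:
        ip = ip_address(source_ip)
    except ValueError:
        return 400, "malformed source address"
    if not any(ip in net for net in principal.networks):
        return 403, f"{principal.name}: source {source_ip} outside bound networks"
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "models":
        return 404, "no such route"
    slug = parts[1]
    if slug not in principal.models:
        return 403, f"{principal.name}: not entitled to {slug}"
    return 200, f"{principal.name}: allowed"


if __name__ == "__main__":
    # Same path each time; only the credential and source address vary.
    for bearer, ip in [("tok-alice-eval", "203.0.113.10"), ("tok-alice-eval", "192.0.2.55"),
                       ("tok-bob-eval", "198.51.100.7"), ("tok-unknown", "203.0.113.10")]:
        print(bearer, ip, authorize("/models/mythos-preview/chat", bearer, ip))
```

Because the check runs after the credential is identified, the 403 for a valid token from an unexpected network is exactly the event worth alerting on: it is the signature of a shared or stolen login, and it is visible on the first request rather than after a fortnight of aggregation.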


The model Anthropic would not publish was accessed, on day one, through a front door they did not know was unlocked. Whatever else Project Glasswing is for, it is also now a worked example of the surface area that opens when frontier AI is distributed through vendors, contractors, and evaluation partners - each of whom is one Mercor-style compromise away from becoming an ingredient in the next incident.

About the author: Senior AI Editor & Investigative Journalist

Elena is a technology journalist with over eight years of experience covering artificial intelligence, machine learning, and the startup ecosystem.