Cybersecurity Today
Host: David Shipley
Episode: "Banks Panic As Anthropic Mythos Exposes Software Vulnerabilities"
Date: April 13, 2026

Episode Overview

This week’s episode centers on the widespread alarm triggered by Anthropic’s release of Mythos, a generative AI model capable of finding and chaining together software vulnerabilities. David Shipley explores the ripple effects throughout the global financial sector, the shrinking window for patching vulnerabilities, new phishing tactics targeting C-suites, payroll fraud targeting Canadian employees, and a major law enforcement bust of crypto fraud. The episode captures the heightened urgency and evolving tactics facing cybersecurity teams worldwide.

Key Discussion Points

1. Anthropic Mythos: Global Financial Sector on Alert

[00:19 – 07:00]

• Emergency Meetings Across Financial Powerhouses:

  • The release of details about Anthropic’s Mythos AI model led to urgent meetings among U.S. regulators, top banking CEOs, and Canadian banking authorities.
  • U.S. Treasury Secretary Scott Besant and Fed Chair Jerome Powell convened with CEOs of major banks (Bank of America, Citigroup, Goldman Sachs, Morgan Stanley, Wells Fargo).
  • Canadian Financial Sector Resiliency Group and UK financial regulators held similar risk assessment meetings.
  • Notable Quote:
    David Shipley [01:53]: “The fact that it was called at all reflects how seriously the financial sector is taking this moment.”

• Mythos Capabilities:

  • Mythos can identify and chain vulnerabilities on every major operating system and web browser.
  • Already uncovered thousands of previously unknown zero-days.
  • Access is restricted via "Project Glasswing" to select critical infrastructure organizations and tech giants, not public release.

• Wider Implications:

  • Governments and banks worry not just about Anthropic, but the possibility of even more advanced, clandestine actors using similar AI.
  • Mythos is a wake-up call about decades-long technical debt and insecure code.
  • Notable Quote:
    David Shipley [03:16]: “We didn’t get here overnight. This is the bill coming due on technical debt that has accumulated over decades due to a culture of ship it and patch it later or never.”

2. Vulnerability Exploitation Speed Is Accelerating

[07:00 – 10:58]

• Case Study: Marimo Notebook Flaw

  • Critical authentication bypass in open-source Marimo notebooks patched in version 0.23.0.
  • Within 9 hours and 41 minutes of public disclosure, attackers had exploited a monitored honeypot.
  • Methodical and targeted exploitation observed.

• Shrinking Window for Defense:

  • "Zero day clock" site statistics:
    • 2018: Average of 771 days from disclosure to first exploit.
    • 2021: Down to 84 days.
    • 2023: Only 6 days.
    • 2025: Most vulnerabilities exploited before public disclosure.
  • AI-generated exploit code is now possible within 10–15 minutes and at low cost ($1 per vuln); 130+ new CVEs are published daily.
  • Notable Quote:
    David Shipley [09:50]: “The zero day clock puts the broader problem plainly: Organizations take an average of 20 days to test and deploy a patch. Attackers are now inside the window within hours.”

3. Sophisticated Phishing-as-a-Service: "Venom"

[10:58 – 14:28]

• Targeting Executives, Beating MFA:

  • “Venom” is a phishing-as-a-service (PhaaS) campaign targeting C-suite execs (CEOs, CFOs, VPs; 60% of targets hold senior titles).
  • Attack starts with a precise SharePoint-like email and a QR code designed to be opened on personal devices, bypassing corporate security controls.

• Multi-layered Defense Evasion:

  • QR code directs targets through anti-researcher checks, spoofing of corporate branding, and MFA interception.
  • On successful phish, attacker enrolls a new device on the victim’s account.
  • Venom is distributed privately, not sold on public dark web forums.

• Vulnerabilities in Executive Behavior:

  • Executives are most likely to skip phishing training; attackers design campaigns for this specific weakness.
  • Notable Quote:
    David Shipley [13:35]: “Participation in this kind of training and simulations isn’t just good practice for rank and file. It matters for the people attackers are highly motivated to reach.”

4. Payroll Fraud Targeting Canadian Employees

[14:28 – 16:35]

• Microsoft Tracks Ongoing Campaign:

  • Group “Storm 2755” uses fake Microsoft 365 pages to harvest employee credentials and session cookies.
  • After stealing credentials, attackers set up inbox rules to intercept HR emails and change payroll direct deposit info, redirecting paychecks to criminal accounts.
  • FBI recorded over 24,000 business email compromise incidents ($3B+ lost in the US last year).

• Defense Recommendations:

  • Block legacy authentication, enforce phishing-resistant MFA, and require direct employee-verification before changing bank details.
  • Notable Quote:
    David Shipley [16:03]: “If your organization can scale this, make sure you pick up the phone and talk to the employee.”

5. Major International Crypto Fraud Bust

[16:35 – 17:47]

• Operation Atlantic:

  • Joint law enforcement operation across the UK, US, and Canada targeting crypto investment fraud.
  • Over 20,000 victims identified; $12M frozen, $45M in stolen assets identified.
  • “Approval phishing” scams dupe victims into granting access to their wallets.
  • Operation Level Up (FBI) found 8,000 more victims since 2024.

• Crypto Fraud is Soaring:

  • FBI received over 61,000 crypto fraud complaints in 2025, $7B in losses (25% increase).
  • Three quarters of victims were unaware they’d been scammed.
  • UK will expand its public-private partnership approach against fraud.
  • Notable Quote:
    David Shipley [17:17]: “If someone you’ve never met in person is encouraging you to invest in cryptocurrency through a platform they recommend, that is a serious red flag.”

Notable Quotes and Memorable Moments

• [03:16] David Shipley: “This is the bill coming due on technical debt that has accumulated over decades due to a culture of ship it and patch it later or never.”
• [09:50] David Shipley: “Organizations take an average of 20 days to test and deploy a patch. Attackers are now inside the window within hours.”
• [13:35] David Shipley: “Participation in this kind of training and simulations isn’t just good practice for rank and file. It matters for the people attackers are highly motivated to reach.”
• [16:03] David Shipley: “If your organization can scale this, make sure you pick up the phone and talk to the employee.”
• [17:17] David Shipley: “If someone you’ve never met in person is encouraging you to invest in cryptocurrency through a platform they recommend, that is a serious red flag.”

Timestamps for Key Segments

• Anthropic Mythos and Financial Sector Alarm: 00:19–07:00
• Collapse of Patch Window/Marimo Exploit: 07:01–10:58
• "Venom" Phishing-as-a-Service: 10:59–14:28
• Payroll Fraud in Canada: 14:29–16:35
• International Crypto Fraud Bust: 16:36–17:47

Tone & Closing Thoughts

Host David Shipley maintains a tone of sober urgency throughout, blending clear technical breakdowns with pragmatic security advice. He closes the episode with a reminder to “stay safe out there, stay patched and pour one out for the OS teams frantically patching” critical systems this week, reflecting both appreciation for defenders and the scale of challenges raised by generative AI like Mythos.

This summary covers the episode’s structure, insights, and essential details—providing value for listeners seeking to understand the rapidly evolving risks in cybersecurity.