Korean financial firms brace for AI-driven cyber risks from Mythos

The Anthropic logo is seen in this illustration from March 1. Reuters-Yonhap

Financial authorities and industry players have stepped up vigilance following reports that Mythos, a next-generation artificial intelligence (AI) model developed by U.S. firm Anthropic, can independently detect and exploit security flaws, officials said Friday.

While the reports have prompted swift responses from governments and corportations worldwide, concerns are particularly acute in the financial sector, where highly interconnected systems handling payments, transfers and asset management could be severely disrupted if compromised.

Experts warn that the risk is amplified by the structure of financial IT environments, in which advanced technologies coexist with decades-old legacy systems, leaving potential gaps in security.

“The risks span the entire IT stack, as vulnerabilities could emerge not only in installed applications but also at the operating system level,” a financial industry official said. “Despite differences in network environments, Korea cannot be considered immune, given its heavy reliance on foreign-developed software.”

Anthropic recently unveiled Claude Mythos Preview, an autonomous agent-based model believed to be capable of dissecting complex software structures, pinpointing security weaknesses and charting its own paths for infiltration.

It has reportedly identified a design flaw in security-focused operating system OpenBSD that had remained undiscovered for 27 years, and used it to execute a denial-of-service attack. This suggests the model has evolved beyond a supportive coding tool into one capable of independently carrying out cyberattacks.

Amid escalating cyber threats, Korea’s financial sector is moving to strengthen its defenses by advancing AI-driven threat detection, conducting comprehensive vulnerability assessments and upgrading real-time monitoring systems.

Officials are seen at the Financial Services Commission within Government Complex Seoul. Korea Times file

The Financial Services Commission (FSC), the country’s top financial regulator, held an emergency review meeting Wednesday led by Vice Chairman Kwon Dae-young, bringing together senior officials from the Financial Supervisory Service and Financial Security Institute, along with chief information security officers from major banking and insurance institutions, to coordinate a unified response.

“Korea is actively engaging in international discussions to align regulatory standards and is formulating comprehensive countermeasures,” an FSC official said.

The Ministry of Science and ICT has also stepped up its response, launching a comprehensive review of AI cybersecurity preparedness earlier this week. The ministry has held a series of emergency meetings involving the country’s three major telecommunications carriers — SK Telecom, KT and LG Uplus — as well as leading platform companies such as Naver and Kakao, and key players in the information security sector.

ICT Minister Bae Kyung-hoon stressed the need to reinforce national cyber defenses, warning that both corporate systems and critical infrastructure must be protected from emerging threats.

“Advancing the domestic cybersecurity ecosystem will require close coordination between the public and private sectors,” he said.

The sense of urgency is mirrored globally. In the United States, the U.S. Department of the Treasury and the Federal Reserve have recently convened top executives from major banks to discuss response strategies.

Leading financial institutions, including Goldman Sachs, Citigroup, Bank of America and Morgan Stanley, are reportedly seeking early access to the Mythos model to better understand its capabilities and strengthen their defenses.

Authorities in Canada and the United Kingdom have also begun assessing the potential risks to their financial systems.

Amid mounting concerns over misuse, Anthropic has decided against a full public release of Mythos. Instead, the company plans to limit access to a select group of major technology firms and vetted organizations, aiming to reduce the risk of the technology being exploited for malicious purposes.