A group of amateur investigators on Discord gained unauthorized access to Anthropic’s Mythos Preview, a restricted AI model the company has closely guarded due to its reported capabilities in finding security vulnerabilities. The breach was reported by Bloomberg and occurred despite Anthropic’s efforts to limit who could use the tool.
The Discord users pieced together access through straightforward detective work: they examined data from a breach at Mercor, an AI training startup that works with developers, and made an educated guess about the model’s online location based on their knowledge of the URL format Anthropic has used for other models. At least one person involved also exploited existing permissions tied to their work for an Anthropic contracting firm, ultimately gaining access to Mythos and other unreleased Anthropic models. According to Bloomberg, the group has so far used the access only to build simple websites, reportedly to avoid detection by Anthropic.
In a separate development, Mozilla announced in April 2026 that it used early access to Anthropic’s Mythos Preview to find and fix 271 vulnerabilities in its new Firefox 150 browser release, underscoring the model’s stated capabilities in security research.
Elsewhere in security news, Citizen Lab researchers revealed that at least two for-profit surveillance vendors exploited weaknesses in Signaling System 7 (SS7) telecom protocols — and similar flaws in next-generation protocols — to track the physical location of targets’ phones. The firms did so by acting as rogue phone carriers, leveraging access to three small telecom companies: Israeli carrier 019Mobile, British provider Tango Mobile, and Airtel Jersey. Citizen Lab said “high-profile” individuals were among those tracked but declined to name the firms or their targets, and warned that the two identified companies are likely not alone in abusing these vulnerabilities.
The U.S. Department of Justice announced charges in April 2026 against two Chinese nationals, Jiang Wen Jie and Huang Xingshan, for allegedly helping manage a human-trafficking-fueled scam compound in Myanmar and seeking to open a second operation in Cambodia. Both men were arrested in Thailand on immigration charges earlier in 2026. Prosecutors say the operation lured victims with fake job offers and forced them to conduct cryptocurrency investment fraud targeting Americans. The DOJ said it restrained $700 million in funds tied to the operation and seized a Telegram channel used to recruit victims. Huang is alleged to have personally participated in the physical punishment of workers, and Jiang is accused of overseeing the theft of $3 million from a single U.S. victim.
Apple released an iOS and iPadOS security update — iOS 26.4.2 — to address a flaw in which notifications marked for deletion could be unexpectedly retained on a device. The issue became significant after 404 Media reported that the FBI obtained Signal message content from a defendant’s iPhone through an iOS push notification database, even after Signal had been removed from the device. Apple described the fix as addressing “a logging issue” with “improved data redaction.” Security experts note the case highlights that end-to-end encryption protects messages in transit, but physical access to an unlocked device may still expose content stored locally.
Three scientific research institutions were found selling British citizens’ health data on Alibaba, according to the UK government and nonprofit UK Biobank. Over 500,000 people have shared health information — including medical images, genetic data, and health records — with UK Biobank over the past two decades. The charity said the sales constituted a breach of contract, with one dataset believed to have included data on all half-million research subjects. UK Biobank has suspended the accounts of the organizations involved, and the listings have been removed from Alibaba.