Back to Home

ECB warned banks about cyberattacks by AI model Mythos

The European Central Bank warned eurozone banks of the urgent need to prepare for cyberattacks using the advanced AI model Mythos by Anthropic, despite European institutions lacking access to it. The statement reflects the regulator's structural weakness and growing asymmetry in global cybersecurity, where banks in the US and Japan gain an advantage. The article analyzes hidden factors, the economics of AI attacks, and provides a forecast for the coming months.

ECB: European banks defenseless against cyberattacks by AI model Mythos
Advertisement 728x90

ECB Warns Banks of AI-Powered Cyber Threats

The European Central Bank has issued an official warning to all eurozone banks, urging them to strengthen defenses against cyberattacks generated by advanced artificial intelligence models.


The 'Mythos' Myth: How Lack of Access to AI Became the Main Systemic Risk for the European Banking Sector

Frank Elderson, Vice-Chair of the European Central Bank's Supervisory Board, issued a warning on May 13, 2026, that would have made headlines under any other news backdrop: European banks must immediately, "right now," prepare for cyberattacks using Anthropic's Mythos-level AI model, despite the fact that they do not and will not have access to this model. The statement came in an interview for the internal ECB Supervision Newsletter—and it is precisely this almost invisible format that reveals the true nature of what is happening. The regulator is not so much informing the market as documenting its position for future proceedings.

The Essence: What Is Really Happening

Formally, the ECB is warning banks about a new class of cyber threats. Executive Board member Frank Elderson stated literally: "Lack of access [to Mythos] does not justify inaction. On the contrary, it makes it critically important that banks step up and act right now." The regulator notes that major US banks that received early access to Mythos are already fixing vulnerabilities in their data centers identified by the AI model. Japan is expected to gain access for its three largest banks within two weeks. Europe remains on the outside.

Google AdInline article slot

But the real essence of Elderson's statement is not about cybersecurity per se. It is an act of regulatory outsourcing of responsibility. The ECB cannot protect European banks from a threat it cannot even assess. So it shifts the burden onto the banks themselves: prepare for what you cannot see, and if something happens—we warned you.

This pattern is familiar to anyone who has followed European banking supervision during crisis moments. When the regulator lacks direct tools, it creates a paper trail. May 2026 is such a moment: Mythos can autonomously identify and exploit vulnerabilities at a speed unattainable by existing tools, and reverse-engineer software patches into exploits much faster than before. European banks, denied access to this tool, watch as US competitors patch holes—and can only guess how vulnerable they themselves are.

Timeline and Context

The chain of events leading to Elderson's statement unfolded rapidly. In April 2026, Reuters reported that the ECB supervisory authority intended to ask banks for information on their readiness for a new source of risk—AI-enhanced cyberattacks. That same month, data emerged that major US banks with early access to Mythos were urgently fixing dozens of vulnerabilities in their data systems. Anthropic provided access only to a few US organizations—Amazon Web Services, Microsoft, Nvidia, Linux Foundation, and JP Morgan—as part of the Project Glasswing initiative.

Google AdInline article slot

By early May, the situation had escalated. ECB President Christine Lagarde stated that the central bank was studying defense mechanisms against Mythos-driven attacks but was at a disadvantage due to lack of access to the model. On May 12, information emerged that Japan's three largest banks would likely gain access to Mythos within two weeks. Europe remains the only major financial bloc cut off from the tool.

Then on May 13, Elderson's interview was released. He describes Mythos as a "turning point in cybersecurity"—a tool capable of combining seemingly minor vulnerabilities into serious attack vectors. And at the same time, he acknowledges that European banks cannot not only use Mythos for defense but even assess the scale of their own vulnerability to it.

Who Wins and Who Loses

US banks win—but not as it seems at first glance. JP Morgan and other Project Glasswing participants gain not just a defense tool but an asymmetric information advantage. They know their vulnerabilities, know how Mythos finds them, and can model attack vectors. European banks lack this information, making them more vulnerable to attacks from adversaries who—let me emphasize—may use Mythos or similar models regardless of whether banks have access to them.

Google AdInline article slot

European banks lose—structurally and possibly irreversibly. It's not just about lack of access to a specific model. Binance Research data shows that AI-enhanced attacks yield 4.5 times more funds per attack and generate 9 times more transaction activity than traditional methods. In 2025, the number of impersonation cases rose 1400% year-over-year, with 88% of all deepfake fraud cases linked to crypto assets. Although these are crypto industry data, the attack methodology is universal—and European banks remain without a tool that could detect them.

The European regulator loses as an institution. Elderson's statement is an admission of structural weakness. The ECB cannot force Anthropic to provide access. It cannot conduct its own testing. It cannot assess the scale of the threat. All it can do is tell banks "prepare." This is not regulation; it is exhortation.

What the Media Is Not Saying

The first and most critical untold story: the ECB warning came three months after a massive bank data breach in France through a state registry—1.2 million accounts were compromised via stolen credentials of a government employee. This was not an AI-enhanced hack but a classic attack using social engineering and compromised credentials. If the European banking system could not defend against an attack of this level, how will it prepare for Mythos, which can "autonomously identify and exploit vulnerabilities at a speed and scale beyond existing tools"?

The second hidden factor: the problem is not only or even primarily with the banks themselves, but with their contractors. Elderson specifically emphasized that critical infrastructure and external service providers used by banks are at risk. This means the vulnerability perimeter is much wider than the banks' own balance sheets. Processing companies, cloud providers, SWIFT gateway systems, data centers—all could be compromised through vulnerabilities that a Mythos-like AI will find faster than humans can close them. And while US counterparts are tested through Mythos, European ones remain "blind."

The third underreported aspect: the economics of AI attacks make defense fundamentally more expensive than offense. Binance Research notes that AI-enhanced exploits currently cost about $1.22 per contract, and this cost is expected to drop by 22% every two months. This is a radically asymmetric economy. With an attack cost of $1.22, a bank must spend millions on defense. With falling attack costs, this gap will only widen. And while US banks, by testing Mythos, at least know which vulnerabilities to patch first, European banks are forced to defend against everything at once—which is impossible.

Forecast: Next 30 Days and 90 Days

30 days (by mid-June 2026):

The trigger will be Japanese banks gaining access to Mythos—expected within the next two weeks. When Mitsubishi UFJ, Sumitomo Mitsui, and Mizuho begin testing, the first real benchmark will appear: how many vulnerabilities Mythos finds in major Asian banks. This information will likely remain confidential, but the market will learn the scale through indirect signs—emergency system updates, unscheduled audits, rising cybersecurity spending.

The ECB, as planned in April, will begin formal collection of information from supervised banks on their readiness for AI attacks. I expect the survey results to be alarming, and the regulator may issue additional directives. It is also likely that the ECB will intensify diplomatic efforts to gain access to Mythos for European banks—but this will not happen quickly.

90 days (by mid-August 2026):

By the end of summer, the structural inequality that is now only emerging will become apparent. Banks with access to advanced AI tools (US and likely Japanese) will have a fundamentally different cyber risk profile than European ones. Rating agencies may begin to factor this into credit ratings—especially if at least one high-profile incident involving an AI-enhanced attack on a European bank occurs.

Quorum Cyber's 2026 report already notes that average ransom demands in the financial services sector have risen 179%, and the number of new ransomware groups has increased by 30%. One nation-state actor demonstrated the ability to automate up to 90% of the intrusion process using AI. If these trends continue, by August some European bank will almost inevitably become a victim—and then the question the ECB is now trying to preempt with its warning will arise: why did the bank not prepare for a threat the regulator warned about back in May?

Insider takeaway: Elderson's May 13 statement is not so much a recommendation as the creation of a regulatory alibi. When (not if) a European bank suffers a successful attack using Mythos-class AI tools, the ECB will be able to say: we warned you, the bank should have prepared. But the underlying problem remains unsolved: the European banking system has been cut off from a key defensive tool at a time when the economics of cyberattacks have radically shifted in favor of attackers. This is not a technology gap—it is a structural vulnerability embedded in the architecture of global financial regulation.

— Editorial Team

Advertisement 728x90

Read Next

Partner News