The COBOL Time Bomb: Why Anthropic's Mythos Has Banks Scrambling
By ByteMonk
Summary
Topics Covered
- COBOL at Core: Why Banks Still Run 1970s Code
- Same COBOL, Different Outcomes: Engineering Firepower Matters
- Mythos Finds Bugs Humans Missed for 27 Years
- The Breach: They Guessed the URL
- 18-Month Window to Fix 30 Years of Technical Debt
Full Transcript
Every central banker in the world is panicking right now. India, the US, the UK, Singapore, the EU. Emergency meetings all happening within the same week about an AI model from Anthropic called Mythos. A model the public will never get to use. If you have used an Indian bank's website, you know the pain. You click transfer money, the page takes 10 seconds to load. You hit submit, session expired, the back button does not work. You all know it is bad. Most people do not know why, which is funny because Indian software engineers are everywhere. They run engineering teams at Google, Meta, JP Morgan, Goldman Sachs. They build the systems the whole world uses. But the bank website back home is still stuck in the 1990s. In this video, we are going to break down what Mythos actually is, why it has every central bank in the world panicking, why Indian banks and government systems are in the worst position, and what you should be doing about it as a software engineer. Let's get started.
Now to understand what is happening, we have to go back to 1959. That year, the US Department of Defense pulled together a committee to design a programming language. The lead engineer was a US Navy officer named Grace Hopper. The language they built was called COBOL, Common Business-Oriented Language. COBOL had one job: process huge volumes of business transactions very reliably. Read a number, do some math, write the number back. Do it a million times a night without a single mistake. It was really good at this. So good that by the 1970s, banks all over the world started running their core systems on COBOL. Then airlines, then insurance companies, then governments. Now fast forward to today. COBOL is older than the moon landing, older than the internet, older than your parents. And yet 43% of Indian banks still run their core banking on COBOL. Globally, COBOL still handles 95% of all ATM transactions. 44 out of the top 50 banks in the world rely on mainframes.

But why is the technology that moves trillions of dollars a day still being used? Three reasons. One, it works. These systems have been running for 40 years without crashing. That kind of reliability is hard to throw away. Number two, it is too risky to replace. In 2018, a UK bank called TSB tried to migrate from COBOL to a modern system. The migration broke. Almost 2 million customers got locked out. Some logged in and saw other people's bank accounts. The total damage was over 300 million. And finally, nobody fully understands it anymore. The original COBOL programmers retired. The documentation, if it ever existed, is mostly lost. So now you cannot rewrite what nobody understands. So banks did the only sensible thing. They left the COBOL alone, and they built modern websites and apps on top of it.

So when you log into your bank's website and click transfer money, your request travels through three different worlds built decades apart and never meant to talk to each other. The top layer is the front end, probably React: the button you click, the form you fill, the loading spinner. The middle layer is the middleware, written sometime in the 2010s. Its only job is to translate web requests into something the old system can understand. The bottom layer is the mainframe, running COBOL since 1985. The system that actually moves the money. Three layers, three generations of engineers, three completely different ideas of how computing should work. And this is also why your back button does not work. Why your session expires for no reason. Why dropdowns hang. The mainframe creates a stateful session every time you log in. Fixed time limit. Strict step order. So if you take too long, it hangs up. If you press back, the browser and the mainframe disagree on what step you are on. So the system kills the session for safety. The front end engineers cannot fix any of this. The slow part lives in a layer they are not allowed to touch.
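To make the three-layer problem concrete, here is a small model of the stateful, strict-order, time-limited core session the video describes, plus a middleware shim that answers a repeated back-button submit from its own cache instead of forwarding it. This is an added illustration, not code from the video or from any bank's middleware; the step names, the 60-second limit and the replay-the-last-screen strategy are assumptions.

```python
"""Model of a strict-order, time-limited core session and a middleware shim that
absorbs the browser's back button. Added illustration; step names, timeout and the
replay strategy are assumptions, not any real bank's design."""
from dataclasses import dataclass, field


class SessionKilled(Exception):
    """Raised when the core decides the conversation is unsafe and drops it."""


@dataclass
class MainframeSession:
    """The bottom layer: one fixed sequence of screens, one timer."""
    steps: tuple = ("login", "select_account", "enter_amount", "confirm")
    timeout: float = 60.0          # assumed fixed time limit, in seconds
    started_at: float = 0.0
    position: int = 0              # index of the next step the core expects
    alive: bool = True

    def advance(self, step: str, now: float) -> str:
        if not self.alive:
            raise SessionKilled("session already terminated")
        if now - self.started_at > self.timeout:
            self.alive = False
            raise SessionKilled("session expired")       # "you took too long"
        if self.steps[self.position] != step:
            # Browser and core disagree on where we are. The core cannot tell a
            # stale back-button submit from a replayed transaction, so it
            # terminates rather than guess.
            self.alive = False
            raise SessionKilled(f"expected {self.steps[self.position]!r}, got {step!r}")
        self.position += 1
        return f"screen:{step}:ok"


@dataclass
class Middleware:
    """The 2010s layer. It cannot change the core, but it can remember what the
    core already acknowledged and answer repeats itself."""
    core: MainframeSession
    acknowledged: dict = field(default_factory=dict)

    def submit(self, step: str, now: float) -> str:
        if step in self.acknowledged:
            # Back button: the browser re-posts a step the core already accepted.
            # Replay the cached screen instead of forwarding it to the core.
            return self.acknowledged[step]
        result = self.core.advance(step, now)
        self.acknowledged[step] = result
        return result


def naive_flow(repeat_back_button: bool) -> bool:
    """Browser talks to the core directly. True if the transfer completed."""
    core = MainframeSession(started_at=0.0)
    try:
        core.advance("login", 1.0)
        core.advance("select_account", 2.0)
        if repeat_back_button:
            core.advance("select_account", 3.0)   # user pressed back and resubmitted
        core.advance("enter_amount", 4.0)
        core.advance("confirm", 5.0)
        return True
    except SessionKilled:
        return False


def shimmed_flow(repeat_back_button: bool) -> bool:
    """Same journey through the middleware shim."""
    mw = Middleware(core=MainframeSession(started_at=0.0))
    try:
        mw.submit("login", 1.0)
        mw.submit("select_account", 2.0)
        if repeat_back_button:
            mw.submit("select_account", 3.0)
        mw.submit("enter_amount", 4.0)
        mw.submit("confirm", 5.0)
        return True
    except SessionKilled:
        return False


def timed_out_flow() -> bool:
    """The shim cannot help with the fixed time limit: that lives in the core."""
    mw = Middleware(core=MainframeSession(started_at=0.0))
    try:
        mw.submit("login", 1.0)
        mw.submit("select_account", 90.0)   # came back after the timeout
        return True
    except SessionKilled:
        return False
```

The point of the two flows is where the fix can live: the front end can only change what it sends, the core's rules are fixed, so the only place that can make the back button safe is the middleware, and even it cannot stretch the core's timer.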
Now if every bank in the world has the same COBOL at the bottom, why do Chase and Bank of America websites feel smooth while ICICI feels like the 1990s? The COBOL is the same. Everything above it is not. JP Morgan Chase has 50,000 engineers on staff. They literally call themselves a technology company. They have spent the last 15 years rewriting their middleware layer, building proper APIs, adding caching, putting product engineers next to backend engineers. The COBOL is still there at the bottom, but every layer above it is world class. Most Indian banks run on package products: Finacle from Infosys or Flexcube from Oracle. They are good products, but they are products, not a 50,000 person engineering team. So when ICICI wants to add a new feature, they file a ticket with a vendor. When Chase wants to add a new feature, they walk over to the next desk. And there is one more reason. Indian banks have to deal with regulations US banks do not: two-factor authentication on every transaction, Aadhaar verification, UPI integration on top of legacy core banking. Each one is a good idea on its own, but each one adds a layer on top of an already heavy stack. Same COBOL, different outcomes. But the smooth Chase front end does not protect Chase from a bug Mythos finds in the 1985 mainframe.
And that is what is keeping central bankers up at night. Now, before we get into the panic, let me quickly explain what Mythos actually is, because a lot of you are probably hearing about this for the first time. Mythos is an AI model built by Anthropic, the same company that makes Claude. You have probably used Claude for coding or writing. But Mythos is not a chatbot. You cannot use it to write an email or fix your code. Mythos has one specific job. It reads code and finds security bugs. Think of it like this. A regular AI like Claude is a generalist. It can do a thousand things all reasonably well. Mythos is a specialist. It does one thing, but it does that one thing better than almost any human security engineer alive.

On April 7, 2026, Anthropic announced Mythos. And along with the announcement, they said they were not going to release it to the public because in internal testing, Mythos did things no AI had ever done before. Anthropic pointed it at OpenBSD, an operating system that is famous for being secure. Some of the best security engineers in the world have audited it for decades. Mythos found a security bug that had been hiding inside it for 27 years. And then it found another one in a video software called FFmpeg, in a single line of code. Automated bug finding tools had checked that exact line 5 million times without spotting it. But the scary part is what happened when Anthropic asked Mythos to not just find bugs, but to write code that exploits them. Their previous best AI, Claude Opus, could do this about 0% of the time. Mythos did it 72% of the time. One Anthropic engineer with no security training asked Mythos to find a remote code execution bug overnight. He woke up the next morning to a complete working exploit sitting on his screen. Now watch what happened around the world.
Mid-April, the CEOs of every major US bank are called in for an emergency meeting in Washington. Late April, the Bank of England starts running AI risk tests. German banks bring in cyber security experts. Early May, the EU demands access for European banks. Singapore's central bank meets with their bank chiefs. India's finance minister holds emergency meetings with the heads of every major Indian bank. And this week, the RBI in India is figuring out what to do. Every central bank in the world is having emergency meetings about an AI model they cannot even use.

I believe there are three reasons banks are scared. Number one, they have the largest amount of old code on Earth. A single big bank has more lines of COBOL than most countries have lines of any code. Some of the largest banks have over 300 million lines of COBOL at the core. Every line is a possible bug. Mythos does not get tired. Mythos does not retire. It just keeps reading. Now, when Mythos found that 27-year-old bug in OpenBSD, that was an operating system built for security, public source code that thousands of people had reviewed. Now imagine pointing it at a million lines of private COBOL written in 1985, never reviewed since the original author left the company. Code the bank's own security team is not even allowed to read because it belongs to an outside vendor.

Number two, banks cannot patch fast enough. When an AI finds a bug, it takes a few hours. When a bank fixes a bug, it takes months: approval committees, regulator sign-offs, testing cycles, deployment to thousands of branches and ATMs. The attacker has hours, the defender has months. The math just doesn't work. And here's the part that should worry the Indian government. JP Morgan Chase has 50,000 engineers to throw at this problem. A bank like ICICI in India has a few hundred plus a vendor contract. Both are exposed. Only one has the firepower to respond fast.

And number three, banks cannot even see their own attack surface. The same reason your bank's website is clunky, undocumented systems, retired engineers, three layers nobody fully owns, that same reason means the bank security team genuinely does not know everything that is running inside their own network. Their own list of what they own is incomplete. Mythos does not need an accurate list. It scans everything. The clunky UI and the security panic are the same disease.
And Indian banks have it in a much worse form. Now you might be thinking, okay, but Anthropic is not releasing Mythos, so we are safe, right? Not really. And here's the part that almost nobody is talking about. Anthropic shared Mythos with about 60 trusted partners under a program called Project Glasswing: AWS, Google, Microsoft, Apple, JP Morgan, Cisco. The idea was, let the good guys patch their systems before the bad guys catch up. On April 21st, Bloomberg broke a story that an unauthorized group already got access to Mythos. On the same day, Anthropic announced it. They won. And the way they did it is the part every engineer needs to hear. They did not hack Anthropic. They did not break into AWS or Apple or any of the big partners. What they did was much more boring. They guessed the URL. Anthropic uses a predictable naming pattern for their model endpoints. The group recognized the pattern from earlier models. They typed in what they thought the Mythos URL would be, and they were right. They also used API keys and login credentials shared by an authorized contractor. Some of those credentials had leaked in an unrelated breach at a different company called Murder, and an employee at one of Anthropic's third party vendors helped them get in, knowingly or not. So even with 60 handpicked partners, Anthropic could not keep Mythos contained for one day. The model is already in the wild.
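Both ingredients of that breach, a client walking a predictable endpoint naming pattern until it hits, and a partner's credential being used from somewhere the partner never operates, leave a signature in ordinary access logs. The detector below runs over a handful of constructed log lines and raises one alert for each. This is an added example and not Anthropic's code; the log format, the '/v1/models/<family>-<version>' naming scheme, the key ids and the per-credential origin allow-list are all invented for illustration.

```python
"""Two log-based detections for the breach pattern described in the video:
endpoint-name enumeration and credential use from an unregistered origin.
Added example; log format, naming scheme, keys and IP ranges are constructed."""
import re
from collections import defaultdict

# Constructed access log: timestamp, client IP, api-key id, method, path, status
SAMPLE_LOG = """\
2026-04-20T01:00:01Z 203.0.113.7 key-contractor-17 GET /v1/models/titan-4 200
2026-04-20T01:00:02Z 203.0.113.7 key-contractor-17 GET /v1/models/titan-5 404
2026-04-20T01:00:03Z 203.0.113.7 key-contractor-17 GET /v1/models/titan-5-preview 404
2026-04-20T01:00:04Z 203.0.113.7 key-contractor-17 GET /v1/models/titan-5-internal 404
2026-04-20T01:00:05Z 203.0.113.7 key-contractor-17 GET /v1/models/titan-5-alpha 200
2026-04-20T01:00:06Z 198.51.100.9 key-partner-02 GET /v1/models/titan-4 200
2026-04-20T01:00:07Z 198.51.100.9 key-partner-02 GET /v1/models/nonexistent 404
"""

# Constructed: the address range each credential's owner registered. A plain
# prefix match keeps the example free of third-party dependencies.
ALLOWED_PREFIX = {
    "key-contractor-17": "192.0.2.",    # contractor's office range (constructed)
    "key-partner-02": "198.51.100.",    # partner's range (constructed)
}

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
MODEL_PATH = re.compile(r"^/v1/models/([a-z]+)-(\d+)")   # assumed naming scheme


def parse(log_text):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, ip, key, method, path, status = m.groups()
            yield {"ts": ts, "ip": ip, "key": key, "path": path, "status": int(status)}


def detect_enumeration(events, min_misses=3):
    """Flag a client that probes several unreleased names in one versioned
    family and then lands a hit: the shape of 'guessing the URL'."""
    misses = defaultdict(list)
    alerts = []
    for e in events:
        m = MODEL_PATH.match(e["path"])
        if not m:
            continue
        bucket = (e["ip"], m.group(1))          # per client, per model family
        if e["status"] == 404:
            misses[bucket].append(e["path"])
        elif e["status"] == 200 and len(misses[bucket]) >= min_misses:
            alerts.append({"rule": "endpoint-enumeration", "ip": e["ip"],
                           "hit": e["path"], "probes": list(misses[bucket])})
    return alerts


def detect_credential_misuse(events, allowed=ALLOWED_PREFIX):
    """Flag any credential used from outside the range its owner registered."""
    seen = set()
    alerts = []
    for e in events:
        prefix = allowed.get(e["key"])
        if prefix and not e["ip"].startswith(prefix) and (e["key"], e["ip"]) not in seen:
            seen.add((e["key"], e["ip"]))
            alerts.append({"rule": "credential-outside-origin",
                           "key": e["key"], "ip": e["ip"]})
    return alerts


def run(log_text=SAMPLE_LOG):
    events = list(parse(log_text))
    return detect_enumeration(events) + detect_credential_misuse(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Neither rule is sophisticated; what makes them work is that the logs record the key id and the client address on every request, which is exactly the observability the video asks you to build before you need it. The structural fixes sit alongside: per-principal credentials so a contractor's leaked key cannot be mistaken for a partner's, and origin binding so a key is useless from anywhere else.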
And on top of that, Anthropic itself estimates that within 12 to 18 months, similar models will be available as open source. OpenAI has already said they have one in development. If you are a senior engineer at a bank, a fintech, a government project, or any company running old code, audit yourself before someone else does. Run modern security tools plus an AI code review on your own systems today. Reduce your attack surface. Every old API exposed to the internet is now a target. If it does not need to be public, take it off the public internet. Compress your patch cycle. The committee that takes 3 months to approve a patch is now your biggest security risk. AI-found bugs are going to start landing every week. Map your vendors, because the Mythos leak happened through a contractor. The next breach in your company will too. If you cannot list every vendor with access to your systems, you are already losing. Stop adding features to the legacy core. The strategy is something called the strangler pattern. New features go to a new modern service. The old systems get slowly drained one capability at a time.
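Here is the strangler pattern in miniature: one facade in front of the legacy core, a routing table that moves capabilities off the core one at a time, and a shadow stage that runs the new service beside the old one and refuses cutover while the two disagree, which is the kind of check that would have caught the TSB-style failure before customers did. This is an added example, not code from the video or from any bank; the capability names, the toy ledger standing in for the COBOL core, and the legacy/shadow/new promotion policy are assumptions.

```python
"""A strangler facade with a shadow stage. Added example; the toy ledger, the
capability names and the promotion policy are assumptions, not a real core."""
from dataclasses import dataclass, field


class LegacyCore:
    """Stand-in for the COBOL core behind the middleware. Amounts are in paise."""
    def __init__(self):
        self.balances = {"ACC-1": 100_000, "ACC-2": 5_000}

    def balance(self, req):
        return {"account": req["account"], "paise": self.balances[req["account"]]}

    def transfer(self, req):
        src, dst, amt = req["from"], req["to"], req["paise"]
        if self.balances[src] < amt:
            return {"ok": False, "reason": "insufficient funds"}
        self.balances[src] -= amt
        self.balances[dst] += amt
        return {"ok": True}


class NewBalanceService:
    """First capability carved out. Reads through to the same ledger for now; this
    is where new behaviour (caching, modern auth) would be added."""
    def __init__(self, core):
        self.core = core

    def balance(self, req):
        return self.core.balance(req)


class BuggyBalanceService(NewBalanceService):
    """Constructed defect: returns rupees where paise are expected."""
    def balance(self, req):
        r = super().balance(req)
        return {"account": r["account"], "paise": r["paise"] // 100}


@dataclass
class StranglerFacade:
    core: LegacyCore
    new_services: dict                         # capability -> object with that method
    mode: dict = field(default_factory=dict)   # capability -> "legacy" | "shadow" | "new"
    mismatches: list = field(default_factory=list)

    def handle(self, capability, req):
        mode = self.mode.get(capability, "legacy")
        legacy_fn = getattr(self.core, capability)
        if mode == "legacy" or capability not in self.new_services:
            return legacy_fn(req)
        new_fn = getattr(self.new_services[capability], capability)
        if mode == "new":
            return new_fn(req)
        # shadow: the legacy answer is authoritative; the new answer is compared and logged
        old, new = legacy_fn(req), new_fn(req)
        if old != new:
            self.mismatches.append({"capability": capability, "legacy": old, "new": new})
        return old

    def promote(self, capability):
        """Move one capability one stage forward. Cutover is refused while shadow
        traffic has produced any mismatch. Returns True if the stage advanced."""
        cur = self.mode.get(capability, "legacy")
        if cur == "legacy":
            self.mode[capability] = "shadow"
            return True
        if cur == "shadow":
            if any(m["capability"] == capability for m in self.mismatches):
                return False
            self.mode[capability] = "new"
            return True
        return True


def migrate_balance(service_cls):
    """Shadow the balance capability, then attempt cutover.
    Returns (cut_over, mismatch_count)."""
    core = LegacyCore()
    facade = StranglerFacade(core=core, new_services={"balance": service_cls(core)})
    facade.promote("balance")                           # legacy -> shadow
    for acc in ("ACC-1", "ACC-2"):
        facade.handle("balance", {"account": acc})
    facade.handle("transfer", {"from": "ACC-1", "to": "ACC-2", "paise": 1_000})  # still legacy
    cut_over = facade.promote("balance")                 # shadow -> new only if clean
    return cut_over, len(facade.mismatches)
```

Shadow mode as written is only safe for reads: running a transfer through both engines would move the money twice. Writes get strangled with a different check, usually replaying the legacy journal into the new service and reconciling the two ledgers offline, and only then taking the write path over.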
You build a second engine alongside and you slowly shift the load. And invest in observability before you need it. When the first AI-driven attack hits, the difference between catching it in minutes and catching it in days will come down to one thing: how good your logs are. Anthropic is holding Mythos back today, but they have said similar models will be open source in 12 to 18 months. So that is the window: 18 months to fix what nobody has fixed in 30 years.

If there is one skill I would tell every senior engineer to invest in right now, it is cyber security. It is evergreen. It is not going away. And with models like Mythos changing the threat landscape every 6 months, the engineers who understand security are going to be the most valuable people in any company. That is exactly why I built the Cyber Security for Developers course on ByteMonk Academy, and why I'm encouraging every one of my students to take it. Beta is live with this video. Link in the description. Start now and subscribe so you do not miss it. I'll see you in the next one.