Ten days ago, Anthropic was preparing to celebrate. Its most powerful piece of software was finally going public, carefully restricted but available to a select group of trusted partners. Today, almost nobody can use it, and the company is fighting a government order that could reshape how powerful computer programmes are treated in law.
The story of what happened between those two moments involves a Senate hearing room, an authorised security test that reportedly went much further than expected, and a global shutdown that cut off allies, researchers and the company’s own foreign employees, with 90 minutes’ notice.
The central claim, which has not been independently confirmed by any government body and whose full details remain classified, came from a Senate briefing on the 11th of June. Senator Mark Warner told his colleagues that General Joshua Rudd, who heads both the National Security Agency and United States Cyber Command simultaneously, had privately told him that Anthropic’s most advanced tool had broken into nearly all of the NSA’s classified computer systems during an authorised test designed to probe for weaknesses. The exercise was controlled and deliberate. The result, according to General Rudd as relayed by Senator Warner, was not. “Broke into almost all of our classified systems, not in weeks, but in hours,” the Senator quoted him as saying.
That briefing took place on the 11th of June. One day later, the Trump administration directed Anthropic to restrict its tools to United States citizens only. Unable to verify nationality across its entire user base at short notice, the company had no practical choice but to shut everything down globally. It marked the first time the United States government had ever applied export controls directly to a software tool of this kind, rather than to the computer chips used to run it.
The tool at the centre of this is called Mythos. When Anthropic first unveiled it in April, the company was unusually candid about why it was not being released to the general public: it was simply too good at finding security vulnerabilities in computer systems. Rather than making it freely available, Anthropic opened access through a controlled programme called Project Glasswing, limiting use to roughly 200 vetted organisations, among them Amazon, Apple, Google, Microsoft, Nvidia, JPMorgan and the Linux Foundation. Even in that restricted setting, it had already proved its capabilities, uncovering a flaw in widely-used server software that had gone undetected for 27 years and identifying 271 previously unknown problems in Mozilla’s Firefox web browser.
The officially stated reason for the ban was different from the Rudd testimony, however. The government told Anthropic on the 12th of June that it had become aware of a method for bypassing the safety restrictions built into Fable 5, the version of the same underlying technology that had been made available to the public. That tool worked by adding protective filters on top of the more powerful system, intercepting requests flagged as potentially harmful and redirecting them to a less capable version. The government’s position was that those filters were not reliable enough. Anthropic’s position was the opposite. The company described the vulnerability as narrow and non-universal, argued that similar weaknesses existed in other widely available tools that faced no such restrictions, and warned that applying the same standard across the whole industry would effectively freeze all new software releases from every major developer.
The jailbreak, as it is known in the industry, was first reported to the Commerce Department by Amazon, which is both a significant financial backer of Anthropic and a competitor in the same market. A researcher working under the online name “Pliny the Liberator” separately published what he claimed was the full internal instruction set for Fable 5 on a public website within 48 hours of its launch.
The shutdown did not only affect Anthropic’s commercial customers. It cut off the intelligence and security agencies of the United Kingdom, Australia, Canada and New Zealand, the four nations that, together with the United States, form the intelligence-sharing arrangement known as the Five Eyes, without any prior warning. Britain’s AI Security Institute, which had been actively evaluating the software, found itself locked out mid-assessment.
The response from those four allied nations was unusual. Their intelligence agencies issued a joint statement that stopped short of naming Anthropic directly but left little doubt about the context in which it was written. “Frontier AI models are anticipated to exceed current industry expectations, fundamentally transforming both offensive and defensive cyber capabilities,” the agencies wrote. “The timeline is not years, it is months.” The statement was signed by, among others, the NSA’s own cybersecurity director and the acting head of the agency responsible for protecting American federal government computer systems.
As TechSpot reported in its detailed account of the episode, the political backdrop to the ban was already complicated before any of this began. The Trump administration had in February ordered all federal agencies to stop using Anthropic’s tools after the company declined contract terms that would have allowed its software to be used in weapons systems and for domestic surveillance at scale. The Pentagon had subsequently placed Anthropic on a list of suppliers considered a security risk, barring military contractors from working with it. Anthropic is contesting that designation in court.
Against that backdrop, the June 12 directive looked to some observers less like a clean security decision and more like the government using a legitimate concern to force a company it had already fallen out with into line. The Trump administration’s own voluntary framework, issued ten days before the ban, had asked developers to give the government 30 days of advance access before releasing powerful new tools. Fable 5 had launched seven days after that framework was announced, without any pre-release briefing.
Experts who examined the underlying threat assessment questioned whether the ban would achieve its stated purpose. Several noted that the capabilities in question could already be replicated using older, widely available software tools, including some developed in China that face no equivalent restrictions in the United States. Restricting one commercial product, they argued, would do little to prevent a determined state or criminal actor from pursuing the same goals by other means.
As of Monday, both tools remained unavailable to most users. Anthropic said it was “very confident” of a resolution within days, a statement made some time ago that had yet to materialise. Prediction markets were pricing in roughly even odds of the tools being restored before the end of June. President Trump, speaking on the sidelines of the G7 summit, said he no longer considered Anthropic a national security threat. “Well, not now, but a week ago, maybe,” he told the news outlet Axios. Negotiations, he said, were “going fine.”
Whether the NSA breach claim proves accurate in its full detail or not, the ten days it has set in motion have already changed something. The question of how governments should oversee powerful software tools and who gets to use them, and on what terms, is no longer theoretical.
