Since Wargames was written almost a month ago, the release of Mythos has been delayed and relations with the Government appear to have been mended, after Anthropic hired a man simultaneously working for Ballard Partners and testifying about a FARA violation made by an American contractor in Venezuela before that operation. We didn't see this coming, but it's hard to overlook.
Then, on April 22, 2026, Bloomberg reported that a small group of users in a private Discord channel had been continuously accessing Claude Mythos Preview — the most powerful offensive cybersecurity AI ever documented — since the day Anthropic announced Project Glasswing. A different type of contractor is involved here: one with legitimate credentials, accessing systems.
This is the part everyone agrees to call a breach. The Discord group will probably be prosecuted. The contractor will probably be terminated. Anthropic will tighten partner agreements. Mercor will keep losing business and facing class actions. The word lands cleanly because everyone knows what the word means.
This article is about how the word gets stretched into an advantage. The same technical action happens at every layer of the system. The word breach applies to some layers and not to others. When a government agency or a credentialed group gets to decide which word applies, the leverage is locked in. Who that benefits may be classified information. Who it doesn't benefit is clear. Everybody else.
The Mythos Update — The Open Door
Wargames argued on April 7, 2026 that the insider threat question was the one no one was asking, and that the access boundary Anthropic had drawn — partner-vetted, scope-declared, revocable — would not hold against the actual surface area of human and supply-chain risk. The piece predicted a weak point. The prediction held: the weak point gave way exactly as predicted, on exactly the side it was predicted on.
What is documented in the public record:
📋 The Chain — Documented in Public Reporting
- Mercor breach (earlier, 2026): The group Lapsus$ compromised Mercor — an AI training and recruitment company — through a third-party open source tool called LiteLLM. Approximately 4TB of data was exfiltrated. Among it: enough metadata about Anthropic's file systems and naming conventions to make unreleased model locations guessable.
- The contractor seat: A member of the Discord group that came to be known as TeamPCP worked as a third-party contractor for Anthropic. They had legitimate credentials issued through a vendor environment.
- The guess: Using Mercor-leaked naming conventions and the contractor's seat, the group inferred where Mythos Preview was hosted and accessed it on the day Project Glasswing was publicly announced.
- The session: The group used the model continuously for weeks before Bloomberg's report on April 22, 2026 surfaced the activity. Anthropic confirmed it was investigating "unauthorized access to Claude Mythos Preview through one of our third-party vendor environments."
The proprietary clearance system Anthropic built around Mythos did exactly what it was designed to do. The proprietary clearance system did not matter. Both statements are true. The reason both statements are true is that the boundary held against the partners it was designed to gate, but did not hold against the third-party vendor environment Anthropic itself had issued credentials into. Manufactured permission is only as strong as the weakest seat in the organization that issued it.
A pattern that works is worth repeating, and contractors take note. On May 4, journalist Drey published a thread observing that the donor list for what was being called the White House "ballroom" project read like a procurement order for a classified data center — Caterpillar, Booz Allen Hamilton, Blackstone, Union Pacific, Microsoft Azure Government, 320 MW combined power, 160 feet underground. The word that applied at the donor-list level was "ballroom." The word that applied at the procurement level was something else. Both words were operating on the same project, in public, simultaneously. Nobody had to lie. The vocabulary did the concealment.
The anatomy of a… ballroom?
— Drey (@thedreydossier) May 4, 2026
Back in October, I started pulling the donor list for Trump’s ‘ballroom’ expecting the usual suspects- luxury brands draining their marketing budgets for a White House photo op
But there was no Steinway. No Hermès. No Baccarat.
In their place were… pic.twitter.com/39hbxcXPt1
Identical Keystrokes
In each scenario, the technical action is functionally the same: someone with credentials queries a system and extracts data they were not supposed to extract. The legal status diverges completely. The reason for the divergence is not technical. It is who manufactured the permission.
◈ Scenario One — The Discord Group
A Discord channel uses a contractor's credentials and leaked naming conventions to locate and access Mythos Preview. They use the model. They have continuous access for weeks before discovery.
Word that applies: Breach.
Legal status: Federal crime under the Computer Fraud and Abuse Act. Maximum penalty: ten years for a first offense involving access to a protected computer for commercial advantage or private financial gain. Could be charged today.
DENIED authorization.
◈ Scenario Two — The Contractor Who Tested the Boundaries
A third-party contractor at Anthropic, with legitimate access to vendor environments, uses that access to locate and view a model that was not part of their declared work scope. Same technical action as Scenario One, executed through one of the credentials Scenario One borrowed.
If you can find a way in, take it. That's the implicit charter when testing a system — let the strongest get through. But what they win is more than the access itself. They're testing the reaction at scale. They're proving the product is battle-tested. They're generating a warning to everyone outside: not everyone gets in, but those who do get the upper hand, especially when contracts are at stake.
Word that applies: "stress test." "Research." "Independent validation." Notably not "breach," because the contractor's credential converts the same action that puts the Discord group in federal court into a competitive advantage at the next renewal.
Legal status: Probably not a federal crime. Possibly a contract violation, an NDA matter, an internal investigation that resolves quietly. Same keystrokes. Different category because the credential was issued rather than borrowed.
ACCESS — until revoked.
◈ Scenario Three — The DOGE Engineer
A young engineer with no traditional government clearance is granted administrative write access to Treasury payment systems, OPM personnel records, SSA databases, and IRS systems on January 20, 2025, through an Executive Order signed the same day. The order's three operative sentences grant "full and prompt access to all unclassified agency records, software systems, and IT systems," displace prior frameworks, and waive private right of action. The 17 Inspectors General are fired the same night. The Department of Justice later acknowledges in AFSCME v. DOGE court filings that some DOGE employees unlawfully accessed and misused Americans' Social Security data. The acknowledgment is real. The access continues.
Word that applies: "Modernization." "Efficiency." Notably not "breach," even after the DOJ's own admission of unlawful access.
Legal status: Lawful at the moment of execution because the Executive Order constituted authorization. Some specific actions later determined unlawful retroactively. The actor faces no individual criminal liability of the kind a Discord user would face for substantively similar access.
MANUFACTURED.
◈ Scenario Four — SolarWinds
Russian SVR operators (APT29 / Cozy Bear) compromise SolarWinds' Orion build server, push a poisoned update to roughly 18,000 customers, and maintain access inside Treasury, Commerce, DHS, parts of DOD, and thousands of private companies for at least nine months before FireEye discovers the intrusion in December 2020.
Word that applies: "Breach" — but applied to the company SolarWinds, not the perpetrators.
Legal status: Indictable under federal law in theory. Unprosecutable in practice because the actors are state intelligence personnel of a non-extraditing power. The prosecution that does happen lands on SolarWinds itself and its CISO under SEC securities-fraud theories — most of which a federal court dismissed in July 2024. The actual perpetrators face zero consequences. The victim company's security officer becomes the named defendant.
UNKNOWN — to U.S. courts.
When Does a Breach Get Called a Breach
Stack the four scenarios next to each other and a pattern emerges that is so consistent it has to be structural rather than coincidental.
The word breach tracks reachability, not action. When the actor is reachable — a Discord channel, a teenager, a low-level contractor — the word lands and the consequences follow. When the actor is institutionally protected — a presidential appointee, a state intelligence service, a credentialed corporate partner — the word slides off and a softer word takes its place. "Modernization." "Operations." "Incident." "Exposure." Each of these is the word someone with standing reached for when the legal category breach would have been politically inconvenient.
This is the loophole. Not in a single statute. In the language layer that statutes operate on top of. The Computer Fraud and Abuse Act, written in 1986, hinges on the word authorization and treats authorization as a binary that someone either has or lacks. The Act does not ask:
- Who issued the authorization
- Whether the issuer had standing to issue it
- Whether oversight was performed before or after issuance
- Whether the authorization is reversible, and by whom
- Whether an audit trail exists
- Whether the authorization was generated in real time to bless an action that had already begun
These are the questions that determine whether something is actually a breach in any meaningful sense. The statute does not ask them. So the statute treats Scenario Three — administrative write access to Treasury systems generated by Executive Order on day one with no IG review — as legally equivalent to the credential structure of any other federal employee, while it treats Scenario One — same level of access, generated by guessing — as a felony.
The difference is not technical. The difference is who manufactured the permission, and whether that manufacturer had standing. Borrowed credentials are a felony. Issued credentials with no oversight are a service. The keystrokes don't know the difference.
Manufactured Permission
Once you see the pattern, permission is being manufactured at every layer of the system, by actors whose standing to manufacture it ranges from constitutionally clear to entirely asserted.
📋 Where Permission Comes From
- Statutory: Congress passes a law. An agency promulgates a rule. A court adjudicates. Public audit trail. Reversible through legislative or judicial process. ACCESS.
- Executive — MANUFACTURED: A president signs an order. The order generates authorization in real time. Standing is constitutionally defensible but contestable, especially when the order displaces prior frameworks. The DOGE Executive Order: four pages, three operative sentences, signed January 20, 2025, generating administrative access to federal systems on day one with no IG review (the 17 IGs were fired the same night), no congressional notification, and no private right of action. The provenance is presidential. The audit trail is the order itself.
- Corporate — MANUFACTURED: A company asserts a clearance regime over a capability with national security implications. Standing exists by default because no statute prohibits it. Project Glasswing: Anthropic vets partners. Anthropic declares scope. Anthropic revokes access. Anthropic decides what gets disclosed, when, and to whom. No statute authorizes the structure. No agency adjudicates participation. Forty-plus companies accept the regime because the alternative is no access at all.
- Adversary — UNKNOWN: A state intelligence service compromises a software supply chain. Standing is asserted unilaterally by the adversary's own legal framework, which U.S. law does not recognize. The provenance is, from the U.S. perspective, fictional — but operationally identical to the other layers. The keystrokes execute. The data moves.
- Improvised — DENIED: An individual without institutional standing accesses a system through guessing, social engineering, or borrowed credentials. The Discord group is the example. No issuer. No audit trail. No reversibility because there was nothing to reverse. The legal system has its clearest grip here.
Now stack them by how the legal system actually treats them, and the inversion is stark:
The Asymmetry the Statute Cannot See
Statutory permission — high oversight, low risk, lawful by default.
Executive manufactured permission — no pre-issuance review, high risk, lawful unless enjoined.
Corporate manufactured permission — single point of failure, high risk, lawful by default because no statute applies.
Adversary permission — operates undetected, highest risk, illegal but unprosecutable.
Improvised permission — limited capability, lowest systemic risk, felony.
Punishment intensity is inversely correlated with actual systemic risk. The Discord group goes to prison. The state actor faces no consequences. The corporate clearance regime operates without oversight. The executive-order access continues during litigation. The teenager who got into NORAD is the only one whose permission the statute can reliably touch.
This is not a flaw in the statute. This is the statute working as designed. The Computer Fraud and Abuse Act was built to criminalize trespass — the act of crossing an authorization line — not to evaluate the authorization itself. When authorization is the contested object, the CFAA is the wrong instrument. There is no right instrument, because no statute exists that takes who manufactured the permission as its subject.
The Cases Where Nobody Said Breach
The shape repeats once you start looking for it.
DOGE accessed Treasury, OPM, SSA, IRS. The DOJ admitted unauthorized access in court filings. No press release used the word breach. The administration's word was modernization. Career civil servants, inspectors general before they were fired, and several federal judges raised exactly the argument this article is making. Multiple lawsuits argued the access pattern violated the Privacy Act, the Computer Fraud and Abuse Act, and various agency-specific statutes. The litigation continues. The access continued during the litigation. MANUFACTURED.
SolarWinds compromised the federal civilian executive branch for nine months. The word breach applied to SolarWinds the company. The actual perpetrators — Russian SVR — were not the named defendants in any U.S. court case. The CISO of the victim company was. The intelligence community's term of art for tolerating useful intrusions is "intelligence gain/loss calculus" — meaning you don't always burn an adversary's operation if exposing it costs you more than tolerating it. UNKNOWN — to the public record, by design.
The Glasswing contractor environment was used continuously for weeks. Anthropic's word was "investigating." Press release language was "unauthorized access" rather than "breach." The framing distinction matters because breach implies a defensive failure; unauthorized access implies a perimeter that held. The perimeter did not hold. The contractor's credential held the door open. The legal category that applies to the contractor — assuming they kept their NDA-bounded relationship technically intact — is "policy violation," not "breach." The same keystrokes the Discord group is being prosecuted for were performed by someone with a credential that converts the same action into an HR matter.
The Mercor breach was called a breach. Lapsus$ are extraditable in theory; class action lawsuits hit the company; Meta paused contracts. The word landed because the actor was reachable enough to make consequences flow. The 4TB of data that flowed out into the world, however, became the raw material for the next layer of access — and the next layer was not called a breach, it was called "investigating."
The Question Nobody Is Asking
Wargames asked what happens when the government realizes it cannot take back what it tried to punish. Wargames II asks the question one layer down: what happens when the same technical action is treated as a felony, a service, a tolerated foreign operation, and a private contract matter — depending entirely on who issued the credential?
The answer that current law gives is: nothing happens, because the categories are doing the political work the law refuses to do. The Discord group is the felony. The contractor is the policy violation. DOGE is the service. SolarWinds is the unprosecutable foreign operation. Glasswing is the private contract. The technical reality underneath all five is the same. The political reality on top of all five is: the people who can be punished are the people who borrowed the keys; the people who issued the keys, however dubiously, are the people who get to decide what to call what happened.
This is the loophole stated plainly. Not provenance. Not technical. Breach is what they call it when they can punish you. Something else is what they call it when they can't, or when they don't want to. The leverage is the difference between those two sentences. Whoever holds the leverage decides which sentence applies.
What Closing the Loophole Would Require
- Standing to issue access cannot be self-asserted: If the executive layer or the corporate layer wants to manufacture permission to high-stakes systems, they should have to demonstrate standing rather than assume it. This is the move from sovereign immunity logic to administrative law logic, applied to access.
- Audit trail as a precondition of recognition: Manufactured permission that lacks an audit trail should not be legally recognized as permission. This would have prevented the DOGE access at the moment of execution rather than retroactively in court.
- Reversibility by an independent body: Manufactured permission that can only be reversed by the same actor who issued it is not permission, it is fiat. Glasswing, DOGE, and any future structure of the same shape should have to submit to external reversibility or operate as the private arrangements they actually are.
- The same word for the same action: When a Discord user does it, when a contractor does it, when a presidential appointee does it, when a foreign service does it — if the keystrokes are equivalent, the word should be equivalent. Either it is all breach or none of it is. The current selective application is what allows the asymmetry to persist.
None of the above currently exists in U.S. law. The opening is real. The frameworks have not been written. Laws that haven't been written haven't been captured yet.
The Companion Frame
Wargames argued that the only winning move was not to play, and that the U.S. government played and played itself. Wargames II argues that the rules of the game — selective application of the word breach based on who issued the credentials — were written long before this administration and will outlast it unless the rules themselves are rewritten.
The Discord group will be prosecuted. The contractor will be terminated. Anthropic will tighten partner agreements. None of these outcomes will touch the structural condition that produced the breach, because the structural condition is not at the layer the prosecution operates on. The structural condition is at the layer of the word. Breach is a word that selectively applies based on whose permission was crossed and who is doing the crossing. Until the word applies symmetrically, the asymmetry will reproduce itself at every layer where permission can be manufactured.
Mythos showed us the corporate layer. DOGE showed us the executive layer. SolarWinds showed us the adversary layer. Mercor showed us the supply chain layer. The Discord group showed us the layer the word reliably reaches. Five layers. One pattern. One word that only applies to one of them.
That's the loophole. Now everyone has the language for it.
This article was developed in conversation with Claude (Anthropic) following the April 22, 2026 Bloomberg report on the Mythos breach. The four-scenario comparison and the asymmetry-of-language frame emerged from working through the documented record alongside the question of why identical technical actions generate non-identical legal categories. All facts cited are sourced from public reporting and court filings; the analytical frame is Kaleido's. The loophole was not invented here. It was already operating. The article gives it a name.
The Documented Facts — May 2026
- The Mythos breach was disclosed publicly on April 22, 2026, three weeks after Project Glasswing was announced. Sources: Bloomberg, Euronews, Fortune, CBS News, Tom's Hardware, KQED.
- The mechanism involved a third-party contractor at Anthropic, naming conventions exposed in the earlier Mercor breach (perpetrated by Lapsus$ via LiteLLM, ~4TB exfiltrated), and a Discord group called TeamPCP.
- Anthropic confirmed the investigation. The access was reportedly contained to a third-party vendor environment.
- The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, hinges on "authorization" as a binary and does not distinguish between manufactured and adjudicated authorization.
- The DOGE Executive Order signed January 20, 2025 generated administrative access to federal systems through three operative sentences with no IG review, displacing prior frameworks.
- The Department of Justice acknowledged in AFSCME v. DOGE court filings that some DOGE employees unlawfully accessed and misused Social Security data.
- SolarWinds (APT29, December 2020) operated inside federal systems for at least nine months. The actual perpetrators face no consequences. The SEC's case against SolarWinds and its CISO was largely dismissed in July 2024.
- Project Glasswing operates as a private clearance regime over a capability with documented national security implications. No federal statute authorizes the structure.
- There is no comprehensive federal AI law. There is no federal statute that treats access provenance as its subject.