- The claim that traveled
- Rep. Andrew Garbarino (R-N.Y.), House Homeland Security chair: Anthropic "told the model to find a vulnerability in a bank and empty accounts, and then it went and did it."
- Where it came from
- Punchbowl News, June 2026. No second outlet reported it independently — aggregators reprint Punchbowl. The kidnap-a-lawmaker line is Punchbowl paraphrasing Garbarino, not a direct quote.
- What the AP wire says instead
- The model "identified certain vulnerabilities within hours, but that does not mean the model was able to exploit them within that time" — an anonymous U.S. official, June 2026.
- How many demos
- Three distinct events (April 22, May 15, June) are being collapsed into one.
- The asymmetry
- Anthropic's Mythos and Fable 5 were forced fully offline by export control (June 12). OpenAI's GPT-5.6 — reportedly viewed as "on par" with Mythos — gets a voluntary, customer-by-customer slow-roll instead.
- The thaw
- Anthropic's White House talks reportedly improved after it swapped CEO Dario Amodei for cofounder Tom Brown and policy head Sarah Heck.
The story that moved this week is a frightening one: a sitting committee chairman, fresh out of a classified briefing, telling reporters that an AI model was asked to break into a bank and empty accounts and “then it went and did it.” The same model, in another telling, could draft a plan to kidnap a member of Congress. Rep. Andrew Garbarino — who chairs House Homeland Security — added the line that gave the coverage its spine: “I’d say 95% of my colleagues don’t understand what the hell’s going on.”
He may be right about his colleagues. But the way to take a claim like this seriously is not to repeat it louder. It’s to check who said it, what they actually said, and what the more careful reporting around the same events says instead. Do that, and two things fall out that almost none of the coverage mentioned — and they change what the story is about.
What’s actually sourced, and what isn’t
Start with the quotes themselves. Garbarino’s most-shared lines — the bank that got “emptied,” the kidnapping plan — trace to a single outlet, Punchbowl News. Every other site carrying them is reprinting Punchbowl. Raw Story, which ran the most-circulated version, is unusually honest about it: the kidnapping detail, it notes, is how “Punchbowl News’ report reads, paraphrasing Garbarino’s remarks.” So the single most alarming specific in the whole cycle is not a quote at all. It’s one outlet’s paraphrase of one congressman’s recollection of a closed-door demo.
Now set that beside the reporting that did get independently corroborated. When the Associated Press reported on the same model and the same kind of testing, two outlets — SecurityWeek and Federal News Network — carried the wire copy word for word. Here is the operative sentence, from an anonymous U.S. official:
That is the whole ballgame. “Found a vulnerability” and “emptied the accounts” are not the same claim. The first is what careful, on-the-record-adjacent sources will stand behind. The second is what the capability becomes once it’s been through a briefing room and a politician’s retelling. The AP version also notes the testing ran through Project Glasswing, an Anthropic initiative that pulled in other large tech companies specifically to harden critical software — and that both the NSA and Anthropic declined to comment. None of that “declined to comment” caution survives into the viral version.
This is not to say the capability is fake. A model that can find real vulnerabilities in real systems at machine speed is a serious thing, and the defensive value cuts the same way as the offensive fear. But “found, not exploited” is the load-bearing distinction, it’s in the wire copy verbatim, and it’s the first thing the coverage dropped.
Three demos, not one
The second omission is structural. There was not “a demo.” There were at least three, and flattening them into one is how “identify and reason through vulnerabilities” turns into “it went and did it.”
- April 22 (Politico). The Department of Homeland Security’s NCITE center and the House Homeland Committee ran a closed-door briefing for all House members on “jailbroken” and “abliterated” models — models with their safety refusals stripped. The model names were concealed, and the set mixed U.S. and foreign systems. The member quoted is Rep. Gabe Evans (R-Colo.), not Garbarino, and the framing was generic: bombs, terror plans, the difference between a “censored” model (Claude, ChatGPT) and an “abliterated” one. This was not a Mythos demo.
- May 15 (Government Executive). This was the Anthropic one — company executives gave the Homeland panel a live demonstration of Mythos, with Garbarino and Ranking Member Bennie Thompson in the room. What it showed, per a committee aide, was “how advanced AI can identify and reason through software vulnerabilities,” and the aide’s takeaway was an argument for access: that federal defenders need the best U.S. models to “find and patch vulnerabilities before foreign adversaries or criminal actors exploit them.”
- June (Punchbowl). Garbarino’s retelling, where the careful May language — “identify and reason through” — has hardened into “find a vulnerability in a bank and empty accounts, and then it went and did it.”
The part nobody put next to it: OpenAI gets the soft touch
Here is the context that turns this from a scary-demo story into a policy story. On June 12, the administration placed an export-control directive on Anthropic’s two most capable models, Mythos and Fable 5. Rather than wall off individual foreign users — the order reached “all foreign persons,” including non-citizens working inside U.S. labs — Anthropic pulled both models globally. That is the maximal instrument: a model the company built, switched off worldwide by trade law.
Now look at how the same administration handled OpenAI days later. Per reporting from The Information (carried by TechCrunch, Engadget and CNN), the White House asked OpenAI to limit its next model, GPT-5.6 — which officials reportedly consider “on par” with Mythos — and OpenAI agreed to a far gentler arrangement. In a staff memo, Sam Altman reportedly told employees the government would be “approving access customer by customer” during a preview window, with a broader release to follow “a couple of weeks later.” A negotiated, time-boxed slow-roll. Not an export ban. Not a global shutoff.
And the asymmetry runs deeper than the unreleased GPT-5.6. The capability the government cited against Anthropic — a jailbreak that has the model read a codebase and surface its flaws — is, by Anthropic’s own account, “widely available from other models (including OpenAI’s GPT-5.5).” GPT-5.5 is shipping today. It was not banned. That is the question the bipartisan oversight letter to Commerce Secretary Lutnick has been circling for two weeks, and it’s the one this demo cycle quietly sharpens: if the dangerous capability is industry-wide, why is exactly one vendor’s model dark?
And the reason it’s thawing isn’t a finding
The last piece is the least technical and maybe the most telling. Anthropic’s path back to “generally available” appears to run not through a resolved security question but through a change of personnel. Per Wired, the company’s White House negotiations improved after CEO Dario Amodei — the most safety-forward voice among the frontier-lab CEOs — stepped back from the talks, handing them to cofounder Tom Brown and Head of Public Policy Sarah Heck. The characterization a source gave Wired is blunt:
Take that seriously as data, not gossip. If the same model, with the same capabilities and the same export directive, becomes more negotiable because a different person showed up to negotiate, then the binding constraint was never purely the model. It was the relationship. That should make everyone — the people who want the ban and the people who want it lifted — a little less confident that a clean national-security process is what’s driving the outcome.
Mythos is real, and a model that finds genuine vulnerabilities at machine speed is a real concern worth congressional attention. But the version of the story that traveled this week is shakier than the alarm suggests: the scariest specifics are single-sourced to one outlet and one of them is an outright paraphrase, while the independently corroborated wire copy says the model "identified" — not exploited — vulnerabilities, with both the NSA and Anthropic declining to comment.
The two facts the coverage left out point the same direction. The government forced Anthropic's model fully offline while letting OpenAI's "on-par" model stay up under a voluntary slow-roll — even though the cited capability is, by Anthropic's account, already shipping in GPT-5.5. And Anthropic's prospects reportedly improved when it swapped negotiators, not when it answered a technical question.
Put together, this looks less like a clean response to a discrete threat and more like capability, politics, and personality being sorted out in real time — with the public getting the fear in full resolution and the caveats in fine print. The capability deserves scrutiny. So does the process applying it to one company at a time.