SEOUL, April 17 (AJP) — Claude Mythos, an artificial intelligence model developed by Anthropic to autonomously detect and potentially exploit critical software vulnerabilities, is another new import challenging South Korea’s lagging regulatory response to rapid technology advances.
Experts in Korea are already raising concerns over the lack of legal and ethical accountability.
“If such technology is misused, the developer must bear responsibility,” said Kwon Hun-yeong, a professor at the School of Cybersecurity at Korea University, warning that the exploitation of software vulnerabilities could carry serious legal consequences.
South Korea’s Ministry of Science and ICT convened a meeting with major cybersecurity firms on Wednesday morning to assess the impact of global AI-driven security projects and explore ways to safeguard local industry.
On Tuesday, the government separately held an emergency review with the country’s three major telecom operators and leading platform companies, including Naver and Kakao.
Mythos is a tightly controlled preview system, available only to a limited number of partners through Anthropic’s “Project Glasswing” program, which provides early access to advanced AI models for cybersecurity research.
It is reported to autonomously detect software weaknesses at an advanced level, a capability that can also be misused for malicious attacks and potentially pose risks to the global financial system.
In just two days, using around $20,000 in computing power, it uncovered a previously unknown flaw in OpenBSD, a highly secure open-source operating system, that had gone undetected for 27 years.
Park Choon-sik, a professor of information security at Ajou University, said such tools could help identify and fix weaknesses but could also provide attackers with a clearer map of system vulnerabilities.
“If these capabilities fall into the wrong hands, hacking could become faster, easier and far cheaper,” he said. “This kind of capability should not be allowed to evolve into a weapon.”
Beyond detecting vulnerabilities, Mythos is believed to map attack paths and minimize traces after execution, compressing tasks that once took years into hours. Such speed makes it difficult for traditional security systems to keep up.
South Korea’s ICT sector is stepping up its defenses. Following Tuesday’s emergency meeting, companies scrambled to strengthen internal security protocols and expand AI-based threat monitoring.
Naver is closely tracking global security developments linked to Mythos, stepping up real-time monitoring and analyzing AI-driven attack patterns while deepening cooperation with government authorities.
Kakao is also reinforcing its security posture, reviewing internal information protection systems and expanding monitoring to prepare for potential risks.
Toss is strengthening core security practices, including asset management, vulnerability scanning and access control, while enhancing intrusion detection, log management and backup systems.
The telecom sector is tightening defenses, with SK Telecom, KT and LG Uplus expanding vulnerability analysis and continuous monitoring, strengthening anomaly detection and upgrading AI-based threat response capabilities.
Park noted that organizations are already capable of identifying vulnerabilities with precision, but the core issue lies in how quickly they respond.
“Organizations will need to eliminate weaknesses through patches before they are exploited,” he said. “In many cases, the problem is not detection but the failure to respond once weaknesses are identified.”
Despite stepped-up defenses, some experts point to the need for broader governance.
Kwon said the focus should not be limited to restricting the technology, but also on how it can be used to strengthen defenses, noting that developers could build systems to counter the very threats their models create.
“Rather than treating all uses as inherently illegal, there needs to be a framework that allows responsible use while preventing abuse,” he said, warning that the issue could have significant legal and societal repercussions if left unaddressed.
In the cybersecurity industry, such risks have traditionally been managed through coordinated vulnerability disclosure, where vulnerabilities are reported privately and disclosed publicly only after patches are developed.
The speed and scale of AI-driven discovery, however, are outpacing existing frameworks, compressing the window between discovery and exploitation.
Kwon stressed that rather than imposing legal prohibitions on the exchange of vulnerability information, “we need to focus on how it can be used constructively,” emphasizing that the discussion must be translated into action quickly.
Copyright ⓒ Aju Press All rights reserved.