Russia’s Advantage in the Age of AI Cyberwarfare 

On April 7, 2026, Anthropic introduced Claude Mythos Preview, a model that converts vulnerabilities into working exploits with a 72.4% success rate in the Firefox JS shell testbed. In plain English: Mythos can reliably turn many software bugs into real, ready‑to‑run hacks with minimal human expertise or manual effort. This model is a massive step change in offensive cyber capacity. It significantly lowers the barrier to entry for hacking critical systems, democratizing offensive cyber weapon access. The process of hacking is accelerating to a pace we have never seen. 

I argued in my recent essay for War on the Rocks that Mythos marks a nuclear-analog moment in cyberspace for what it does to the global balance of cyberpower and the framework of cyber deterrence. The capability gap between nation-state offensive cyber and non-state actors has collapsed. In the age of AI hacking, Russia will pull ahead by scaling and weaponizing its existing ecosystem of deniable criminal proxies and state-linked operators. Russia is the asymmetric beneficiary of this new period of cyberwarfare because its offensive ecosystem architecture is already designed, institutionally and in terms of doctrine, to take maximum advantage of the jump in capabilities Mythos enables. 

This essay focuses on the U.S.–Russia bilateral and not a comprehensive ranking of AI-cyber threats. China clearly possesses greater raw capacity (frontier domestic models, a larger state cyber apparatus, deeper talent pools) and warrants its own treatment. The claim here is narrower, that within the U.S.–Russia dynamic, Russia stands to gain relative to its current position against the United States from the Mythos moment. 

Three features define that relative shift: 1. Russia operates a privateer model that outsources offense to criminal proxies under intelligence-service tolerance and, often, direct tasking. 2. It integrates cyber with disinformation and sabotage in a single coercive package. 3. Its AI stack (the full end-to-end pipeline of training data, models, compute and deployment tools that encompasses “AI”) faces a far weaker version of the regulatory, commercial or journalistic constraints that limit Western frontier labs.

The vital U.S. interest at stake is straightforward. The current Washington cybersecurity toolkit (sanctions, indictments, Geneva-style diplomatic agreements on cyber rules of the road) was built for slower, more identifiable state actors and not for a distributed ecosystem of AI-accelerated privateers. Unless that toolkit is updated quickly, Russian adoption of these weapons will arrive before the U.S. has a response to it. 

A fair question: How would Russia get Mythos at all? Anthropic has not released the model publicly; access is currently limited to a handful of Project Glasswing partners tasked with patching vulnerabilities before they can be exploited at scale. 

But two factors make Russian acquisition a matter of when, not if. First, public models “catch up” to frontier AI capabilities quickly. GPT-4-class performance took roughly 18 months to appear in open weight (i.e., publicly accessible) models, and the gap has narrowed with each generation. Chinese and open-source developers will build their own Mythos-class systems, and their weights, once released, cannot be recalled. Anthropic itself predicts it will take six to eighteen months for other models to catch up to where Mythos is today. Second, Russian intelligence services have a long record of stealing what they cannot build (from the Venona-era atomic program to the 2020 SolarWinds compromise of U.S. federal networks), and Glasswing expands Russia’s potential targets from one lab to more than a dozen partner firms. Bloomberg has already reported that on April 21, Mythos was accessed by unauthorized users.

One might argue that Mythos is a defender's tool first, and that offense won’t necessarily be enhanced over defense. After all, Project Glasswing exists precisely so firms can find and fix flaws before attackers exploit them, and the optimistic view is that defense stays ahead. That may yet prove right. But it requires two things to hold: that every Glasswing partner keeps the capability inside the tent, and that companies can ship patches faster than attackers can weaponize the bugs Mythos uncovers. Neither condition is holding now. By Anthropic's own reporting, over 99% of the vulnerabilities Mythos has identified are unpatched. Writing and deploying a fix takes weeks (and sometimes months) while building a working exploit takes hours or minutes. Even if Anthropic's safeguards hold, they buy time rather than prevent proliferation, and that asymmetry favors whichever side is set up to move fastest at scale. As I argue below, that side is Russia.

The Privateer Model Scales

The first proposition is that Russia has already solved the hardest problem AI creates for offensive cyber actors: how to field a distributed attack force that can exploit newfound democratized access to cyberweapons. It did so years before Mythos by cultivating a stable of semi-autonomous criminal groups and front companies. They operate at internet scale, enjoy de facto state protection, and can be pointed toward strategic targets without ever wearing a Russian uniform. The FBI's 2024 Internet Crime Report logged a record $16.6 billion in losses, up 33% year over year, with Russian-speaking ransomware among the most prominent strains. The U.S. has indicted dozens of Russian nationals for cyber offenses since 2014. (Yet, it has not secured a single extradition from Russian territory.)

This “semi-autonomy” of privateers has morphed over time from tacit approval to more overt state-directed control. On Oct. 1, 2024, the U.K.'s National Crime Agency, co-signed by U.S. Treasury and Australia’s Department of Foreign Affairs, stated on the public record that Evil Corp "were tasked by Russian Intelligence Services to conduct cyber-attacks and espionage operations against NATO allies.” That signals growth beyond indifference into the direct tasking of hacker groups. The U.S. Treasury, sanctioning LockBit administrator Dmitry Khoroshev in May 2024, used the operative phrase: "Russia, where groups such as LockBit are free to launch ransomware attacks against the United States, and its allies and partners, continues to offer safe harbor for cybercriminals."

Consider what that safe harbor produced at its current, pre-Mythos ceiling. In February 2024, a Russian‑speaking ALPHV/BlackCat affiliate compromised a Change Healthcare remote‑access portal, moved laterally for about a week, and deployed ransomware across a system that processes roughly half of all U.S. medical claims. UnitedHealth paid a reported $22 million in Bitcoin to the ALPHV/BlackCat gang. Over 190 million Americans' health records were potentially exposed, widely described as the largest U.S. healthcare breach on record. 

No Russian soldier was involved. No GRU officer (formally the GU, or Main Directorate, of Russia's General Staff) needed to lift a finger. AI lowers the cost of entry for the privateer model at precisely the moment frontier-class capability (the ability to find software flaws, stitch them together into usable attacks and penetrate target systems without human direction) migrates from fifty-person nation-state teams to individual hacking operators in basements. 

A brief note on the organizations involved. Russian offensive cyber and information operations run across multiple agencies: the Federal Security Service’s cyber arm (which has historically tasked groups like Evil Corp); the Foreign Intelligence Service (responsible for longer-term espionage operations like the 2020 SolarWinds compromise); and the military intelligence service. The Ministry of Defense has also developed cyber troops (Information Operations Forces). Where this essay refers to "Moscow-adjacent operators," the shorthand is meant to capture this whole ecosystem (military, intelligence and contracted criminal) rather than a single agency. This service is officially called Glavnoye Upravleniye Generalnogo Shtaba VS RF (Main Directorate of the General Staff of the Armed Forces of RF), officially abbreviated as GU, though it is still commonly known by its Cold War abbreviation GRU (as in Glavnoye Razvedyvatelnoye Upravleniye).

The structural contrast with U.S. offensive cyber entities is large. U.S. Cyber Command operates with a culture steeped in high-end craft, building exquisite and narrowly tailored cyberweapons (e.g., Stuxnet). American offense is the product of months of development aimed at specific adversary systems. That is the right posture for highly strategic targets in the national security space. It is the wrong posture for the era of AI-fueled attacks and Russia's target set. Russian privateers, instead of aiming for exquisite access to a handful of crown jewels, desire “good-enough” access to millions of disparate small targets (hospital chains, county water utilities, mid-sized law firms, school districts) where the aggregate financial and psychological damage is high. While U.S. cyber forces focus on pinpoint access against a small set of high‑value systems, Russia’s privateers are built to generate disorder, sabotage and ambient fear across adversaries by hitting a high volume of soft targets. In that world, AI‑driven exploitation of many lightly defended networks is their main strength, well-matched to a strategy that prizes chaos over clean, attributable wins on a few crown jewels.

Active Measures, Automated

The second proposition is that Russia has never treated cyber as a discrete domain. The Soviet-era practice of active measures (influence operations, forgeries, provocations) has been absorbed into a broader contemporary Russian military doctrine of informatsionnoye protivoborstvo, roughly “information struggle,” which fuses cyber intrusion with disinformation, sabotage and coercive signaling into a single campaign. That doctrine is what AI is about to supercharge.

The evidence is already on record. Microsoft and OpenAI disclosed in February 2024 that the GRU's Forest Blizzard unit was using frontier LLMs for open-source research and scripting automation. Meta has called Doppelganger the most persistent Russia‑origin network it has tracked since 2017, including more than 5,000 accounts and pages removed between May and August 2024 alone. Earlier this month, the FBI announced Operation Masquerade, which evicted the same GRU unit from roughly 5,000 compromised home and office routers across 200 organizations that Russia had hijacked for DNS-level espionage since August 2025.

In 2024–25, U.S. and French authorities exposed large‑scale Russian influence operations. The DOJ seized Kremlin‑linked domains and charged RT staff over a $9.7 million Tenet Media scheme, while France’s VIGINUM flagged more than 290 AI‑generated fake news sites, including one pushing a fabricated Tim Walz abuse video (one in a broader Storm-1516 operation that combines synthetic AI content, deepfakes and paid actors) that drew 4.3 million views in its first 24 hours.

Granted, the United States is not entirely absent from this space. The State Department's Global Engagement Center tracked foreign disinformation until its December 2024 closure. Cyber Command runs information operations. The intelligence community periodically surfaces foreign interference in public disclosures. But these American efforts sit downstream of Russian and Iranian doctrine in both scale and integration. Washington treats influence operations largely as a defensive problem to be exposed, and frequently, as a domestic political hot potato. Moscow treats them as a core offensive tool to be wielded in packages with cyber intrusion, criminal proxies and physical sabotage. That asymmetry is doctrinal, and AI widens it in the direction of the side willing to use the tools.

Now layer on the physical dimension. The International Institute for Strategic Studies assesses that Russian sabotage attacks in Europe nearly quadrupled between 2023 and 2024. MI5 Director General Ken McCallum said in October 2024 that "the GRU in particular is on a sustained mission to generate mayhem on British and European streets." In July 2024, incendiary devices concealed as massage pillows ignited at DHL facilities in Leipzig and Birmingham and were intercepted in Warsaw. Germany's then-BfV chief said that had the device fired in flight, "it would have resulted in a crash." In December 2024, Romania's Constitutional Court annulled a presidential election after the ultranationalist pro‑Russian candidate Călin Georgescu led in the first round amid large pro‑Georgescu TikTok amplification networks and more than 85,000 recorded cyber intrusion attempts against election infrastructure.

Restraint Is Asymmetric

The third proposition runs inside the AI systems themselves. U.S. frontier labs are visibly, publicly constrained. Anthropic in May 2025 activated its ASL-3 Deployment Standard (an internal safety tier for models capable of meaningfully helping someone build chemical, biological, radiological or nuclear weapons) with Claude Opus 4. OpenAI maintains its Preparedness Framework and Google DeepMind its Frontier Safety Framework: the industry's other two-tiered safety systems, which likewise restrict models that cross-defined capability thresholds. These companies operate inside U.S. export controls, answer to boards and shareholders, face a press corps and civil society and (the tension Mythos sharpens) are trying simultaneously to field advanced offensive-cyber capabilities for defenders and to deny them to adversaries. Every product decision is a compromise between defense and proliferation.

Russia's AI stack operates under none of these constraints. The July 2024 Yandex split divested its Russian operations for roughly $5.4 billion, leaving YandexGPT and Alice outside Western shareholder, listing and audit structures. In October 2025, the FSB ordered major Russian banks, including Sberbank, to expand law enforcement surveillance systems across their networks by 2027. This architecture makes adversarial use of any Russian AI system by the security services structurally unrefusable. Russia attended none of the international AI safety summits at Bletchley, Seoul or Paris; does not participate in the industry-led Frontier Model Forum; and has no counterpart to the national AI Safety Institutes established in the U.S., U.K. and a dozen other democracies. Domestic Russian investigative journalism that might document abuses has been functionally silenced inside Russia through the 2022 closure of Ekho Moskvy, the crack down on Novaya Gazeta's domestic edition, with its editor-in-chief Dmitry Muratov designated as a foreign agent, and the relocation of TV Rain to Latvia to escape Kremlin censorship. Exile outlets like Meduza, Istories, Proyekt and Novaya Gazeta Europe continue to produce strong investigative reporting, but they face pervasive blocking, foreign-agent designations and no legal leverage over Russian AI firms. Their work informs Western policymakers more than it constrains Moscow.

The restraint gap matters less than it first appears, because Russia does not need to build any frontier models themselves; it just needs to use them. Current evaluations place Russian models (YandexGPT-5 and GigaChat 2.0 MAX) roughly at the capability level of ChatGPT when it first went viral in early 2023—a generation or two behind the current frontier. But current open-source models (Llama 3.1 405B and DeepSeek V3.1) are freely downloadable and irrevocable once released. Russian developers, state contractors and Moscow-adjacent operators can deploy frontier-adjacent capability offline, inside sanctioned infrastructure—with no record of which queries were run, no terms of service to violate and no way for the company that built the model to cut off access. Anthropic's restraint does not bind anyone running open weights, model files that, once downloaded, work offline on the user's own computers and cannot be revoked by the company that released them.

America’s Pre-Mythos Toolkit for a Post-Mythos Adversary

The United States lacks tools built for this Russian adversary. The existing kit (sanctions designations, sealed indictments, bilateral norm-setting, designated off-limits sectors) was designed for a slow, identifiable state adversary running expensive capabilities on a bureaucratic development cycle. It is being fielded against a distributed ecosystem of criminal contractors running AI-accelerated capabilities that can go from instruction to working attack in hours. A Treasury sanctions designation takes months to draft and coordinate, an indictment takes years and a normative framework arguably takes a presidential term (or two). A Mythos-equipped privateer takes a weekend. To be fair, the United States does have real offensive cyber capability and has used it (from Operation Olympic Games against Iran's nuclear program to CYBERCOM's “defend forward” disruption of Russian infrastructure during the 2018 midterms), but American cyber offense remains structured around exquisite operations against high-value targets.

Sanctions have not produced any clear reduction in Russian‑linked cyber activity. The Treasury’s extensive SolarWinds sanctions package in April 2021 was followed by record ransomware losses in 2023. Indictments generate headlines but no extraditions of Russia‑based operators. Mueller’s 2018 GRU charges, the 2020 Sandworm case and later LockBit and Evil Corp indictments all remain unanswered in Moscow. The Biden-Putin Geneva summit's "16 sectors off-limits" formulation produced a two-week pause before REvil's Kaseya attack. Then-FBI Deputy Director Paul Abbate stated plainly in September 2021 that there was “no indication that the Russian government has taken action to crack down on ransomware actors,” adding that “nothing's changed.”

What has changed is the American posture, but in the wrong direction. In late February 2025, according to The Record, NBC and others, Defense Secretary Pete Hegseth ordered U.S. Cyber Command to pause offensive cyber and information-operations planning against Russia, an order the Pentagon publicly denied. At the Paris AI Action Summit that same month, the United States and United Kingdom declined to sign the joint declaration, fracturing the trans-Atlantic governance track. By mid‑2025, the Cybersecurity and Infrastructure Security Agency (CISA) was operating with significant staffing shortfalls, and during the February 2026 government shutdown, senior officials reported that critical mission areas were running well below normal staffing levels. The FY2027 budget blueprint further proposes substantial cuts to CISA’s funding. The July 2025 AI Action Plan is largely silent on state-sponsored AI-augmented offensive operations.

A skeptic might note, fairly, that Russian wartime cyber forces underperformed in Ukraine (as discussed by Jon Bateman), and that (per Erica Lonergan's writing) cyber operations have historically proved unreliable tools of coercion. Both points held pre-Mythos, but in my view, neither now survives it. The constraints Bateman diagnosed (inadequate capacity, weak combined-arms integration, short planning horizons) are precisely what LLM-driven autonomy overcomes, and the underperformance he measured concerned uniformed GRU units, not the criminal proxy ecosystem. Lonergan’s escalation findings rest on the limited coercive leverage cyber operations have typically offered relative to their political aims. But Mythos‑class systems undercut that logic by making high‑impact, low‑cost disruption available on demand to any competent privateer. The ceiling on what a privateer can do with $5’s worth of AI compute access is rising faster than the floor on what Washington is prepared to do about it.

A serious U.S. response would begin with three moves. First, treat ransomware as a sustained national-security problem: mount coordinated and authority-pooled offensive disruption, instead of our current sporadic indictments that land in courthouses whose subpoenas Moscow will not serve. Second, significantly rebuild CISA and CYBERCOM to match the operational tempo that AI-accelerated adversaries will require. And third, stop pretending corporate AI-safety policies can close the restraint asymmetry. Open weights are irrevocable, and Russia is not on anyone's API. The gap can only be closed by export controls, compute governance and harder decisions about open weight releases. Whether any of this is politically doable right now is an open question, but it is one skeptics need to answer quickly, because Moscow is not waiting, and frontier models, unlike privateers, do not extend courtesy deadlines.