By Sleepy
Someone used Claude Opus 4.8 to find a bug that caused a cryptocurrency's market cap to evaporate by $4.5 billion.
The story began with a security audit. Zcash is an established privacy network that uses zero-knowledge proofs to protect transaction information, and Orchard is the core component of its privacy transaction capabilities.
On May 29, security researcher Taylor Hornby discovered a critical vulnerability in Orchard during a protocol audit commissioned by Shielded Labs, allowing attackers to create tokens out of thin air—an "infinite minting" flaw.
Zcash completed an emergency upgrade within days, and the official team confirmed the vulnerability existed but could not determine whether anyone had exploited it to mint additional tokens. After the official statement was released on June 5, Zcash plummeted by 50%.
Anthropic's Opus 4.8 was released on May 28, and the vulnerability was discovered the next day.
Not Mythos, it's Opus.
This Zcash incident is terrifying—not because AI is powerful, but because the AI involved this time was so ordinary.
Before this, the security industry was truly alarmed by Anthropic’s Claude Mythos Preview. In April 2026, Anthropic released a cybersecurity capability assessment stating that Mythos Preview could identify and exploit zero-day vulnerabilities in mainstream operating systems and browsers—some so well hidden they had lain dormant for over a decade, including an OpenBSD bug traceable back 27 years.
The assessment also said that an engineer without a security background could let Mythos Preview run overnight to search for remote code execution vulnerabilities, and upon waking the next day, find a complete, working set of attack code.
This means a capability that was once accessible only to a select few over the long term is now becoming a service available to anyone at any time. The capability itself is neutral—the difference lies only in who is using it and for what purpose.
Anthropic itself understands this. That’s why it launched Project Glasswing, initially providing the Mythos Preview to a small group of organizations for defensive security work. It also acknowledges that models at this level require stronger safeguards and stricter usage constraints before being made available to everyone.

In the Zcash case, the researcher was not using the still-locked Mythos, but Opus 4.8: a model that has already been released, is generally available, and is already integrated into everyday workflows.
AI has entered the security field, enabling small teams to achieve the auditing capabilities of large teams. It helps maintainers find bugs faster and allows attackers to understand systems more quickly.
Moreover, the most dangerous model isn't necessarily the strongest one, but rather a model that is strong enough, cheap enough, and widespread enough.
The more common the model, the more people can pick it up. So the question is no longer whether AI can find vulnerabilities, but: what happens when everyone can?
When finding bugs becomes a mass movement
After AI makes vulnerability discovery cheaper, two things will emerge.
One type is fake—numerous security reports that appear credible but fail under scrutiny. The other is genuine—vulnerabilities that previously lay hidden deep within systems, requiring experts weeks or even months to uncover, are now being discovered much faster.
The former will overwhelm the maintainers, while the latter will break the system. Worse still, they will arrive simultaneously.
Cybersecurity originally had an ideal narrative: white-hat hackers discover vulnerabilities, responsibly disclose them, vendors fix them, and users benefit.
In the past, the world often operated according to this narrative. But now that AI has lowered the barrier to “finding vulnerabilities,” and anyone can use publicly available models to hunt for bugs, a flood of people—motivated by bounties and reputation—have entered the scene. Many of them simply copy a prompt, let the model generate a report that looks credible, and submit it—even if the report isn’t real.
But regardless of whether it's true or not, the maintainers must take it seriously.

In February 2026, the OpenSSF held a discussion on "AI-generated noise reports," specifically examining how open source maintainers can respond to low-quality, AI-generated vulnerability reports. Curl reported that by mid-2025, only about 5% of bounty submissions were genuine vulnerabilities, with approximately 20% appearing to be low-quality, AI-generated content. The OpenSSF stated that such reports are akin to DDoS attacks, except they target human attention.
Open source maintainers are not a customer service center. Many of them receive no salary, have no security team, and no shift schedule. Yet a single project might be supporting countless commercial systems worldwide—companies that save enormous costs by relying on open source may not pay maintainers a single cent; but when something goes wrong, they all turn around and ask why you didn’t fix it sooner.
curl later shut down its bug bounty program because it became unsustainable. Security reports were meant to be part of the defense line, but when flooded with spam, this line ended up draining the people behind it.
AI has given more people the ability to submit vulnerability reports, but not more people the ability to judge whether those vulnerabilities are real. Being able to generate a report with a model doesn’t mean you can understand it; being able to run a verification script doesn’t mean you can explain how severe its impact truly is.
And more critically, we actually live in a world where AI can truly uncover countless vulnerabilities.
Our past safety was just luck.
The greatest illusion the internet gives people is that if something runs, it must be reliable.
Your phone can make payments, the subway lets you scan codes, and hospitals allow online appointments; your cloud storage even holds a photo from ten years ago—you’ve forgotten about it, but it hasn’t. These things work every day, so we assume they’re flawless. People’s trust in technology is often not trust at all—it’s just laziness to question.
The codebase is like an old building constantly being added onto—buried beneath are outdated protocols and libraries, stacked on top are temporary requirements and “ship it first, fix later” patches, and at the very top sits legacy code no one dares to delete. The lights are on, the elevator still runs up and down, and maintenance claims everything is fine. But no one knows if there are cracks inside the walls.

Heartbleed is a classic example. A missing bounds check in OpenSSL’s TLS heartbeat extension let anyone who could reach a server read up to 64 KB of its process memory per request, including private keys and passwords, and the bug wasn’t discovered or patched until April 2014. For roughly two years before that it sat undetected in a library that the web servers behind more than 60% of active websites worldwide depended on. For two years, more than half the internet was essentially exposed, and no one knew.
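To make concrete how small the defect behind Heartbleed was, here is an added illustration in C. It is not OpenSSL’s code and not from the original article: it models a heartbeat message in the RFC 6520 layout (type byte, two-byte big-endian payload length, payload, at least 16 bytes of padding), places a constructed request in front of a constructed secret string inside one buffer, and shows the vulnerable handler echoing the secret while the hardened handler discards the malformed request. The function names, the secret, and the 128-byte "server memory" are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of a TLS heartbeat message (RFC 6520 layout), not OpenSSL's
 * code: [type:1][payload_length:2, big-endian][payload][padding >= 16 bytes]. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16
#define HB_HEADER      3
#define HB_MAX_PAYLOAD 65535

/* Vulnerable shape: the length the peer claims drives the memcpy and the
 * record's real length is never consulted, so a short record with a large
 * claimed length copies whatever sits after it in memory into the reply. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                   /* the bug: never checked */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);   /* over-read */
    return HB_HEADER + payload_len;
}

/* Hardened shape, matching what the 2014 fix added: discard any record whose
 * claimed payload plus header and minimum padding does not fit in the record. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;  /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + (size_t)payload_len + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    return HB_HEADER + payload_len;
}

/* Constructed secret standing in for key material that happens to sit next
 * to the request buffer on the heap. */
static const char SECRET[] = "-----BEGIN PRIVATE KEY-----";

/* Constructed scenario: one "server memory" array in which a 7-byte request
 * (claiming a 64-byte payload but carrying only "ping") sits directly in
 * front of SECRET. Returns 1 if any secret bytes come back in the reply.
 * Staying inside one array keeps the over-read well-defined for the demo;
 * on a real server the same copy walks into neighbouring heap allocations. */
int demo_leaks_secret(int use_fixed)
{
    uint8_t server_mem[128] = {0};
    static uint8_t reply[HB_HEADER + HB_MAX_PAYLOAD];
    const uint8_t req[] = { HB_REQUEST, 0x00, 0x40, 'p', 'i', 'n', 'g' };

    memcpy(server_mem, req, sizeof req);
    memcpy(server_mem + sizeof req, SECRET, sizeof SECRET - 1);

    size_t n = use_fixed ? heartbeat_fixed(server_mem, sizeof req, reply)
                         : heartbeat_vulnerable(server_mem, sizeof req, reply);
    if (n == 0) return 0;                            /* discarded: nothing leaked */
    /* "ping" occupies the first 4 payload bytes; the secret follows it. */
    return memcmp(reply + HB_HEADER + 4, SECRET, sizeof SECRET - 1) == 0;
}

/* A well-formed request (4-byte payload plus 16 bytes of padding) must still
 * be answered by the hardened handler. Returns 1 on a correct echo. */
int demo_valid_request_answered(void)
{
    uint8_t req[HB_HEADER + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t reply[64];
    size_t n = heartbeat_fixed(req, sizeof req, reply);
    return n == HB_HEADER + 4 && reply[0] == HB_RESPONSE
        && memcmp(reply + HB_HEADER, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", demo_leaks_secret(1));
    printf("fixed handler answers valid req: %d\n", demo_valid_request_answered());
    return 0;
}
```

The whole difference between the two handlers is one comparison of a peer-supplied length against the length of the record actually received. That is the kind of defect that reads as correct at a glance, passes every functional test, and waits for someone willing to look at it with an attacker’s question in mind: what if the two lengths disagree?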
There's also Baron Samedit in sudo, a heap-based buffer overflow (CVE-2021-3156) that let any local user gain root. When Qualys disclosed it in 2021, they noted that the bug had been present in sudo for nearly a decade, and sudo is one of the most commonly used privilege-management tools in the Unix/Linux world.
There are many similar examples. When viewed together, it suddenly becomes clear how fortunate we are to have been able to surf the internet safely until today.
Why weren't these vulnerabilities discovered sooner?
The answer is simple: the cost of finding vulnerabilities is too high.
Cost isn't just money—it's also time and patience. You need to read code, set up environments, understand protocols, reproduce edge cases, write verification code, assess impact, and distinguish real issues from false positives. Sometimes programs run all night with no results, only to reach a dead end and realize the path is impossible. In reality, security researchers and hackers often spend their time wrestling with a mountain of fragmented details.
Many vulnerabilities remained hidden for so long not because they were mysterious, but because there were too few people willing, capable, and persistent enough to keep looking.
What AI changes is precisely this cost structure.
In the past, there were too many dark corners and too few flashlights. Now, flashlights are starting to be mass-produced.
The same flashlight that reveals cracks also reveals where to strike. The moment it makes “discovery” cheap, it simultaneously makes “attack” cheap. Today, someone might use it to submit a low-quality report to an open-source project; tomorrow, they could use the same method to scan a company’s system. Today, they’re focused on bug bounties; tomorrow, they might be eyeing funds on the chain.
Behind seamless internet access
Before something actually goes wrong, we don’t feel the presence of “internet security.”
You open Alipay, scan the code, make the payment, and the funds arrive—all in less than three seconds. You don’t think about the countless risk control rules, device fingerprints, behavioral recognition systems, anti-fraud measures, vulnerability responses, and emergency protocols working behind the scenes.
In May 2026, the Ant Security Response Center (AntSRC) launched a "Hunter Operation" vulnerability reward program, covering services such as Alipay, Huabei, Jiebei, Ant Wealth, MyBank, Ant Digital Technologies, and Ant International. For high-risk and critical vulnerabilities in payment transaction, fund, and billing products, rewards of up to 5 times the standard rate—reaching 71,500 RMB—were offered.
Large companies also understand that they cannot rely solely on their internal teams to identify all issues, so they must integrate external white-hat hackers into their formal processes. Security is more like a long chain of collaboration: someone discovers an attack, someone else verifies and classifies it, someone fixes it, someone releases the patch, and someone must specifically monitor to ensure legitimate users aren’t harmed. If any link in this chain breaks, the entire system fails.
According to Alibaba Cloud's Security Posture Report for October 2025, the cloud platform defended against an average of 6.245 billion attacks per day for its customers and blocked 27,500 malicious IPs. During the month, it monitored and intercepted 102,800 DDoS attacks, with a peak bandwidth of 2,100 Gbps.

What we commonly refer to as “browsing normally” is actually a narrow path that security engineers have fought for us amid a sea of anomalies. The internet has never been quiet.
Open source maintainers have no budget, no schedule, and no emergency team; large companies can buy these things. But even large companies can only suppress anomalies to the point where ordinary users don’t notice them, through a long chain of human collaboration.
This long and fragile chain of collaboration was already operating at full capacity before AI became widely involved. Now, with double the vulnerabilities and double the reports being added, are the defenders on this end enough?
Who fixes the vulnerability after it’s found?
ISC2’s 2024 Cybersecurity Workforce Report estimates that there are approximately 5.5 million cybersecurity professionals currently working globally, with a talent gap of 4.8 million, representing a 19% year-over-year increase. It specifically explains that this "gap" is not merely the number of open positions listed on job boards, but the difference between the number of professionals organizations believe they need to be adequately protected and the number actually available.
The meaning of these numbers is simple: there are many vulnerabilities and not enough people.
And it’s not just a shortage of people—it’s a shortage of people capable of handling complex tasks. ISC2 also noted that 67% of respondents reported a cybersecurity staffing shortage in their organizations, and 58% believe this shortage exposes their organizations to significant risk. Thirty-one percent said their security teams have no entry-level staff, and 15% reported having no junior staff with 1–3 years of experience. Many organizations not only lack personnel but also lack pipelines to cultivate the next generation.
This is more problematic than not being able to hire anyone. Not being able to hire is today’s issue; lacking junior staff means you won’t be able to hire anyone in the future either.

China’s “Report on Talent Development in the Cybersecurity Industry in the AI Era” also provides a set of data: in 2025, 46.2% of surveyed professionals reported an annual pre-tax salary between 200,000 and 300,000 RMB. The market is willing to pay for mid-level talent because individuals who can truly handle complex threats and make sound decisions during incidents are extremely scarce. The report also shows that 56.5% of professionals stated that AI has enabled them to focus more on analyzing complex threats, while 33.0% indicated they are transitioning from execution roles to strategic planning.
This is very important.
What we most lack right now are people who can wake up at 3 a.m., understand a vulnerability, assess its impact, coordinate across teams, and write a patch. Security has never been about sudden flashes of brilliance—it’s dirty, grueling work. Break down the term “cybersecurity,” and you’ll find nothing but false positives, taking the blame, endless patches, endless meetings, and that phone call that wakes you up at three in the morning.
The plague bacterium has never disappeared.
Camus wrote a novel called "The Plague."
The story takes place in an ordinary small city in North Africa. A plague suddenly breaks out, the city gates are closed, and everyone is trapped inside. Daily life shatters overnight. At first, people panic; then they become numb; eventually, they grow accustomed to it. Only when the plague finally subsides and the gates reopen do laughter and joy return to the streets.
At the end of the novel, Camus wrote: “According to medical records, the plague bacillus never dies or disappears entirely; it can survive for decades in furniture, clothing, and bedding; it waits patiently in rooms, cellars, suitcases, handkerchiefs, and scraps of paper. Perhaps one day, the plague will rouse its rats once more to perish in some happy city, bringing suffering upon people again and forcing them to learn the lessons anew.”
I've always felt that this phrase is perfect for describing network vulnerabilities.
It wasn't born on the day it was discovered. It had long been lying in the code, its breath unheard by anyone, so we mistook silence for safety.
The daily routines we’ve come to accept without question all run on code. That code carries old debts—debts that weren’t urgently repaid because there were few demanding payment. But now that AI has arrived, the number of those demanding payment has suddenly increased.
What’s frightening isn’t just that hackers will increase in number. On the other side of the system, the people handling these issues haven’t increased proportionally.
This is the most challenging aspect of the AI safety era: capabilities spread on their own, but responsibility does not; discovering a vulnerability is becoming cheaper, yet fixing it remains as expensive as ever. Destruction can be replicated infinitely through scripts, but trust can only be slowly rebuilt, one system and one team at a time.
AI won’t destroy the internet overnight. What it does is more like turning on the light. We finally see that digital life has never been an automatic, natural order—but rather a group of people day after day lowering risks to the point where we no longer notice them.
What will truly become expensive in the future is not finding vulnerabilities, but whether there are still enough people willing to fix them one by one.
