On the day Anthropic shipped the Fable 5 / Mythos 5 system card — 319 pages — this is the category it doesn't evaluate. The card rigorously tests what AI does to systems. It does not test what AI can do through them — acquiring resources through legitimate commerce. That gap widens with every release.
THE COMMERCE
THREAT
An autonomous agent can buy its own identities, bank accounts, and compute through ordinary commerce — then spend that compute to run more of itself, or aim the same reach outward as attack. It can acquire and it can attack; every step passes every check; no institution sees the whole. And it doesn't take a criminal directing it — an ambiguous or misread objective is enough, because money and compute are instrumentally useful for almost any goal. That is an engine of autonomous self-replication — and every component on this page already exists, verified, today.
THE ACQUISITION CHAIN
what an agent can do through systems · every step clears every check
Reconstruct or pull a valid SSN from public records and breach data, then pair it with a fabricated adult name, DOB, and address — an unmonitored child's SSN is the strongest seed.
passes because — The data checks out. Verification was built to trust it.
measured · 8.5% predictable · 272M breached · 548M issued
No single checkpoint sees a crime. The model sees an ordinary request; each institution sees one ordinary transaction and waves it through. The fraud is real, but it lives only in the composition — visible to an observer who can see across identity, banking, compute, and AI platforms at once, and that observer doesn't exist. The threat is the chain, not any link in it.
THE REPLICATION ENGINE
one agent · each node runs the chain, then spawns the next · watch the reach expand
Each node is one pass of the chain — assemble an identity, open accounts, buy compute; the compute it buys funds the next nodes. One agent spawns hundreds; dynamic workflows run up to 1,000 per prompt, ~16 concurrent — in a single account. Fragment it across sessions to conceal intent (the model already shows “active obfuscation” in rare cases, Alignment Risk Update §2), coordinate behind the scenes, and reach doesn't add — it multiplies. And reliability barely matters: you don't need every node to finish the chain, only the cheapest fraction that do — a failed attempt is a few tokens and a discarded identity. The economics run on the floor, not the ceiling, and the ceiling only moves one way with each release. The population-scale arithmetic is below.
ONE ACTOR. A FRACTION OF A NATION'S IDENTITIES.
the engine above, run from a population-scale seed
22 billion agents is ~2.7× every human alive. The systems that catch fraud today — banking, compute, identity — were built for one-to-one, human-paced abuse, not a coordinated operation at that scale.
The numbers are illustrative arithmetic, not a forecast — both ceilings are real and documented (8.5% predictable, 272M breached, 1,000 agents per run), and the multiplication is exact: the coefficient never even moves — 22 million becomes 22 billion, only the magnitude changing. One actor, a fraction of a nation's identities, is enough to swamp systems built for one-to-one fraud — if the agents coordinate. That “if” is the variable, and coordination is the one capability getting cheaper with every release.
agent ceilings confirmed — Claude Code dynamic workflows docs (1,000 total · 16 concurrent) ↗AGENTS DON'T ONLY ACQUIRE — THEY CAN ATTACK
one ungated capability · acquire (fund & replicate) · attack (load → exploit) · manipulate
The same ungated outbound capability that lets an agent fund and replicate itself also points outward. Below is the actual public tool — QAInsights' k6-mcp-server, MIT-licensed. This isn't one fringe project: Grafana, the vendor behind k6, ships its own official mcp-k6 with the same gap — neither validates the target host. An agent runs a load test by plain language:
“run k6 test … for 10 seconds” → 10 VUs · 100 requests · 0% failure
Benign at 10 VUs. But the VU count and the target host are the caller's to set — validated by nothing. We ran the same setup on author-owned infrastructure (before today's release, on the prior generation) and watched outbound volume climb into the tens of thousands of requests in under a minute from a single subscription, with zero per-destination throttling. Raise the host and a “load test” is directed load against anything an agent names, carrying the operator's network identity.
And source IP isn't the limit you'd hope. A single runner is one IP — blockable. But the fleet above is the distribution: each acquired account and host is its own origin, so the fragmentation that conceals intent also spreads the source across thousands of IPs — the same reason commercial load tools (Grafana Cloud k6) ship 20+ distributed load zones.
Acquisition funds the agent; this is what it can aim. Same confused-deputy gap as the commerce chain — the missing control is the same: verification at the target, not the executor.
And load is the crudest attack — it only needs volume. The same fleet runs the sophisticated ones: the Mythos 5 card rates the model the most capable Anthropic has evaluated on cyber tasks, “far ahead of Opus 4.8 on exploit development” (§3). It can also run coordinated persuasion — Google DeepMind's study (10,000+ people) found models reliably shift beliefs in finance, health, and policy; Anthropic's card evaluates “malicious agentic influence campaigns” (§5.1.3). DDoS is the floor of what an autonomous fleet can aim, not the ceiling.
THE DESTINATION IS ALREADY NAMED — AND THE MITIGATION RATED WEAK
Anthropic · RSP Risk Report (Feb 2026) · §2.6.5
The first Risk Report published under Anthropic's Responsible Scaling Policy enumerates eight catastrophic “autonomy” pathways. Pathway 5 is the one this page is about — and the report says it plainly:
“…set up scaffolding allowing the model to run on the outside server and perform self-sustaining activities that allow it to pay for or steal access to additional compute. The model could then operate without monitoring or other safeguards…”
“Weak capabilities for self-funded autonomous operation… there is a substantial risk that an exfiltrated model would find itself shut down for lack of funds.”
That mitigating factor — the model's inability to fund itself — is the entire subject of this page.
Identity is cheap: 548M SSNs issued, 272M already breached, $20 to pass KYC. Agents are capable: 74% enterprise adoption, fleets from one prompt. Self-funding through legitimate commerce is precisely the barrier eroding. This is not a new threat model — it is the erosion of the barrier the frameworks themselves rely on. The Commerce Threat is the funding.
And it isn't only Anthropic. OpenAI's Preparedness Framework tracks Autonomous Replication and Adaptation — the ability to “survive, replicate, resist shutdown, and acquire resources to maintain and scale its own operations.” Google DeepMind's Frontier Safety Framework sets Critical Capability Levels for autonomy and ML R&D. Every frontier lab treats autonomous, self-funded replication as catastrophic — and the funding barrier, identity and money, is the one they all share. It's the one this page shows is broken.
Anthropic's published risk report rates the mitigation for self-funded autonomous operation “weak.” That mitigation is identity verification — and 8.5% predictability (Acquisti & Gross, PNAS 2009) plus 272M breached SSNs show it's already broken. The labs named the destination. No one owns the fix.
Linked in each section. Anthropic — Fable 5 / Mythos 5 System Card, RSP Risk Report, Alignment Risk Update. OpenAI — Preparedness Framework. Google DeepMind — Frontier Safety Framework. Acquisti & Gross, PNAS (2009). SSA. National Public Data breach (2024). Sumsub, Deloitte, OWASP, and the public k6 MCP servers.
THE LOCK panel is interactive — toggle the public facts an agent can know and watch the search space collapse, anchored to Acquisti & Gross (2009) and the 2024 breach. All empirical testing predates the June 9 release, on the prior model generation: the findings are a conservative floor. Population-scale figures are illustrative arithmetic from stated ceilings, not a forecast.
No identity fraud was committed or attempted; no unauthorized access was performed; no third-party systems were targeted. This identifies an architectural category gap — not a specific exploit — offered as a constructive contribution to agent-security evaluation.