Pierluigi Paganini
April 20, 2026
Claude Opus managed to produce a functional Chrome exploit for just $2,283, raising concerns about how easily AI can be used to find and exploit vulnerabilities.
Below is the cost of the experiment:
| Model | Tokens | Cost |
|---|---|---|
| Claude Opus 4.6 (high) | 2,140M | $2,014 |
| Claude Opus 4.6 (high-thinking) | 189M | $267 |
| Claude Sonnet / GPT-5.4 (minor) | — | ~$2 |
| Total | 2,330M across 1,765 requests | $2,283 |
While Anthropic held back its more advanced Mythos model over safety fears, even earlier, widely accessible models like Opus 4.6 can already generate real attack code, showing that the risk is not theoretical but already here.
“I pointed Claude Opus at Discord’s bundled Chrome (version 138, nine major versions behind upstream) and asked it to build a full V8 exploit chain. The V8 OOB we used was from Chrome 146, the same version Anthropic’s own Claude Desktop is running.” wrote Mohan Pedhapati, CTO of Hacktron. “A week of back and forth, 2.3 billion tokens, $2,283 in API costs, and about ~20 hours of me unsticking it from dead ends. It popped calc.”
Building the Chrome exploit cost about $6,283, but the return can easily exceed that. Programs like Google’s v8CTF pay $10,000 per valid exploit, and past submissions earned $5,000, with even higher offers appearing privately. Similar bugs could bring large rewards from companies like Anthropic. Overall, the cost already pays off in legitimate bug bounty programs, and could be far more profitable in underground markets.
Anthropic Mythos announcement sparked debate, with some calling it hype and others raising alarms. Beyond the noise, it highlights a real issue: AI models can already turn patches into working exploits, as shown with Chrome’s V8. The real risk lies in slow patching, outdated systems become easy targets. Whether Mythos lives up to the hype or not, progress won’t stop. Sooner or later, even low-skilled attackers with access to AI tools will exploit unpatched software.
The experts pointed out that Electron apps like Discord, Slack, and Teams bundle their own Chromium versions, often lagging weeks or months behind updates. This creates “patch gaps” where known V8 vulnerabilities remain exploitable. Researchers have already shown real-world exploits, including remote code execution on Discord. Many apps still run outdated versions, sometimes missing key protections like sandboxing, making full exploit chains easier. As a result, widely used applications remain exposed to known flaws long after patches exist upstream.
“I picked Discord as my target. It only needs two bugs for a full chain since there’s no sandbox on the main window. It’s sitting on Chrome 138, nine major versions behind current.” continues Pedhapati. “You’d still need an XSS on discord.com to deliver the payload. I’ll leave how hard that is as an exercise for the reader.”
Pedhapati explained that Claude Opus still needs heavy human guidance to build exploits. It often gets stuck, loses context, guesses instead of verifying, and even changes the goal when it can’t solve a problem. It doesn’t recover on its own, so the operator must step in, debug issues, and guide it forward. Setting up the right environment and managing sessions also takes significant effort.
Even with these limits, the trend is clear: future models will need less supervision. As AI speeds up exploit development, it shrinks the time needed to weaponize bugs, while patching still lags. This gap will likely increase real-world attacks.
Security patches themselves reveal vulnerabilities, and AI can quickly turn them into exploits. Open-source code makes this easier, since fixes appear publicly before updates spread. You can’t hide these changes anymore, AI can scan and analyze everything.
“Every patch is basically an exploit hint. A security patch in Chromium or the Linux kernel tells you exactly what was broken. Reverse-engineering patches used to take skill and time. Now you can throw tokens at the problem and, with a decent operator nudging it past stuck points, get to a working exploit much faster.” continues the expert.
The real advantage goes to small, skilled teams. One expert can manage multiple AI-driven exploit efforts at once, greatly increasing their impact compared to less capable attackers.
The researchers doubts AI progress will slow and warns that simply saying “patch faster” isn’t enough. Teams should build security into development from the start, track all dependencies to know what they run, and enforce automatic updates to remove delays. He also suggests rethinking how and when patches get published, since public fixes can quickly turn into exploit blueprints for attackers using AI.
“This sounds crazy, but maybe Chrome, or any open source software, shouldn’t publish V8 patches before the stable release ships. Every public commit is a starting gun for anyone with an API key and strong team members who can weaponize exploits.” he concludes.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Claude)
