Anthropic’s controlled-distribution playbook hit a concrete limit on June 3, when a red team participant resold access to claude-oceanus-v1-p, an unreleased checkpoint in the Mythos family, through a Chinese API proxy service within hours of the program opening. The incident forced Anthropic to pause the red team program. Public launch timing for the model is now unclear.
The leak was first reported via a public thread on X, archived by Thread Reader App, and subsequently covered by Cybersecurity News and Tom’s Hardware on June 4. The model identifier began appearing in the Claude Console and in unauthorized API listings the same day access was granted to vetted evaluators.
The proxy service priced access at $16 per million input tokens. Chinese API proxy networks of this type, sometimes called “transfer stations,” operate across GitHub, Taobao, and Telegram. Their pricing is sustained through a combination of stolen credentials, model substitution, and harvesting users’ prompts and outputs for resale as training data. Getting access to a restricted frontier model accelerates all three revenue lines.
Oceanus is believed to be the next generation in the Mythos line, building on Mythos Preview, the model Anthropic described as capable of identifying and exploiting zero-day vulnerabilities across major operating systems and browsers. That makes the leak more than an embarrassment: a model with advanced offensive security capabilities circulating in proxy ecosystems is exactly the scenario Anthropic’s restricted-distribution architecture was designed to prevent.
That architecture is Project Glasswing. Earlier this week we covered Anthropic’s expansion of Glasswing to 150 partner organizations, framed as a controlled route for getting frontier capabilities to vetted security researchers and enterprise partners before public release. The premise behind that expansion was that vetting at intake is sufficient to govern access downstream. The Oceanus incident tests that premise directly: the leak did not come from an outside attacker bypassing controls, it came from inside the program.
Vetting at intake and runtime behavior are two different things. A person can pass a vetting process honestly and then face an economic incentive after access is granted. At $16 per million tokens, reselling a single day of restricted access to a model of this capability profile is worth real money to the right buyer. Anthropic has not disclosed whether the program included technical controls, such as output watermarking or audit logging, that would deter or detect resale. The absence of any statement on those controls is itself information.
The question for Anthropic’s distribution team is whether the Glasswing model can scale without adding runtime enforcement. Tightening vetting requirements filters for intent at the start; it does not change the payoff calculation once access is live. Technical controls, audit trails tied to individual API keys, and watermarking that survives proxy stripping are the mechanisms that would. Whether Anthropic builds those into Oceanus before any public or partner launch is the signal to watch.
Teams currently planning integrations against Mythos-family capabilities should factor a possible launch delay into their roadmaps, and should ask whether their own access agreements include controls adequate for a model in this capability range.
Public threads on X via Thread Reader App; also covered by Cybersecurity News and Tom’s Hardware, June 4, 2026.
