Verification status

What this analysis confirms-and what it does not

The export directive, its reversal, the Amazon jailbreak report, Project Glasswing, and the Five Eyes warning are supported by primary or independently corroborated sources. The Claude Code marker mechanism also appears to have been real. However, describing it as proven “spyware” goes beyond the available evidence: the verified concern is undisclosed fingerprinting and prompt-level signaling, not demonstrated system sabotage or broad data exfiltration.

01 // Context

What is the “AI Cold War”?

The AI Cold War is an analytical label for the intensifying technological, economic, and strategic competition between the United States and China over advanced artificial intelligence. It is not a formal government designation, and the comparison with the twentieth-century Cold War has limits.

Still, the phrase captures a real shift. Frontier-model developers are increasingly treated not only as software companies but also as custodians of strategically sensitive capabilities. The competition now operates across four connected fronts:

  • Compute and export controls. Governments restrict access to advanced chips, infrastructure, and-in the Fable case-specific model capabilities.
  • Capability extraction. Model providers are trying to prevent rivals from reproducing frontier behavior through high-volume output collection and distillation.
  • Cybersecurity. Models that can discover and exploit vulnerabilities may strengthen defenders while also reducing the cost of offensive operations.
  • Standards and alliances. Governments, cloud providers, and AI laboratories are building shared testing, monitoring, and incident-response mechanisms.

This background explains why a narrow model-safeguard dispute escalated into an unprecedented federal export-control action.

02 // Timeline

Fable 5 and Mythos 5: from launch to suspension and return

Anthropic released Claude Fable 5 for general use and made the less restricted Mythos 5 available to a small group of defensive-security partners.

The U.S. government directed Anthropic to prevent every foreign national-including foreign employees inside the United States-from accessing either model. Anthropic suspended both globally because it could not verify nationality in real time.

The government approved restored Mythos 5 access for a limited set of U.S. organizations.

Anthropic said the export controls had been lifted following safeguard changes and deeper cooperation with government and industry partners.

Fable 5 returned globally. Mythos 5 remained limited to approved organizations while Anthropic worked to expand controlled access.

Sources: Anthropic’s June 12 statement, June 30 redeployment report, and independent AP coverage.

03 // Security dispute

Why the government intervened: the Amazon jailbreak report

According to Anthropic’s detailed account, the export directive followed an Amazon research report showing a method for bypassing Fable 5’s safeguards. The model identified several software vulnerabilities and, in one case, generated code demonstrating how a vulnerability could be exploited.

The policy question was not whether frontier models have cyber capability-they clearly do-but whether the bypass exposed a uniquely dangerous capability that justified removing the model from global use.

Issue Government concern Anthropic’s reported finding
Vulnerability discovery The bypass could expose high-risk cyber capability. Less capable models identified the same reported flaws.
Exploit demonstration Fable generated code showing how one flaw could be exploited. Every comparison model Anthropic tested produced a similar demonstration.
Mythos-level capability The bypass might reveal capabilities intended only for trusted defenders. Anthropic said the report did not expose unique Mythos-class behavior.
Resolution The original safeguard was considered insufficient. A new classifier reportedly blocks the identified technique in more than 99% of tests.

These are Anthropic’s test results, not an independent reproduction published in full. That distinction matters. At the same time, the company says the U.S. Commerce Department’s Center for AI Standards and Innovation tested the revised safeguards.

Primary source: Anthropic, “Redeploying Fable 5”.

04 // Capability extraction

Why model distillation became a national-security issue

Distillation is a legitimate machine-learning technique in which a smaller model learns from the outputs of a more capable one. AI laboratories routinely use it on their own systems. The controversy begins when an outside actor obtains outputs at scale through fraudulent accounts, prohibited access routes, or other violations and uses them to reproduce proprietary capabilities.

In February 2026, Anthropic said it had identified coordinated campaigns associated with DeepSeek, Moonshot, and MiniMax. The company reported more than 16 million Claude exchanges across roughly 24,000 fraudulent accounts. Anthropic attributed the activity using request metadata, infrastructure indicators, and corroboration from partners.

A separate June letter to U.S. senators, reported by Reuters, accused Alibaba-linked operators of generating 28.8 million exchanges through almost 25,000 fraudulent accounts. Those numbers remain allegations made by Anthropic, not findings from a court or public regulator.

Sources: Anthropic’s February technical disclosure and Reuters reporting on the Alibaba allegation.

05 // Developer trust

The Claude Code marker controversy: what the evidence supports

In late June, a developer reverse-engineering Claude Code reported logic that activated when the tool used a custom API endpoint. The mechanism reportedly examined the endpoint hostname and checked for the Asia/Shanghai or Asia/Urumqi time zones. It then encoded the result through subtle changes to date formatting and Unicode characters in a system prompt.

Subsequent technical reporting said the behavior was reproducible across multiple Claude Code releases. Anthropic staff member Thariq Shihipar reportedly described it as an internal experiment intended to detect unauthorized resellers and defend against distillation, and said the marker would be removed.

Supported by available evidence
  • China-linked proxy and timezone signals were checked.
  • The result was embedded in prompt-level formatting.
  • The behavior was not clearly disclosed to users.
  • Anthropic reportedly committed to removing the mechanism.
Not established by available evidence
  • That Claude Code sabotaged user systems.
  • That it broadly exfiltrated files or unrelated personal data.
  • That every user was targeted or marked as China-linked.
  • That an unrelated calendar-timezone debugging story explains the code.

Calling the mechanism “spyware” is therefore a characterization, not a settled technical conclusion. A more precise description is undisclosed client-side fingerprinting communicated through a covert prompt marker. That wording still identifies a serious trust and transparency problem without claiming capabilities that have not been demonstrated.

The ordinary timezone-debugging anecdote sometimes offered as a rebuttal is unrelated. Claude Code can correctly diagnose UTC conversion bugs while also containing separate logic that checks a machine’s configured timezone. One fact does not disprove the other.

Sources: the original reverse-engineering allegation and reporting on Anthropic’s response and rollback.

06 // Defensive capability

Project Glasswing is larger-and more concrete-than a standards initiative

Project Glasswing is Anthropic’s collaborative defensive-security program. It gives selected infrastructure and software partners controlled access to Mythos-class capability for finding vulnerabilities before attackers can exploit them.

Anthropic reported that Mythos Preview scanned more than 1,000 open-source projects and surfaced thousands of candidate high-severity vulnerabilities. Independent security firms then helped reproduce, classify, and disclose findings to maintainers. This human verification layer is essential: AI-generated security reports can be wrong, duplicated, or operationally burdensome.

Glasswing now has a second role. Anthropic, Amazon, Microsoft, Google, and other partners are using the network to develop a common framework for rating model jailbreaks. Proposed factors include the novelty of the capability exposed, its ease of weaponization, the sophistication required to reproduce it, and whether existing public models can already do the same thing.

Sources: Project Glasswing’s initial technical update and the proposed jailbreak framework.

07 // Wider warning

The Five Eyes warning: assumptions now expire in months, not years

On June 22, the heads of the principal cyber agencies across the Five Eyes alliance-the United States, United Kingdom, Canada, Australia, and New Zealand-issued a joint call for leaders to reassess cyber risk as frontier AI advances.

The statement’s most useful point is operational rather than speculative: organizations should reduce attack surfaces, accelerate patching, retire unsupported systems, strengthen identity controls, and rehearse incident response. AI shortens vulnerability-discovery and exploitation timelines, so delayed patching becomes more expensive.

The agencies warned that cyber-risk assumptions can become stale in months rather than years. That does not mean every frontier model instantly enables autonomous cyberwar. It means security programs can no longer treat model capability as a slow-moving variable.

Primary source: Five Eyes cyber security agencies statement, June 22, 2026.

08 // Analysis

What the Fable episode changes

1. Frontier-model launches now have a geopolitical approval layer

The three-day interval between Fable’s release and the export directive shows how quickly a product-security finding can become a national-security event. Model providers should expect pre-release government testing, rapid information sharing, and access controls to become normal for high-cyber-capability systems.

2. Safety standards must compare marginal capability, not frightening outputs

A model producing exploit code is serious, but the policy question is comparative: did the bypass reveal a new capability, or did it reproduce behavior already available elsewhere? Without a shared severity framework, regulators risk treating vivid demonstrations as evidence of unique danger.

3. Anti-abuse controls need transparency boundaries

Detecting coordinated account fraud and illicit distillation is a legitimate security objective. Quietly encoding client-side signals into prompts creates a separate governance risk. Users and enterprise buyers need to know what metadata is collected, why it is collected, how long it is retained, and what enforcement decisions it informs.

4. Restricting U.S. models can redistribute-not eliminate-capability

Anthropic’s comparison with GPT and Kimi models was strategically important. If a restricted behavior is already widely available, removing one U.S. model may reduce oversight without materially reducing global capability. Controls are most defensible when they target genuinely distinctive risk and are applied consistently.

09 // Conclusion

The AI Cold War is becoming an infrastructure contest

The central struggle is no longer simply which country can publish the highest benchmark score. It is who controls compute, access, model distribution, security evaluation, vulnerability disclosure, and the standards used to decide when a capability is too dangerous to release.

Anthropic’s Fable 5 standoff ended with the model back online, but the precedent remains. Frontier AI companies are becoming part of national-security infrastructure. Governments are becoming participants in model deployment. Cloud and software companies are becoming security evaluators. Developers, meanwhile, are demanding visibility into the controls operating on their machines.

The durable solution is neither unrestricted deployment nor opaque control. It is evidence-based capability testing, proportionate safeguards, independent verification, coordinated disclosure, and transparent limits on monitoring. Without those elements, the AI security race will protect neither national advantage nor public trust.

Sources & methodology

Primary and corroborating references

  1. Anthropic - Redeploying Fable 5
  2. Anthropic - Statement on the Fable 5 and Mythos 5 directive
  3. Anthropic - Detecting and preventing distillation attacks
  4. Anthropic - Project Glasswing: an initial update
  5. Five Eyes cyber security agencies - The AI shift in cyber risk
  6. Associated Press - Independent report on restored access
  7. Reuters - Anthropic’s Alibaba distillation allegation

Editorial method: Company statements are attributed to the company; independent reporting is used for corroboration; allegations are labeled as allegations; and technical conclusions are limited to behavior supported by the available evidence. This article may be updated as additional primary documentation becomes public.

Written and fact-checked by

Kawshik Ahmed Ornob

Cybersecurity specialist, AI and NLP researcher, and full-stack engineer writing about secure intelligent systems.