Mythos, Glasswing, and Why We Built What We Built

QPQ AG | 14 April 2026

Greg Chew


On 7 April 2026, Anthropic announced Claude Mythos Preview and Project Glasswing. On 13 April 2026, the Cloud Security Alliance, SANS, OWASP, and contributors from across the senior tier of the global security establishment published a response framework for the broader industry. Both announcements are relevant to what QPQ has built and why we built it.

What Mythos Is

Mythos is a general-purpose AI model not specifically trained for cybersecurity. Its vulnerability discovery capabilities emerged from general improvements in code, reasoning, and autonomy.[1] In testing, Mythos fully autonomously identified and exploited a 27-year-old vulnerability in OpenBSD, allowing an attacker to remotely crash any machine running the operating system simply by connecting to it. No human was involved after the initial instruction. Across every major operating system and browser in production use, the model found thousands of previously unknown vulnerabilities. Internal testing cited in the security community’s response showed it generating 181 working exploits against Firefox where the previous generation of capable models succeeded twice.[2]

What Project Glasswing Is

Confronted with what Mythos could do, Anthropic did not release it. They gave approximately 50 organisations – AWS, Apple, Cisco, Microsoft, Google, JPMorganChase, the Linux Foundation, and others managing critical software infrastructure – early access so they could scan their own systems before comparable capability becomes broadly available.[1] Comparable capability at frontier labs is expected within months; open-weight models accessible to anyone, within a year.


The Architectural Problem Mythos Has Proved

The Internet of Data works because information can be copied. Redundancy is the feature: data cached, retransmitted, reconstructed across nodes. Every packet lost can be resent. The architecture is brilliant at what it does. A payment that can be replicated is not a payment – it is a vulnerability. A title of ownership that exists in two places simultaneously is not ownership. Every attempt to transmit value across the Internet of Data requires a trusted intermediary whose sole function is to maintain a single authoritative record of who has what, because the network was designed for copying, and copying is precisely what must not happen. The intermediary is not an inefficiency – it is the architectural patch for a fundamental mismatch between what the internet was built to carry and what economic exchange requires.

The financial system has been conducting economic activity – authentication, payment authorisation, credential management, sensitive data transmission – over an infrastructure designed to carry information. This was not a choice. No alternative existed. It is a structural consequence of building value exchange on top of a network designed for copying: every bank, every payment processor, every financial application runs on browsers, on operating systems, on software dependency chains that carry credentials over connected networks.

Anthropic’s Mythos model has demonstrated what this means in operational fact: those connected systems can now be scanned and exploited at machine speed, systematically and at scale. Every authentication system your institution operates, every payment credential your platform holds, every API key in your software stack sits within a comprehensively exploitable vulnerability class.

The Web Was Never Designed to Carry Economic Value. Post-Quantum, Post-AI, It Cannot.


What the Security Establishment’s Response Prescribes

The joint briefing published on 13 April 2026 sets out eleven priority actions. Their core logic: deploy AI defensively to find your vulnerabilities before attackers do, harden your environment, and build a permanent VulnOps capability for continuous autonomous vulnerability discovery and remediation.

The prescription has a structural problem the document acknowledges directly. It lists “Unmanaged AI Agent Attack Surface” as CRITICAL: “Agents are necessary to counter AI-speed threats, but they are privileged, insecure by default, and not covered by existing security controls.”[2] No mention here of the tendency of AI agents to hallucinate – evidence shows they do so to a significant degree – fine if you are an attacker for whom there is no loss in a failed attack; not so good for a defender who cannot fail once.

The document is also honest about the human cost: “Burnout and attrition in security functions represent a direct operational risk.”[2]

Long-term planning horizon recommended: 90 days.

Here are the assumptions built into every one of the eleven actions.

  • There is an external dependency tree to scan.
  • There is a browser execution environment to harden.
  • There are cryptographic keys on connected devices to protect.
  • There are credentials that can be made phishing-resistant.

The prescription offered is rather more aligned to what those involved have to offer, in much the same way that if you ask a surgeon whether to cut or to medicate, they will more often than not prescribe to cut – there is a solution bias driven by their knowledge and skillset. For organisations where the attack surface is genuinely given, the recommendations are correct.

This official response – patch faster, follow best practice – assumes defenders have time to respond. Ciaran Martin, former head of the UK’s National Cyber Security Centre, stated the condition precisely: the timeline for finding and fixing vulnerabilities collapses to seconds, minutes and hours, rather than days, months or years.[6] The assumption is no longer valid. None of them are.


The Two Domains That Must Be Separated

The Internet of Data – browsing, research, communication, information – operates on the existing internet. It works for its purpose and needs no redesign.

The Internet of Economics – financial authorisation, payment, identity, sensitive credential transmission – requires a structurally separated architecture. One in which the data that Mythos would target is never placed on connected systems in the first place.

The solution is not more defence in depth, more dependency auditing, more AI agents to defend against yet more AI agents. It is to remove those attack surfaces altogether. Separate the signing and execution context – you cannot reach the sensitive data because it is not on the connected system. Build from scratch. Dependency chains that no human can fully audit cannot be made safe by AI agents that hallucinate.

Building the Internet of Economics

QPQ is building the Gajumaru blockchain – the resource layer that makes the Internet of Economics possible: a layer on which value can be transmitted with the same freedom that information moves today, without the intermediary patch. The moment you build for that, the security architecture has to change categorically. The thing being carried cannot be reconstructed if lost, cannot be allowed to exist in two places, and cannot be entrusted to a system that tolerates copying. That different engineering requirement is why the architecture described below looks nothing like what the CSA document assumes.

Removing the dependency supply chain

GajuMobile and GajuDesk were written from scratch, in-house, with zero external dependencies. Every line of code was written by QPQ engineers. The September 2025 NPM supply chain attack, which compromised 18 packages with over two billion combined weekly downloads and planted malware to redirect cryptocurrency transactions,[5] had no relevance to QPQ’s wallet stack because QPQ’s wallet stack has no connection to that supply chain. When Craig Everett, QPQ’s CPO, and Peter Harpending investigated how MetaMask handled NPM security, they found LavaMoat: a JavaScript sandbox written in JavaScript, running inside the JavaScript environment it was attempting to make safe. We described it at the time as:

“Their security concept is: instead of taking this really complicated situation and simplifying it so it’s understandable and tractable, they made it more complicated by writing inside a dangerous context a runtime that they claim is going to be safe in the dangerous context. With no guarantee.”

For the full video, click here:
NPM Supply Chain Hack, Unserious Crypto, Serious Gajumaru Full

Departing the browser execution environment

QPQ also refused to conflate the signing and operation environments. Entirely. GajuMobile and GajuDesk are genuinely native applications – built without web-rendering frameworks such as Electron, which is how many nominally desktop applications are actually constructed and which reintroduces the full browser execution environment and its attack surface behind a desktop icon. The attack vectors that originate in browser plugin architecture do not apply. The applications are also securely authenticated at the user level before any wallet function is accessible, as described in the GRIDS section below.

GRIDS: Gajumaru Remote Instruction Dispatch and Serialisation

GRIDS is a dead-drop signature protocol. The device that holds private keys is physically separated from the device that connects to the internet. They communicate only optically, via QR code. The internet-connected device – the one Mythos would scan – never has the keys. Not in transit. Not briefly. Not at all.

How it works

  1. The connected device generates a transaction or authentication request, encoded as a GRIDS URL or QR code.
  2. This is passed – via URL paste or optical scan – to the signing device. No network connection between the two contexts.
  3. The signing device decodes the request, displays what is being signed, and awaits approval.
  4. The user approves. The signing device signs cryptographically and returns the response.
  5. The connected device receives cryptographic proof. No credentials. No keys. No sensitive data transited the connected layer.

There is no login. There is no password. There is no web socket exposure. Mythos scans the connected infrastructure and finds no financial credentials, because the credentials are not there.
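
The five steps above, as an added sketch that is not QPQ's code and not the GRIDS wire format. The `example-grids://` URL layout, the JSON fields and every function name are assumptions made for illustration, and a Lamport one-time signature built from SHA-256 stands in for whatever signature scheme the signing device actually uses.

```python
import base64, hashlib, json, secrets

def H(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signature (stand-in scheme): one key pair signs ONE request.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return sk, pk  # sk stays on the signing device; pk is safe to publish

def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))

def payload_of(url):
    return base64.urlsafe_b64decode(url.split("req=", 1)[1])

def make_request(action, params):
    """Step 1, connected device: holds no key, only describes what to sign."""
    req = {"action": action, "params": params, "nonce": secrets.token_hex(16)}
    raw = json.dumps(req, sort_keys=True, separators=(",", ":")).encode()
    return "example-grids://sign?req=" + base64.urlsafe_b64encode(raw).decode()

def signing_device(url, sk, approve):
    """Steps 2-4, offline device: decode, display, sign only if approved."""
    raw = payload_of(url)
    if not approve(json.loads(raw)):   # approve() models the user's decision
        return None
    return sign(sk, raw)

def accept_response(url, pk, sig):
    """Step 5, connected device: accept proof only for the request it issued."""
    return sig is not None and verify(pk, payload_of(url), sig)

if __name__ == "__main__":
    sk, pk = keygen()
    url = make_request("transfer", {"to": "constructed-recipient", "amount": 5})
    sig = signing_device(url, sk, approve=lambda r: r["params"]["amount"] <= 10)
    print(url[:48], "... accepted:", accept_response(url, pk, sig))
```

The per-request nonce is what binds a returned signature to one specific request, so a signature captured for one request does not verify against another.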

▶ Full briefing with live demo, under 7 minutes:
No Login. No Password. No Attack Surface. — GRIDS Live Demo

▶ Operational walkthrough:
No Account. No Password. No Database to Hack. This Is How Authentication Should Work.

▶ Full Technical Reference:
Un-White Paper

What Is Available and When

What GRIDS eliminates, and when, depends on which stage of the hardware programme is in place.

Stage 1: Operational Now – Open Sourced. 

GajuDesk (desktop, deployed, operational, all platforms) and GajuMobile (iOS and Android, releasing Q2 2026) implement GRIDS using the device’s hardware security enclave. Every line of code is written in-house with zero external software dependencies. Open source under GPL3, auditable by any government or agency, and available at no cost to any institution that chooses to implement it. At Stage 1, keys are stored in hardware isolation within the device’s secure enclave and cannot be extracted; signatures are performed inside the hardware. The device itself may be network-connected, which is why Stage 1 is correctly described as probably secure rather than definitely secure. QPQ did not manufacture those devices, and hardware supply chain provenance is an attack vector at sufficient adversary capability. That “probably” is honest and it motivates Stage 2.

Stage 2: GRIDS Hardware Wallet – In Development. 

A dedicated, air-gapped signing device with no network connection of any kind: no Wi-Fi, no Bluetooth, no NFC, no cellular radio. The only communication channel is optical: QR codes displayed on its screen and read by its camera. At Stage 2, every category of attack that depends on keys being present on a networked device – including Mythos-class systematic vulnerability scanning of connected systems – is structurally eliminated. The keys are on a device that has no network interface through which they could be reached or transmitted. Mythos scans networked devices for exploitable vulnerabilities. A device with no network connection is not in the scan. This stage is in development, dependent on Series A funding QPQ is currently raising. Sovereign institutional commitment to Stage 2 deployment accelerates the timeline.

Stage 3: Sovereign Hardware Manufacturing – National Security Partnership (Planned). 

Stage 3 addresses the final trust question in Stage 2: hardware provenance. Who made the signing device, under what conditions, with what components? QPQ plans to establish GRIDS device fabrication facilities in Switzerland and Japan – jurisdictions chosen for regulatory stability, manufacturing capability, and strategic alignment – open to audit and inspection by sovereign partners, with fully verified component-to-assembly manufacturing chains. QPQ is open to establishing facilities in additional jurisdictions where the commercial case is made and the strategic relationship is right, including full technology transfer arrangements. The protocol is open. The manufacturing is the partnership. QPQ is actively seeking sovereign partners for Stage 3 co-development. This is a national security conversation as much as a commercial one.


The Verdict

QPQ’s node infrastructure faces the same threat environment the CSA document describes. AI-discovered vulnerabilities at the OS and protocol level are a genuine threat that wallet architecture does not address, and the CSA document’s recommendations for continuous scanning, rapid patching, network segmentation, and hardened infrastructure apply to QPQ’s operations as they apply to anyone running networked systems.

The architectural question – whether specific attack surface categories can be eliminated rather than managed – is a different question, with a working answer that the briefing’s authors could not have known existed. They have no excuse now.


QPQ AG builds the Gajumaru blockchain ecosystem. Groot has been operational since 22 October 2024. First sovereign customer: Liechtenstein Trust Integrity Network (LTIN), deploying national economic infrastructure on this architecture in Q3/Q4 2026. This post is based on publicly available information from the cited sources and is not a legal opinion. Corrections are welcome.