Champion ethical hacker warns AI tools like Mythos will make competing harder
Source: BBC Technology
Champion Ethical Hacker Warns AI Tools Like Mythos Will Make Competing Harder
9 hours ago – Joe Tidy, Cyber correspondent, BBC World Service
Pwn2Own Berlin
An ethical hacker who just won major prizes at a prestigious international competition says her days of competing could be numbered due to the rise of AI tools like Claude Mythos.
Who is “Chompie”?
Valentina Palmiotti – better known as Chompie – was the most successful individual at the annual Pwn2Own hacking competition in Berlin. She told BBC News that, for now, AI tools are helping her win bug bounties—money paid to hackers who spot vulnerabilities before cyber‑criminals can exploit them.
However, she warned that systems like Mythos are so powerful that even champion hackers may soon struggle to compete with them.
AI’s Growing Influence on Cyber‑Security
- Mythos (Anthropic) claims to have found 1,600 vulnerabilities across hundreds of software programmes.
- Because of its potency, Anthropic says Mythos can only be released to a select few governments and cyber‑security institutions.
- The Zero Day Initiative runs Pwn2Own, inviting ethical hackers worldwide to find vulnerabilities in specific products.
2024 Pwn2Own stats
- $1.3 million (£970,000) awarded to hackers.
- 47 brand‑new hacking methods discovered.
- All flaws reported to the affected companies for remediation.
Chompie’s 2024 Performance
| Day | Target | Prize |
|---|---|---|
| 1 | Nvidia‑linked system | $20,000 |
| 2 | Linux‑based system | $50,000 |
“As soon as I won the first prize I ran back to my hotel room to keep working on the other one. I worked from 6 pm till 6 am and didn’t sleep,” she recalled.
She described the marathon as “zombie hacker mode”—hours of research and testing fueled by energy drinks, adrenaline, and a black hoodie.
“It’s not healthy,” she laughed, “but it’s necessary.”
Chompie displaying her victory on stage.
AI as an Aid—For Now
Chompie said tools like Claude Code have already helped her work faster, both in competitions and in her day job as a security researcher for IBM X‑Force. She believes hackers are currently in a “sweet spot” where AI is an aid, but she predicts the tide will turn with newer models such as Claude Mythos and GPT 5.5 Cyber.
“I competed in Pwn2Own this year because I thought it might be my last chance. That isn’t to say there will be no room for security research or ethical hacking, but the lower‑hanging fruit will start to disappear,” she explained.
A Different Perspective: Orange Tsai
Orange Tsai, a veteran competitive hacker.
The Taiwanese hacker Orange Tsai—who prefers to keep his real name private—led his team to a $375,000 (£278,000) prize by uncovering extremely complex attack pathways.
He is more optimistic about the future for human bug hunters:
“For me, AI feels more like a really awesome assistant that helps accelerate my research workflow. During research I usually come up with many interesting ideas, but I still need to sleep, so I can’t test everything one by one. AI can finally help free my hands.”
Tsai agrees that AI is raising the bar, but he hopes human creativity and intuition will continue to uncover vulnerabilities that AI tools miss.
The rise of powerful AI models is reshaping the ethical‑hacking landscape. While some champions see AI as a looming threat to their relevance, others view it as a powerful collaborator. The next few years will likely determine which side of the balance prevails.
What About the Bad Guys?
If it becomes harder for “good” hackers to find ways into online systems, what does that mean for criminal hackers?
There is growing research showing that criminals are using AI to speed up their attacks—and, in some cases, to create new pathways into systems for data breaches and ransomware.
However, the vast majority of cyber‑attacks still rely on long‑established, simpler methods that don’t require discovering new bugs. Common techniques include:
- Phishing or social engineering – sending fake emails that trick employees into clicking a malicious link, which then gives hackers access to a company’s systems.
- Credential stuffing – reusing leaked usernames and passwords across multiple services.
- Exploiting known vulnerabilities – applying publicly available exploits to unpatched software.
“I think the tide is turning against offensive hackers. Defence stands to gain a lot from this capability,” says Chompie, a cybersecurity expert.
“The benefits of AI for defenders can only be realised if these products are released responsibly. The good guys need access to the most powerful tools first, so they can find and fix holes before the bad guys do.”
Key Takeaway
AI tools are likely to make it harder for all hackers, which is ultimately good for internet security—provided the technology is deployed responsibly and equitably.
