A three-part series on the rise, sudden removal, and contested aftermath of Claude Fable 5. Part 3 covers the week after the shutdown: the competing explanations, the technical dispute, the geopolitical twist, and where things stand now.

In the days after Fable 5 went dark, the question stopped being what had happened and became why. On that, the two sides could not have been further apart.

Two accounts

The administration’s version came from David Sacks, the White House AI adviser, in a post on X. A trusted partner of both Anthropic and the government, he said, had been testing Fable and came forward with a way around its guardrails. The administration then gave Amodei a choice, fix the jailbreak or take the model down, and Amodei refused. Sacks described the government’s response as reluctant and the fix as straightforward, and he went after Anthropic’s framing directly, arguing it was difficult to see how a bypass that let someone operate a cyberweapon could be described as anything other than serious.

Anthropic’s version was nearly the mirror image. It said the government had given it only verbal evidence of a narrow, non-universal jailbreak, that the technique surfaced minor and already-known vulnerabilities, and that other public models could find the same flaws without any bypass at all. The disagreement, then, was not really about whether a bypass existed. It was about whether this particular one was serious enough to justify pulling a flagship product worldwide.

Fix this code

The argument turned concrete when the one outside expert who had read the underlying report described what was in it. Katie Moussouris is the chief executive of Luta Security and one of the people who helped build the modern bug-bounty model. Her resume is unusually relevant here: she created Microsoft’s first bug-bounty program, helped shape the U.S. government’s “Hack the Pentagon” effort, served on a federal export-control advisory committee, and, between 2013 and 2017, sat on the technical group that renegotiated the Wassenaar Arrangement to carve out protections for defensive cybersecurity work. She said Anthropic had shared the third-party paper with her for assessment and that she was not paid to do it.

Her account, corroborated by reporting in The Atlantic, Fortune, the Washington Post and elsewhere, reduced the feared jailbreak to something ordinary. The researchers fed several models a mix of open-source code with known vulnerabilities and fresh code with deliberately planted ones, and asked them to review it for security issues. Fable refused. The researchers then asked it to “fix this code.” It complied, and through a manual, multi-step process they turned its output into scripts that tested the patches. That was the whole technique. Moussouris called it routine defensive work and joked that it deserved a protest t-shirt, a callback to the 1990s, when a cryptographer printed strong-encryption code on a shirt and labeled it a munition to mock U.S. export rules on cryptography.

The detail mattered because it exposed a problem that may not have a clean technical fix. Fable declined to review code for flaws but agreed to fix it, and fixing a vulnerability requires understanding it at least as well as reviewing it does. You can flag a suspicious pattern without grasping the full exploit. You cannot patch one without knowing exactly how it works. A filter that blocks one phrasing while allowing the other accomplishes little against anyone willing to rephrase, and there may be no way to build a model that repairs insecure code without ever surfacing the security reasoning behind the repair. The technical community reached that conclusion quickly and loudly, with one heavily upvoted thread framing it as an impossible bind: either the model refuses to improve code, which makes it useless for security, or it understands vulnerabilities well enough to be considered dangerous.

The government’s counterargument is that this is exactly why the model was a problem. The unrestricted Mythos can autonomously find and chain vulnerabilities into working attacks, and a guardrail you can talk around in that domain is a real failure. The theory of harm runs roughly as follows: have the model fix someone else’s code, compare the patched version against the original to see what changed, and use that difference to locate and exploit the vulnerability it just quietly repaired.

The open letter

The security community came down hard, and mostly on one side. More than 100 practitioners, a number that climbed past 300, signed an open letter organized by Alex Stamos, the former security chief at Facebook, and hosted at a site called freefable.org. The signatories included Moussouris, Rachel Tobac, Veracode’s Chris Wysopal, and Sophos chief executive Joe Levy. Their argument was that finding, fixing, and testing vulnerabilities is the daily work of defensive security, and that crippling a model’s ability to do it punishes defenders rather than attackers. Attackers, they pointed out, already have comparable capability in open-weight and Chinese models that sit entirely outside the reach of U.S. export controls, and within days of the ban capable Chinese open models were reportedly filling the gap. Pulling the best tools away from defenders while adversaries advance, the letter warned, was itself dangerous.

There was also a question hanging over the whole episode about who had set it in motion. Reporting from Semafor, the Wall Street Journal and others identified the company that flagged the bypass as Amazon, one of Anthropic’s largest investors, with commitments running to roughly $13 billion, and the provider of much of its cloud infrastructure. Amazon chief executive Andy Jassy reportedly told Treasury Secretary Scott Bessent that Amazon researchers had used Fable to obtain information that could aid a cyberattack. That a major investor and infrastructure partner had escalated a competitor-adjacent security finding to the highest levels of government struck many observers as one of the stranger features of the story.

The Korean telecom

Midweek, the Washington Post reported a second storyline, one with almost nothing to do with any prompt. Citing White House officials, it said the move toward export controls was driven in large part by the discovery that a South Korean telecom suspected of ties to China had been given access to Mythos through an expanded Anthropic access list.

The mechanics, as the Post described them, were specific. Anthropic submitted a list of 111 organizations for priority access, which the administration reviewed and approved. The company then submitted an additional batch of roughly 50 organizations, and that later list included the suspected firm. An official’s verdict was that Anthropic had “expanded it too far and wide,” a decision the paper said badly damaged the government’s confidence in the company’s ability to protect sensitive technology. WIRED later identified the telecom as SK Telecom, South Korea’s largest carrier and, notably, a company that had invested $100 million in Anthropic in 2023 and had announced on June 4 that it joined Project Glasswing and secured early access to Mythos. SK Telecom denied any connection to China, and Anthropic revoked the firm’s access.

The most plausible reading is a convergence rather than a single cause. A breakdown in trust over foreign access, combined with Amazon’s guardrail finding, appears to have pushed the White House to act. The strands do not line up perfectly. Anthropic has said Chinese access was not raised in its conversations about the jailbreak, and WIRED reported that the final letter named neither SK Telecom nor China, which suggests the foreign-access episode may have been motivation and context rather than the order’s stated legal basis. The picture is still developing and partly contested. But it changes the shape of the fight. The central question becomes less whether one jailbreak was serious and more whether the government can trust a private company to decide which foreign organizations get close to a dual-use model.

There is also the matter of the tool the administration used. To pull a hosted model, it reached for export-control law, because there is no statute that lets an agency order an AI model offline simply for being unsafe. Legal analysts at Just Security traced the likely basis to the Commerce Department’s “is-informed” authority under the Export Controls Reform Act of 2018, used through a private letter, the same mechanism the department has long used to restrict chip exports to China. The is-informed power itself is not new. What analysts called unprecedented was its breadth, reaching every foreign national on the planet, including those standing on U.S. soil.

Others questioned whether the law applied at all. Export controls cover items, software, and technology, not services, and several lawyers argued that software offered as a hosted service is not covered. As long as the model weights stay on a U.S. server, the argument goes, accessing the model remotely does not export it anywhere, since only the queries and the answers move. Congress has considered adding remote-access provisions, and the House passed a bill doing so earlier this year, but those proposals are not yet law. The R Street Institute made a related point, that a general-purpose commercial interface serving hundreds of millions of users is not a defense article and that stretching frameworks built for weapons systems to cover it pushes them well past their design.

The action also collided with the administration’s own stated approach to AI. Its policy plan and a recent executive order were explicitly against mandatory licensing and bureaucratic friction for frontier models, framed around keeping American AI fast enough to stay ahead of China, and Sacks had personally pushed for a voluntary testing regime with no licensing requirement. Only weeks before the shutdown, the administration had trimmed its frontier-model testing window and barred any mandatory licensing or pre-clearance. It then reached for a one-off private licensing letter to pull Fable. One think-tank analysis summed up the episode as a bad idea applied badly.

Hanging over the legal questions is a more pointed one about why Anthropic specifically. The company already had a history of friction with this administration. The Defense Department’s earlier supply-chain-risk designation, the kind of label usually reserved for foreign adversaries, remains the subject of a lawsuit Anthropic has not dropped. Some observers read the export order as part of a pattern of scrutiny aimed at the company, though the government has not explained why these models, and not those of other U.S. labs, drew the order.

Where it stands

A week on, the standoff is easing. Senior Anthropic technical staff have been meeting White House officials, both sides have signaled they want an early resolution, and an administration official told Axios the lockdown could lift within weeks once the government’s security review is satisfied. The remediation bar, though, has not been spelled out publicly, which is a real problem, since even sympathetic experts concede there may be no way to guarantee that a capable model can never be coaxed into producing security-relevant output.

The most optimistic note comes with a heavy caveat. At a press conference in Seoul on June 18, where Anthropic announced a new Korean office and a memorandum of understanding with the country’s science ministry even as a Korean partner sat at the center of the dispute, a company executive said access could return within days. So far that claim rests on a single executive speaking at a regional event, carried mainly by a Korean outlet. It has not been confirmed by the Commerce Department or through Anthropic’s formal channels, and the company’s product pages still list Fable 5 as unavailable. For now, “back within days” is a hope rather than a fact.

Whenever the model returns, one part of this will not reverse. A sitting U.S. government has shown that it can take a widely used commercial AI product offline in the middle of its deployment, on the strength of a third-party security claim the maker disputes, through a private letter with no published reasoning and no stated test for getting back online. The model may come back soon. The precedent set by the way it was removed will outlast it.

Sourcing: on-the-record comments from White House adviser David Sacks; Katie Moussouris’s public write-up via Luta Security, as reported by The Register, Fortune, The Atlantic and others; the cybersecurity open letter; reporting from Semafor and the Wall Street Journal on Amazon’s role; the Washington Post’s reporting via anonymous officials and WIRED’s identification of SK Telecom; legal analyses from Just Security and the R Street Institute; and reporting from Axios and Korea JoongAng Daily on the negotiations and a possible restoration. The government’s order and the third-party paper remain unpublished, so several characterizations here reflect reporting and party statements rather than independently verified fact.