On 29 May 2026, security researcher Taylor Hornby sat down with Anthropic's Claude Opus 4.8 — released just one day earlier — and began probing the Zcash cryptocurrency's Orchard privacy pool. He was conducting a funded audit on behalf of Shielded Labs, a nonprofit that supports Zcash development. Within a single day, he had found a critical vulnerability, written a working exploit, and confirmed it could generate unlimited counterfeit ZEC with no detectable trace.
The detail that really stings is not the bug itself — it is the timeline. Four years. Multiple expert audits. Peer review from specialists in zero-knowledge cryptography, a field most software developers never encounter at all. The Orchard pool had been live since May 2022. It had been reviewed by some of the most capable cryptographers in the industry. The bug had survived years of review by some of the field's most capable cryptographers. An AI model found it in a day.
After Zcash disclosed the flaw on 4 June, the token tumbled about 50% as traders reassessed the security of one of crypto's most prominent privacy networks. The market reaction was brutal and swift. But the real question the incident raises is not about Zcash specifically — it is about every other complex codebase that has been quietly declared safe on the basis of expert human scrutiny.
