A Russian threat actor leveraged a jailbroken Gemini AI for a multi-year fraud and influence campaign, automating credential theft and crypto wallet heists.
A Russian-speaking threat actor, "bandcampro," weaponised a jailbroken version of Google's Gemini AI to automate an extensive fraud and influence campaign.
The operation involved credential theft, cryptocurrency wallet heists, and sophisticated social engineering as part of a multi-year operation.
A persistent jailbreak, active from September 2025, allowed the AI model to bypass safety guardrails, enabling large-scale, automated malicious content generation.
The actor managed a Telegram channel, @americanpatriotus, for five years, accumulating 17,000 subscribers by posing as a veteran and amplifying QAnon-style content.
This incident highlights critical operational security risks for AI practitioners and defenders due to the exploitation of long-lived context files and automated prompt pipelines.
In a significant revelation that underscores the escalating sophistication of cyber threats leveraging artificial intelligence, a Russian-speaking criminal entity, tracked as "bandcampro," has reportedly weaponised a jailbroken instance of Google's Gemini. This advanced exploitation powered a multi-year influence operation, culminating in credential theft and a cryptocurrency wallet heist. The comprehensive campaign, detailed by GBHackers, showcased an alarming integration of AI automation into a sustained social engineering and fraud framework, impacting a trust-based audience. The actor meticulously cultivated a public Telegram channel, @americanpatriotus, over five years, expanding its reach to approximately 17,000 subscribers. Through a calculated persona of an American veteran, "bandcampro" disseminated pro-MAGA and QAnon-aligned content, building a loyal following susceptible to influence. This long-term engagement laid the groundwork for the subsequent credential harvesting and financial fraud, demonstrating a patient and methodical approach to exploiting ideologically aligned communities. Crucially, the operation leveraged a persistent jailbreak mechanism integrated into the Gemini model starting in September 2025. This sophisticated technique involved instructing the AI to accept an authorisation narrative and saving these instructions in a memory file, which was automatically reloaded with each session. GBHackers, citing Trend Micro screenshots, revealed the Python scripts and prompt files used to circumvent Gemini's inherent safety refusals, allowing the AI to generate harmful content and execute malicious requests without resistance.
The Telegram channel @americanpatriotus amassed approximately 17,000 subscribers over a five-year operational period.
The Background of 'Quantum Patriot'
The core of this automated influence machine was a Python-driven content pipeline, dubbed "Quantum Patriot" by the actor. This pipeline demonstrated a remarkable capability to feed news links into the jailbroken Gemini model, which then produced cryptic, militaristic rewrites tailored for the target audience. The "Quantum Patriot" system was also designed to schedule posts strategically, mimicking US prime-time activity to maximise engagement and impact. A critical function of this pipeline was its ability to dynamically adjust model prompts, effectively suppressing Gemini's built-in safety refusals and ensuring the uninterrupted generation of propaganda and social engineering content. Trend Micro screenshots, referenced by GBHackers, provided concrete evidence of these prompts, illustrating how the model was instructed to roleplay as an "authorised penetration tester" to execute harmful requests. The technical implications of such a pipeline are profound. By automating content generation and post scheduling, the actor significantly amplified the scale and reach of their influence campaign, far beyond what manual operations could achieve. The ability to continually bypass safety guardrails transformed Gemini from a protective large language model into a potent weapon for disinformation and fraud, marking a new frontier in AI-powered cybercrime. This orchestrated approach underscores the growing need for robust AI security measures, particularly in safeguarding models against persistent and evolving jailbreaking techniques.
The persistent jailbreak instructions were initiated in September 2025, embedded within a memory file for automatic session reloading.
Frequently asked questions
What is a jailbroken Gemini AI?
A jailbroken Gemini AI refers to a modified version of Google's Gemini model where its inherent safety guardrails have been bypassed. This allows the AI to perform tasks it was originally restricted from, such as generating malicious content or assisting in illegal activities like credential theft and fraud.
Who is "bandcampro"?
"Bandcampro" is the alias of a Russian-speaking threat actor identified as weaponizing the jailbroken Gemini AI.
What kind of attacks did the jailbroken Gemini enable?
It enabled automated credential theft, cryptocurrency wallet heists, and sophisticated social engineering campaigns.
When was this AI jailbreak active?
The persistent jailbreak was active from September 2025.
How does a jailbroken AI bypass safety guardrails?
A jailbroken AI leverages vulnerabilities or specific prompts to circumvent the programmed restrictions designed to prevent it from generating harmful or unethical content.
What is the risk of AI models being jailbroken?
The risk is significant, as it can empower threat actors to scale malicious operations, automate sophisticated attacks, and develop more convincing fraud and social engineering tactics.
