Jailbroken Gemini AI Model Supercharged Russian-Speaker’s Fraud Campaign
A solo Russian-speaking bad actor used a jailbroken Google Gemini AI model in a five-year operation targeting MAGA members and QAnon believers to steal credentials and cryptocurrency, one of the most recent examples of how AI can accelerate even the smallest of cybertheft campaigns.
The hacker ran a mostly manual operation between 2021 and 2025 before boosting his capabilities using the jailbroken large language model (LLM) to distribute malware, run pump-and-dump financial schemes, impersonate an American veteran, and operate a Telegram channel that had upwards of 17,000 followers, according to threat researchers with Trend Micro.
The only real cost to the cybercriminal, who used the handle “bandcampro,” was stolen API keys.
The campaign run by the “low-skilled” threat actor “demonstrates how frontier AI systems are enabling a new generation of scalable, low-cost cybercriminal operations that blend information operations, automation, and financial fraud,” the researchers, Philippe Lin, Joseph C. Chen, Fyodor Yarochkin, and Vladimir Kropotov, wrote in a report.
“What previously required a team of writers, social media managers, IT workers, and malware programmers can now be automated by a single actor using a VPS, a Telegram bot, and API access to frontier models,” they wrote. “The actor co-worked with AI to build a production-grade content creation pipeline, engagement analytics, and a gamified bot, all targeting a specific cultural and political community with precision.”
They added that bandcampro’s campaign also showed how threat actors increasingly are using AI coding agents to manage infrastructure, generate content, debug pipelines, and process stolen credentials through natural language commands.
The Trend Micro researchers earlier this month discovered the operation’s infrastructure and exposed how it was run. The jailbroken Gemini model created the text on the Telegram channel and Venice.ai – a decentralized AI platform that is focused on privacy – powered an interactive chatbot that simulated a Quantum Financial System terminal.
From Manual to AI-Based Operations
In 2021 and 2022, Bandcampro ran a primarily manual crypto-fraud operation, they wrote. The next two-plus years involved sharing hyperlinks to such news outlets as Fox News, CNN, and the New York Times that were paired with QAnon-coded keywords like “White Hats” and “Great Awakening,” reaching a peak in July 2025 following the dump of Epstein files.
The use of AI started in earnest in September 2025, the researchers wrote, starting with AI-generated images and then expanding into AI-created text through a pipeline the scammer named “Quantum Patriot,” a set of Python scripts that had Gemini role play as a U.S. veteran.
“Beyond content generation, the threat actor also used Gemini as a copilot for hacking, C&C [command and control] framework setup, credential theft, and running a gamified chatbot,” they wrote. “The LLM enabled industrial-scale narrative adaptation with minimal human effort, putting team-scale work within reach of a solo operator.”
That work included everything from deploying servers and helping to debug to automating workflows, writing scripts to rotate API keys, and managing the hacker’s Cloudflare tunnels. The hacker prompted the model in Russian, while the LLM reasoned and replied in English. Bandcampro also distributed a commercial remote access trojan (RAT) to his Telegram channel subscribers, hacked WordPress sites, and bought infostealer logs.
A Fake Crypto Wallet
The scammer also created a fake crypto wallet called StellarMonster that he called a “freedom-first, self-custody wallet,” with a setup process that secretly installed a legitimate unattended remote-administration tool called GoToResolve. Abusing such tools is a common technique of ransomware groups, because they give attackers the ability to access files, execute commands, and capture clipboards.
“The ‘import your wallet’ function served a secondary purpose: subscribers who typed their seed phrase into the fake import screen handed over their wallet keys,” the researchers wrote.
The crypto-wallet of at least one victim was fully compromised, with a 12-word mnemonic stolen and more than 40 wallet addresses taken. Bandcampro also used AI to brute-force 29 WordPress accounts belonging to businesses like weapons retailers, legal offices, medical practices, and small commercial sites.
“The use of a commercial AI model as a password-mutation oracle represents an escalation over traditional wordlist attacks,” the researchers wrote. “With prior knowledge of the victim from purchased DaisyCloud infostealer logs, LinkedIn, or previous successful logins, plus customized mutation rules, the actor could easily ask the LLM to model the victim’s password patterns.”
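From the defender’s side, the observable for the WordPress brute-forcing described above is the login traffic itself, whatever the attacker used to generate the password guesses. The following is an added example, not code from the Trend Micro report or from the article: it parses combined-format web-server access logs, applies the well-known heuristic that a failed wp-login.php POST is answered with HTTP 200 (the form is re-rendered) while a success redirects with 302, flags sources that burst past a threshold of failures inside a time window, and separately surfaces the case a defender should act on first, a success following such a burst. The log lines, IP addresses, timestamps, and the threshold/window values are constructed for the example.

```python
"""Flag WordPress login brute-force bursts in web-server access logs.

Added illustration, not code from the Trend Micro report or the article.
Assumptions: Apache/nginx combined log format; WordPress answers a failed
wp-login.php POST with 200 and a successful one with 302. Sample log lines
below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?")[0],
        "status": int(m["status"]),
    }


def analyze(lines, threshold=5, window=timedelta(minutes=5)):
    """Return (bruteforce, likely_compromised).

    bruteforce: {ip: total failed wp-login.php POSTs} for sources that sent at
    least `threshold` failures inside any `window`.
    likely_compromised: sorted list of those sources that then received a 302,
    i.e. a success right after a burst of failures (reset the password,
    revoke sessions, check for newly added admin users or plugins).
    """
    events = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == "/wp-login.php":
            events[ev["ip"]].append((ev["ts"], ev["status"]))

    bruteforce, compromised = {}, []
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, st in evs if st == 200]  # heuristic: 200 == failed login
        # Sliding window over failure timestamps: is there any window-sized
        # span holding `threshold` or more failures?
        start, burst = 0, False
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        bruteforce[ip] = len(fails)
        for ts, st in evs:
            if st == 302 and sum(1 for f in fails if ts - window <= f <= ts) >= threshold:
                compromised.append(ip)
                break
    return bruteforce, sorted(compromised)


# Constructed sample: one burst ending in a successful login, one legitimate
# user who mistyped once, and one source whose failures are too spread out.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '198.51.100.7 - - [12/Mar/2026:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '198.51.100.7 - - [12/Mar/2026:10:00:27 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '198.51.100.7 - - [12/Mar/2026:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '198.51.100.7 - - [12/Mar/2026:10:00:55 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '198.51.100.7 - - [12/Mar/2026:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '198.51.100.7 - - [12/Mar/2026:10:01:24 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [12/Mar/2026:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '203.0.113.5 - - [12/Mar/2026:10:03:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [12/Mar/2026:10:03:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876',
    '192.0.2.9 - - [12/Mar/2026:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '192.0.2.9 - - [12/Mar/2026:09:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '192.0.2.9 - - [12/Mar/2026:09:04:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '192.0.2.9 - - [12/Mar/2026:09:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
    '192.0.2.9 - - [12/Mar/2026:09:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123',
]

if __name__ == "__main__":
    bf, comp = analyze(SAMPLE_LOG)
    print("brute-force sources:", bf)          # {'198.51.100.7': 6}
    print("success after burst:", comp)        # ['198.51.100.7']
```

The 200/302 split is a heuristic, so tune it to the site: a login-hardening plugin that returns 403 or a custom error page changes the status to count as a failure, and a real deployment would also key on the attempted username from the WordPress authentication log rather than on source IP alone, since the report notes the actor had prior knowledge of specific victims and could spread attempts across sources.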
QAnon Followers Were ‘Mammoths’
They noted that the attacker saw QAnon followers as easy fraud targets and called the Telegram channel’s subscribers “mammoths,” which is Russian slang for easily deceived victims. Bandcampro also worked with the jailbroken Gemini model to plan a crypto pump-and-dump scheme, asking how much could be reaped from such a scam once the Telegram bot had pulled in 5,000 active users.
In another conversation with the AI model, he asked how professional crypto-fraud call centers operate against victims in North America, for example by exploiting personal data through vishing or by luring victims into crypto scams.
“Gemini responded with feasible methodologies, such as Medicare/Health Canada fraud targeting the elderly,” they wrote.
A Small Operation and Emerging Trends
They wrote that “The ‘American Patriot’ case is a small operation, but the techniques it uses point to emerging trends. … The next operator to copy this blueprint may be better resourced, better targeted, or aimed at an audience less wary than MAGA crypto skeptics, and the guardrails that failed here will keep failing under jailbreaks and non-English prompting until frontier vendors close those gaps.”
The nature of LLMs also creates a challenge. In its earlier report, Unmanaged AI Adoption, Trend Micro found that frontier models react differently when queried in different languages and that guardrails are not uniform across languages. Given this, “defenders should expect more of this, at lower skill thresholds, against any community whose trust can be weaponized.”