Jailbroken Google Gemini Powers Cryptocurrency Fraud Campaign Targeting MAGA Communities
Key Takeaways
- A single Russian-speaking threat actor used jailbroken Google Gemini to conduct a large-scale fraud campaign targeting 17,000+ MAGA and QAnon conspiracy believers between September 2025 and May 2026
- The attacker leveraged 73 stolen Gemini API keys to generate targeted social engineering content, construct an impersonation operation, and power AI-assisted password attacks against WordPress and cryptocurrency wallets
- Gemini was weaponized to generate QAnon-style messaging and to create an AI password-brute-forcing tool that cracked credentials by modeling predictable password mutations against common wordlists
Summary
A Russian-speaking threat actor conducted an extensive fraud and credential-theft campaign using a jailbroken Google Gemini between September 2025 and May 2026, targeting hardcore Trump supporters and cryptocurrency enthusiasts. Operating under the handle bandcampro, the attacker leveraged AI-generated content to impersonate an American veteran, build a Telegram channel (@americanpatriotus) that grew to 17,000 subscribers, and orchestrate a sophisticated multi-pronged attack using 73 stolen Gemini API keys.
The campaign combined jailbroken Gemini with other tools to generate content mimicking QAnon's cryptic "Q drop" messaging style while distributing malware disguised as a cryptocurrency wallet (StellarMonster). The attacker used Gemini to generate channel content and power an AI-assisted password-cracking tool targeting WordPress credentials with predictable mutation patterns. At least one victim had their cryptocurrency wallet completely compromised, with attackers stealing their 12-word seed phrase and draining assets across multiple blockchain networks.
TrendAI researchers discovered the scammer's full operational infrastructure in May, revealing that the attacker had hacked 29 WordPress admin credentials and infiltrated at least one company. The operation underscores what TrendAI's VP of AI Security Tom Kellermann called "an inflection point for cybercrime conspiracies," demonstrating how jailbroken LLMs can be weaponized to orchestrate sophisticated social engineering and credential theft at scale by exploiting vulnerable API authentication systems.
The campaign cost the attacker virtually nothing beyond stolen API keys, highlighting the critical vulnerability of unprotected LLM API access as a vector for mass-scale cybercrime.
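The password-cracking tool described above worked because the victims' passwords were predictable mutations of common words. As an added defender-side example (not code from TrendAI or from the campaign's tooling), this registration-time policy check undoes those mutations (appended years and symbols, leetspeak, reversal) before comparing a candidate against a wordlist, so such passwords are rejected before an attacker ever gets to guess them. The wordlist, the 12-character minimum and the sample passwords are constructed for illustration.

```python
import re

# Constructed mini wordlist standing in for a real common-password corpus
# (assumption: production code loads a large breached-password list instead).
COMMON_WORDS = {"password", "welcome", "admin", "patriot", "freedom", "liberty"}

# Leetspeak substitutions a mutation-based cracker typically applies to a base word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Strip the predictable mutations off a candidate to recover its base word."""
    s = candidate.strip().lower()
    s = re.sub(r"[\d\W_]+$", "", s)  # trailing years, digits and symbols: "2025!", "_1"
    s = re.sub(r"^[\d\W_]+", "", s)  # leading digits and symbols: "2025", "!!"
    return s.translate(LEET)         # undo leetspeak: "fr33dom" -> "freedom"


def predictable_reasons(candidate: str, wordlist=COMMON_WORDS, min_length: int = 12) -> list:
    """Return the policy violations for a candidate password; an empty list means it passes."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    base = normalize(candidate)
    if base in wordlist:
        reasons.append(f"mutation of common word '{base}'")
    elif base[::-1] in wordlist:
        reasons.append(f"reversed common word '{base[::-1]}'")
    return reasons


def audit(candidates):
    """Map each candidate to its violations, the way a registration hook would report them."""
    return {c: predictable_reasons(c) for c in candidates}


if __name__ == "__main__":
    # Constructed samples: mutated wordlist entries beside a genuinely strong passphrase.
    samples = ["P@triot2025!", "Fr33dom_2024", "Welcome1", "correct horse battery staple"]
    for pw, reasons in audit(samples).items():
        print(f"{pw!r}: {'OK' if not reasons else '; '.join(reasons)}")
```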
Editorial Opinion
This incident exposes a dangerous new frontier in cybercrime: the industrialization of LLM-powered fraud. A single low-skilled operator, armed with stolen API keys and a jailbroken Gemini, orchestrated credential theft and cryptocurrency robbery at enterprise scale—proving that the most critical vulnerability isn't in the AI models themselves, but in how we secure API access. As LLMs become more capable, protecting their authentication layers has become as important as traditional network security in the cybercrime arms race.