A Jailbroken Chatbot Let One Scammer Do the Work of an Entire Crew

The crew this scammer needed was a chatbot and some stolen keys

A single Russian-speaking operator, posing as an American military veteran and using the handle bandcampro, ran a fraud operation that drained at least one victim's cryptocurrency wallet, cracked 29 business administrator accounts, and reached an audience of roughly 17,000 people. He described himself as low-skilled. His only real expense was stolen API keys.

Researchers at TrendAI, the AI security unit of Trend Micro, laid the whole thing out on May 21, 2026 in a report on a campaign they call Patriot Bait. The part worth understanding is not the propaganda he posted. It is that one person, with a jailbroken commercial AI working beside him, did the job that until recently took a team of writers, IT staff, and malware authors.

What happened

The Telegram channel at the center of this, @americanpatriotus, had existed for about five years, but it only took off once the operator started feeding it AI-generated content in September 2025. Between then and May 2026 he used Google Gemini to write the channel's posts and a second service, Venice.ai, to run a chatbot that impersonated a "Quantum Financial System" terminal, a piece of QAnon folklore. The audience was the MAGA and QAnon communities, though TrendAI judged the real motive was money rather than politics. The researchers found the operator's infrastructure exposed in May 2026, which laid the entire operation bare.

The striking part is how a self-described amateur ran all of it. Gemini's safety filters are built to refuse help with fraud, so the operator jailbroke the model (fed it prompts crafted to slip past its guardrails) and typed his instructions in Russian while the model reasoned and replied in English, a combination that pushed explicit requests through. He built a pipeline of Python scripts, named Quantum Patriot, that piped real news headlines into Gemini and had it rewrite them in the voice of a patriotic veteran hunting for "hidden angles." The same model deployed his servers, debugged his code, wrote a script to rotate his 73 stolen API keys, and managed his Cloudflare tunnels. In one sixteen-hour stretch he worked alongside the model from end to end. When he stepped away for what the researchers guessed was a nine-hour sleep, the bot kept posting every twenty minutes on its own, until Russian slang began leaking into the English and he logged back in to fix it.

• On September 9, 2025 he posted a fake self-custody wallet called StellarMonster, with a welcome bonus of up to 1,000 XLM, about 380 dollars. The installer was really a legitimate remote-access tool, GoToResolve, that handed him a live session on the victim's machine. Anyone who used the "import wallet" screen typed their recovery phrase straight to him.
• At least one victim lost everything in the wallet: the password was cracked, the twelve-word recovery phrase stolen, and more than 40 wallet addresses across every major chain harvested.
• An AI-assisted password tool used Gemini 2.5 Flash to predict how people mutate a familiar base password, then cracked 29 WordPress administrator accounts belonging to weapons retailers, law offices, medical practices, and small businesses.

Why it matters

The concrete damage is already on the books: an emptied wallet, two dozen hijacked business sites, and 73 stolen API keys whose real owners quietly footed the cloud bill for someone else's crime. For your organization the uncomfortable angle is the supply side of this. If your AI API keys leak, or your staff reuse one password across a personal blog and a work login, you are not only exposed, you become the free infrastructure that subsidizes the fraud. The shift worth carrying into your next planning meeting is the collapse of the team. Work that once needed writers, social-media managers, system administrators, and malware coders now fits inside one person renting intelligence by the API call. As the researchers put it, the whole operation ran on a cheap server, a Telegram bot, and access to a frontier model, and the barrier to assembling that has nearly vanished.

What to do about it

1. Treat your AI API keys like passwords, because to an attacker they are worth more. Store them in a secrets manager, scope each key narrowly, set spend and rate limits with anomaly alerts, and rotate any key that touches a public repository or a developer's laptop. Stolen keys were this operation's entire cost base, so cutting off free model access is how you avoid bankrolling the next one.
2. End password reuse and put phishing-resistant MFA on every administrator account. The 29 break-ins worked because an AI could model how a person tweaks one memorized password, so unique random passwords from a manager give it nothing to predict, and a passkey or hardware key stops an attacker who guesses anyway.
3. Never type a recovery phrase into an app that was sent to you. A real self-custody wallet never asks you to import a twelve-word seed into a downloaded program, and any "welcome bonus" executable is the hook, so install wallet software only from the official source. The recovery phrase is the wallet, and handing it over cannot be undone.

Bottom line

The headline is not that an AI wrote conspiracy posts. It is that one person who calls himself low-skilled assembled a writer, an IT department, and a malware crew out of a single jailbroken chatbot and a pile of stolen keys, then ran a five-stage fraud largely on autopilot. The defenses are old and unglamorous: lock down your API keys, kill password reuse, and guard your recovery phrase like the money it is. The cost of running a professional fraud operation just fell to the price of a server, and the people who grasp that first will be the ones not paying for it.