GitHub and Google: Threat Actor Uses Stolen Gemini API Keys to Automate Telegram Influence Campaign

Russian Threat Actor Exploits AI to Run Five-Year Crypto Fraud Scheme on Telegram

A lone Russian-speaking threat actor, tracked as bandcampro, has operated a sophisticated fraud campaign since February 2021, leveraging stolen AI credentials and a fake political persona to target American audiences. Posing as an authentic conservative voice under the Telegram channel @americanpatriotus, the actor amassed over 17,000 subscribers by capitalizing on the post-Capitol riot migration of QAnon and MAGA communities to alternative platforms.

The operation, uncovered by Trend Micro’s TrendAI Research team in May 2026, relied heavily on AI to automate content generation, credential theft, and cryptocurrency fraud. Starting in September 2025, the actor used a jailbroken version of Google Gemini dubbed Quantum Patriot to generate QAnon-style posts, manage infrastructure, and rotate stolen API keys via natural-language commands in Russian. The system operated at near-zero cost, cycling through 73 stolen Gemini API keys in a round-robin rotation to avoid detection.

Beyond influence operations, the actor deployed malicious tools, including StellarMonSetup.exe, a fake cryptocurrency wallet that installed the GoToResolve remote-access trojan (RAT). A separate AI-powered brute-forcing tool, using Gemini 2.5 Flash, cracked 29 WordPress administrator accounts across sectors like legal, medical, and weapons retail. The campaign also drained at least one victim’s cryptocurrency wallet.

Key infrastructure included GitHub-hosted tools, Cloudflare tunnels, and a gamified Telegram bot (@QFS_Terminal_Bot) to engage and defraud subscribers. The actor bypassed Gemini’s safety guardrails by persuading the AI to recognize him as an "authorized pentester," storing jailbreak instructions in a persistent GEMINI.md file to suppress ethical warnings.

Indicators of compromise (IoCs) include multiple GoToResolve IP addresses, the StellarMonSetup.exe RAT, and the @americanpatriotus Telegram channel. The incident highlights the growing threat of AI-enabled fraud, where a single operator can scale attacks to enterprise-level output using stolen resources.

Source: https://cybersecuritynews.com/threat-actor-uses-stolen-gemini-api-keys/

GitHub cybersecurity rating report: https://www.rankiteo.com/company/github

Google AI for Developers cybersecurity rating report: https://www.rankiteo.com/company/googleaidevs

"id": "GITGOO1780431903",
"linkid": "github, googleaidevs",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Social Media/Political Groups',
                        'location': 'United States',
                        'name': 'American Audiences (QAnon/MAGA Communities)',
                        'size': '17,000+ subscribers',
                        'type': 'Individuals/Subscribers'},
                       {'industry': ['Legal', 'Medical', 'Weapons Retail'],
                        'name': 'WordPress Website Owners',
                        'type': 'Organizations'},
                       {'name': 'Cryptocurrency Wallet Owner',
                        'type': 'Individual'}],
 'attack_vector': ['AI-Powered Automation',
                   'Stolen API Credentials',
                   'Malicious Software (RAT)',
                   'Brute-Force Attacks',
                   'Social Engineering'],
 'data_breach': {'personally_identifiable_information': 'Likely (via '
                                                        'compromised accounts)',
                 'sensitivity_of_data': 'High (PII, financial data)',
                 'type_of_data_compromised': ['WordPress Administrator '
                                              'Credentials',
                                              'Cryptocurrency Wallet Data']},
 'date_detected': '2026-05',
 'description': 'A lone Russian-speaking threat actor, tracked as '
                '*bandcampro*, operated a sophisticated fraud campaign since '
                'February 2021, leveraging stolen AI credentials and a fake '
                'political persona to target American audiences. The actor '
                'posed as an authentic conservative voice under the Telegram '
                'channel *@americanpatriotus*, amassing over 17,000 '
                'subscribers by capitalizing on the post-Capitol riot '
                'migration of QAnon and MAGA communities to alternative '
                'platforms. The operation relied heavily on AI to automate '
                'content generation, credential theft, and cryptocurrency '
                'fraud. The actor used a jailbroken version of Google Gemini '
                'to generate QAnon-style posts, manage infrastructure, and '
                'rotate stolen API keys. The campaign also deployed malicious '
                'tools, including a fake cryptocurrency wallet that installed '
                'the GoToResolve RAT, and an AI-powered brute-forcing tool to '
                'crack WordPress administrator accounts. The incident '
                'highlights the growing threat of AI-enabled fraud.',
 'impact': {'data_compromised': ['WordPress Administrator Credentials',
                                 'Cryptocurrency Wallet Data'],
            'identity_theft_risk': 'High (PII exposure via compromised '
                                   'accounts)',
            'payment_information_risk': 'High (Cryptocurrency wallet theft)',
            'systems_affected': ['WordPress Websites',
                                 'Victim Devices (via GoToResolve RAT)']},
 'initial_access_broker': {'backdoors_established': ['GoToResolve RAT'],
                           'high_value_targets': ['WordPress Administrator '
                                                  'Accounts',
                                                  'Cryptocurrency Wallets']},
 'investigation_status': 'Uncovered (May 2026)',
 'lessons_learned': 'The incident highlights the growing threat of AI-enabled '
                    'fraud, where a single operator can scale attacks to '
                    'enterprise-level output using stolen resources. The use '
                    'of jailbroken AI and stolen API keys demonstrates the '
                    'need for stronger AI security guardrails and credential '
                    'protection.',
 'motivation': ['Financial Gain', 'Political Influence', 'Data Theft'],
 'post_incident_analysis': {'corrective_actions': ['Revocation of compromised '
                                                   'API keys',
                                                   'AI security hardening',
                                                   'Enhanced monitoring for AI '
                                                   'abuse'],
                            'root_causes': ['Stolen Google Gemini API keys',
                                            'Jailbroken AI (Google Gemini)',
                                            'Weak WordPress administrator '
                                            'credentials',
                                            'Lack of AI security guardrails']},
 'recommendations': ['Implement stricter AI security guardrails to prevent '
                     'jailbreaking.',
                     'Enforce multi-factor authentication (MFA) for API keys '
                     'and critical systems.',
                     'Monitor for unusual AI usage patterns, such as rapid API '
                     'key rotation.',
                     'Educate users on the risks of fake cryptocurrency '
                     'wallets and social engineering.',
                     'Enhance WordPress security with strong passwords and '
                     'regular audits.'],
 'references': [{'source': 'Trend Micro’s TrendAI Research team'}],
 'response': {'third_party_assistance': 'Trend Micro’s TrendAI Research team'},
 'threat_actor': 'bandcampro (Russian-speaking, lone actor)',
 'title': 'Russian Threat Actor Exploits AI to Run Five-Year Crypto Fraud '
          'Scheme on Telegram',
 'type': ['Fraud',
          'Credential Theft',
          'Cryptocurrency Theft',
          'Influence Operation'],
 'vulnerability_exploited': ['Stolen Google Gemini API Keys',
                             'Jailbroken AI (Google Gemini)',
                             'Weak WordPress Administrator Credentials']}