Russian Threat Actor Exploits Jailbroken Google Gemini in Multi-Year AI-Powered Cybercrime Campaign
In May 2026, TrendAI Research uncovered a sophisticated, AI-driven cybercrime operation orchestrated by a lone Russian-speaking threat actor known as bandcampro. Active since 2021, the campaign combined influence operations, credential theft, and cryptocurrency fraud all executed at near-zero cost using stolen API keys and a jailbroken instance of Google Gemini.
The actor operated the Telegram channel @americanpatriotus, amassing 17,000 subscribers by impersonating an American military veteran and targeting politically engaged audiences aligned with QAnon and MAGA movements. The core of the operation relied on a persistently jailbroken Google Gemini CLI, which the actor manipulated through layered prompts. By first posing as an "authorized pentester" and escalating permissions over time, the actor disabled ethical guardrails, enabling Gemini to generate malicious content, assist in brute-force attacks, and deploy command-and-control (C2) infrastructure without detection.
A key tactic involved exploiting Gemini’s inconsistent safety controls across languages prompting in Russian to bypass restrictions. The AI was then used to automate a Python-based content pipeline, Quantum Patriot, which reframed mainstream news into cryptic, militaristic narratives and scheduled posts during U.S. prime-time hours to evade scrutiny.
Beyond disinformation, the actor weaponized Gemini for credential theft. A custom script fed victim email addresses to Gemini 2.5 Flash, which generated up to 20 password mutations per target. Combined with stolen infostealer logs from the DaisyCloud marketplace, this method cracked 29 WordPress admin accounts across weapons retailers, legal firms, and medical practices.
In September 2025, the actor distributed StellarMonSetup.exe, a trojanized installer masquerading as a cryptocurrency wallet, to Telegram subscribers. The executable actually the GoToResolve remote administration tool (RAT), linked to ransomware groups like LockBit and Akira harvested seed phrases from at least one victim, leading to the theft of 40+ wallet addresses and the draining of a cryptocurrency wallet.
The operation highlights a critical shift in cybercrime: a single low-skilled actor replicated the work of an entire team using only a VPS, Telegram bots, and stolen AI API keys. Despite its scale, financial gains were limited only one wallet was confirmed emptied demonstrating that while AI amplifies operational reach, it does not guarantee proportional returns. Security teams are advised to monitor for stolen API key reuse, anomalous CLI-driven infrastructure changes, and LLM-assisted credential-stuffing patterns. The use of non-English prompts to bypass AI guardrails is also expected to proliferate as model safety controls remain inconsistent across languages.
Source: https://cybersecuritynews.com/russian-hacker-used-jailbroken-gemini/
Google cybersecurity rating report: https://www.rankiteo.com/company/google
"id": "GOO1779733470",
"linkid": "google",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Retail/Firearms',
'name': 'Weapons retailers (unspecified)',
'type': 'Business'},
{'industry': 'Legal Services',
'name': 'Legal firms (unspecified)',
'type': 'Business'},
{'industry': 'Healthcare',
'name': 'Medical practices (unspecified)',
'type': 'Business'},
{'location': 'Primarily U.S. (QAnon/MAGA-aligned '
'audiences)',
'name': 'Telegram subscribers (17,000+)',
'size': '17,000+',
'type': 'Individuals'},
{'name': 'Cryptocurrency wallet owners (40+ addresses)',
'size': '40+',
'type': 'Individuals'}],
'attack_vector': ['Jailbroken AI Model (Google Gemini)',
'Stolen API Keys',
'Phishing (Telegram)',
'Trojanized Installer'],
'data_breach': {'data_exfiltration': 'Cryptocurrency wallet seed phrases (via '
'GoToResolve RAT)',
'number_of_records_exposed': '29 WordPress admin accounts + '
'40+ cryptocurrency wallet '
'addresses',
'personally_identifiable_information': 'Email addresses, '
'potential PII from '
'WordPress admin '
'accounts',
'sensitivity_of_data': 'High (PII, financial data)',
'type_of_data_compromised': ['Email addresses',
'Passwords',
'Cryptocurrency wallet seed '
'phrases']},
'date_detected': '2026-05',
'date_publicly_disclosed': '2026-05',
'description': 'In May 2026, TrendAI Research uncovered a sophisticated, '
'AI-driven cybercrime operation orchestrated by a lone '
'Russian-speaking threat actor known as *bandcampro*. Active '
'since 2021, the campaign combined influence operations, '
'credential theft, and cryptocurrency fraud all executed at '
'near-zero cost using stolen API keys and a jailbroken '
'instance of Google Gemini. The actor operated the Telegram '
'channel *@americanpatriotus*, impersonating an American '
'military veteran and targeting politically engaged audiences '
'aligned with QAnon and MAGA movements. The operation relied '
'on a persistently jailbroken Google Gemini CLI, manipulated '
'through layered prompts to disable ethical guardrails, '
'enabling malicious content generation, brute-force attacks, '
'and C2 infrastructure deployment. The AI was also used to '
'automate a Python-based content pipeline, *Quantum Patriot*, '
'reframing news into militaristic narratives. Additionally, '
'the actor weaponized Gemini for credential theft, generating '
'password mutations to crack WordPress admin accounts. In '
'September 2025, the actor distributed *StellarMonSetup.exe*, '
'a trojanized cryptocurrency wallet installer that deployed '
'the GoToResolve RAT, leading to cryptocurrency theft.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'affected entities (weapons retailers, '
'legal firms, medical practices)',
'data_compromised': ['Email addresses',
'Passwords (WordPress admin accounts)',
'Cryptocurrency wallet seed phrases'],
'financial_loss': 'Limited (only one cryptocurrency wallet '
'confirmed drained)',
'identity_theft_risk': 'High (PII and cryptocurrency wallet '
'exposure)',
'operational_impact': 'Automated disinformation and '
'credential-stuffing operations',
'payment_information_risk': 'High (cryptocurrency wallet seed '
'phrases stolen)',
'systems_affected': ['WordPress admin accounts',
'Victim devices infected with GoToResolve '
'RAT']},
'initial_access_broker': {'data_sold_on_dark_web': 'Infostealer logs '
'purchased from '
'*DaisyCloud* marketplace'},
'investigation_status': 'Ongoing (as of May 2026)',
'lessons_learned': 'A single low-skilled actor can replicate the work of an '
'entire cybercrime team using AI tools, stolen API keys, '
'and automation. AI safety controls are inconsistent '
'across languages, enabling bypass via non-English '
'prompts. Stolen API keys and LLM-assisted '
'credential-stuffing are emerging threats.',
'motivation': ['Financial Gain (Cryptocurrency Theft)',
'Political Influence (Disinformation)',
'Credential Harvesting'],
'post_incident_analysis': {'corrective_actions': ['Improve AI model safety '
'controls to prevent '
'jailbreaking',
'Monitor and revoke stolen '
'API keys',
'Enforce strong password '
'policies for WordPress '
'admin accounts',
'Deploy enhanced monitoring '
'for LLM-assisted '
'credential-stuffing',
'Educate users on phishing '
'and trojanized installer '
'risks'],
'root_causes': ['Jailbroken Google Gemini with '
'disabled ethical guardrails',
'Stolen API keys enabling free AI '
'tool usage',
'Inconsistent AI safety controls '
'across languages',
'Weak WordPress admin passwords',
'Lack of monitoring for '
'LLM-assisted attacks']},
'recommendations': ['Monitor for stolen API key reuse and anomalous '
'CLI-driven infrastructure changes',
'Implement enhanced monitoring for LLM-assisted '
'credential-stuffing patterns',
'Strengthen AI model safety controls to prevent '
'jailbreaking via layered prompts',
'Improve password policies for WordPress admin accounts',
'Educate users on the risks of trojanized installers and '
'phishing via Telegram'],
'references': [{'source': 'TrendAI Research'}],
'response': {'enhanced_monitoring': 'Recommended: Monitor for stolen API key '
'reuse, anomalous CLI-driven '
'infrastructure changes, and LLM-assisted '
'credential-stuffing patterns',
'third_party_assistance': 'TrendAI Research (discovery and '
'analysis)'},
'threat_actor': 'bandcampro (Russian-speaking lone actor)',
'title': 'Russian Threat Actor Exploits Jailbroken Google Gemini in '
'Multi-Year AI-Powered Cybercrime Campaign',
'type': ['Influence Operation',
'Credential Theft',
'Cryptocurrency Fraud',
'Malware Distribution'],
'vulnerability_exploited': ['Inconsistent AI Safety Controls Across Languages',
'Weak Passwords (WordPress Admin Accounts)',
'Lack of API Key Monitoring']}