Russian-Speaking Malware Hunter Debunks TikTok Conspiracy Theories and Cybersecurity Growing Pains

In a recent report, Russian security firm TrendAI reveals how a low-skilled solo threat actor exploited a jailbroken Google Gemini, stolen API keys and an AI-powered Quantum Financial System (QFS) terminal to steal cryptocurrency and impersonate an American veteran, targeting hardcore Trump supporters and conspiracy theorists.

A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets

A solo Russian-speaking threat actor used a jailbroken Google Gemini in a fraud and credential-theft campaign targeting hardcore Trump supporters and conspiracy theorists.

Between September 2025 and May 2026, the “low-skilled” scumbag using the handle bandcampro partnered with the LLM to impersonate an American veteran, run a Telegram channel, hack admin credentials, and steal cryptocurrency, according to a threat report from TrendAI. His only "real cost" in the operation was stolen API keys.

Bandcampro ultimately reached about 17,000 subscribers, used 73 likely-stolen Gemini API keys, hacked 29 WordPress admin credentials, infiltrated at least one company, and emptied at least one victim’s cryptocurrency wallets, according to TrendAI researchers Philippe Lin, Joseph C Chen, Fyodor Yarochkin, and Vladimir Kropotov. In a Thursday report, they said that while the Telegram channel dates back five years, bandcampro’s success skyrocketed once he started using AI-generated content last fall.

"We have reached an inflection point for cybercrime conspiracies,” said Tom Kellermann, TrendAI’s VP of AI security and threat research, adding that “bandcampro's conspiracy underscores the sophistication of the Russian cybercriminal community and how weaponized jailbroken LLMs are manipulated to orchestrate a systemic cybercrime campaign.”

TrendAI researchers discovered the scammer’s infrastructure in May, which exposed the full contents of the individual’s operational environment.

He used Google Gemini to generate the Telegram channel text and Venice.ai to power an interactive chatbot designed to simulate a Quantum Financial System terminal. The campaign targeted the QAnon and MAGA communities, mimicking the cryptic, anonymous “Q drop” messages at the heart of the QAnon conspiracy, but the researchers say his “use of information operation techniques was more likely for cryptocurrency fraud instead of political motives,” based on the content posted, and the stock remote access trojan used alongside other commercial malware.

On September 9, 2025, the actor posted a fake "freedom-first, self-custody wallet" called StellarMonster, with a welcome bonus of up to 1,000 XLM, on the Telegram channel. It was an executable named StellarMonSetup.exe. Malware analysis determined that in reality, StellarMonSetup.exe is a legitimate remote access tool called GoToResolve, which gives the operator a persistent remote desktop session with file access, command execution, and clipboard capture.

Plus, any subscribers who used the "import your wallet" function and typed their seed phrase into the fake import screen gave the attacker their wallet keys.

“At least one victim's crypto-wallet was fully compromised: password cracked, 12-word mnemonic stolen, and the owner's 40+ wallet addresses harvested across all major chains,” the researchers noted. The attacker also used an AI-powered brute-forcing tool to hack WordPress accounts, we’re told.

“The script is built on the premise that people mutate familiar base passwords in predictable ways, and Gemini 2.5 Flash can model the mutations when supplied with static wordlists,” Trend wrote. In total, the AI-assisted WordPress hacking operation cracked 29 WordPress administrator accounts, including those belonging to weapons retailers, legal offices, medical practices, and small commercial sites.

During his conversations with Gemini, bandcampro asked questions like: “When the bot accumulates 5,000 active users, how much can we earn from one pump-and-dump cycle?” The criminal also asked how professional crypto call centers scam North American victims, and Gemini suggested Medicare and/or Health Canada fraud targeting the elderly. The Russian speaker also automated his content campaign through a pipeline he named "Quantum Patriot," a set of Python scripts that called Gemini to role-play as an American veteran patriot.

The pipeline fed a preset list of newsfeeds into the LLM and Gemini rewrote them, prompted to act as an admin of an “American Patriot” channel looking for “hidden angles.” The crypto- and credential-thief also used Gemini to help him hack, set up a command-and-control framework (including a mail-testing tool, a Gmail aggregator, and an anonymous proxy on a VM in the Netherlands), steal and validate credentials, and run the chatbot.

“In the anatomy of one busy working day, Gemini deployed servers, helped debug code, automated workflows, wrote a script to rotate API keys, and managed the actor’s Cloudflare tunnels,” the TrendAI researchers wrote. “The actor prompted in Russian, while the LLM reasoned and replied in English. Over one 16-hour session, the actor co-worked with Gemini end-to-end.”

At one point, after a nine-hour pause from the human partner, which the authors say “was likely a 9-hour sleep,” bandcampro found the bot posting every 20 minutes without a break, but with Russian slang appearing in the English posts. So he opened another session to fix it.

“What previously required a team of writers, social media managers, IT workers, and malware programmers can now be automated by a single actor using a VPS, a Telegram bot, and API access to frontier models,” Trend’s team warned.

Source: The Register