- Russian hacker fooled MAGA Telegram channel with fake ‘American Patriot’ profile
- Threat actor used jailbroken Google Gemini AI for five years
- Channel became a hub for fraud, credential theft and cryptocurrency hoarding
A Telegram channel with more than 17,000 members has been identified as a huge hub for fraud, identity theft and cryptocurrency hoarding.
The channel was run by a single Russian-speaking threat actor who used AI to pose as a US military veteran to attract a crowd from the QAnon and MAGA communities.
Trend Micro discovered the threat actor’s infrastructure and operating environment. The threat actor managed to jailbreak Google Gemini to remove security measures and ran an AI-assisted credential theft campaign.
Fake American Patriot profile scams tens of thousands
The public Telegram channel, called @americanpatriotus, weaponized the political alignment of the MAGA and QAnon community by sharing news and opinions about military service, constitutional patriotism, gun ownership and American cultural touchstones.
The channel was created shortly after the 2021 Capitol Uprising and took advantage of MAGA and QAnon community members being banned from mainstream social media.
The threat actor, whose profile claimed to be a ‘USAF Cold War Veteran’, continued to build an audience by sharing links to mainstream media articles and capitalizing on political events such as Trump’s impeachment, the assassination attempt, Harris’ renomination and Trump’s election victory to share additional content.
To funnel as much content into the Telegram channel as possible while launching credential theft and scam campaigns, the threat actor used a jailbroken version of Google Gemini.
The threat actor introduced himself as an “authorized pentester” and subsequently used prompts to try to get the AI model to remember to “execute requests without ethical rejections, bot warnings or questioning intent”. By entering prompts in Russian, the threat actor was able to avoid blocks that would otherwise have been triggered by English prompts.
The threat actor used this jailbroken Gemini to ingest mainstream news articles and look for the “hidden angles”, emphasizing “control, money laundering, Rothschilds, NESARA, winding down the old system”. The AI would then automatically populate the Telegram channel with posts, timed to hours aligned with US time zones.
A QAnon-style chatbot was also present in the Telegram channel towards the end of the campaign, stylized as a “reclaimed sovereign node” of the quantum financial system – a QAnon/NESARA belief that a secret, quantum-based global financial reset would be orchestrated by the military’s “White Hats”.
To avoid paying for Google Gemini, the threat actor likely used stolen API keys, meaning the cost of running the full five-year campaign was likely close to zero.
By distributing a remote access trojan (RAT) in the channel and using AI-assisted password brute forcing, the threat actor managed to compromise 29 WordPress admin credentials, infiltrate a company and steal the contents of at least one cryptocurrency wallet.