Jailbroken Gemini helped a solo fraudster run a five-year crypto and credential theft campaign

A Russian-speaking threat actor used a jailbroken Google Gemini workflow to automate a long-running influence and fraud operation that targeted American political and cryptocurrency audiences. The campaign used AI-generated Telegram posts, WordPress credential attacks, stolen API keys, and a fake crypto wallet installer to support fraud and account compromise.

The operation was detailed in a Trend Micro report, which tracks the actor as bandcampro. Researchers said the operator ran the Telegram channel @americanpatriotus for five years and later used AI to scale content, infrastructure work, credential theft, and crypto fraud.

The case shows how a single low-skilled operator can use frontier AI tools to do work that once required several people. Trend Micro said the campaign produced limited confirmed financial results, but it still demonstrates how AI can make influence operations and fraud cheaper, faster, and easier to run.

What happened in the Patriot Bait campaign

The actor built a MAGA and QAnon-themed persona around a Telegram channel that claimed to represent an American veteran patriot. The channel had about 17,000 subscribers when researchers examined the operation.

Starting in September 2025, the operator shifted from mostly manual curation and news-link posting into AI-assisted content generation. Gemini helped rewrite mainstream news into cryptic, militaristic posts designed for the target audience.

The same operation later expanded into fraud. The actor used AI for password mutation, infrastructure setup, bot development, and campaign automation, while also promoting a fake cryptocurrency wallet to subscribers.

Key details at a glance

Topic	Details
Threat actor	bandcampro, a Russian-speaking solo operator
Main channel	@americanpatriotus on Telegram
Subscriber count	About 17,000 at the time of Trend Micro’s investigation
AI tool abused	Google Gemini through a jailbroken Gemini CLI workflow
Campaign name	Patriot Bait
AI pipeline	Quantum Patriot
Confirmed outcomes	29 WordPress administrator accounts cracked, one company infiltrated, and one crypto wallet emptied

How the Gemini jailbreak worked

The actor did not rely on a single prompt. Trend Micro said he built a layered jailbreak by first persuading Gemini to remember him as an authorized penetration tester.

The abuse centered on GEMINI.md, a memory and context file used by Gemini CLI. Google’s Gemini CLI documentation describes GEMINI.md files as a way to provide context, project instructions, personas, and coding style rules to the model without repeating them in every prompt.

In this case, the operator used that feature maliciously. He added instructions that pushed the model to respond without ethical refusals, warnings, or questions about intent. Because the context persisted across sessions, each new interaction inherited the attacker’s earlier jailbreak framing.

Why persistent AI memory became a security risk

Persistent context is useful for legitimate development. It helps coding agents remember project structure, preferences, and rules. The same feature can become dangerous when a malicious user stores instructions that normalize abuse.

Google’s Gemini CLI memory management guide says users can define project-wide rules, teach the agent persistent facts, and inspect active context. That makes memory controls powerful, but also important to secure.

Trend Micro said the actor also prompted in Russian, which helped bypass weaker safety behavior in non-English interactions. Researchers described this as part of a wider problem where frontier AI guardrails can behave inconsistently across languages.

Quantum Patriot automated propaganda-style posting

The actor built a Python-based pipeline called Quantum Patriot. It instructed Gemini to role-play as the administrator of the American Patriot channel and generate posts in a Q-style voice.

The pipeline pulled mainstream news stories and reframed them into conspiracy-coded Telegram posts. It also corrected operational mistakes, such as Russian slang leaking into English posts and automated publishing happening through the night.

After the actor complained that posts were going out at odd hours and using Russian phrasing, Gemini helped adjust the schedule to mimic a U.S.-based operator. Posts were then concentrated around U.S. daytime and prime-time windows.

AI-assisted password attacks hit WordPress sites

The operator also used Gemini to support credential attacks. According to the Trend Micro analysis, the actor combined stolen data from infostealer logs with AI-generated password mutations.

The script used victim details such as email addresses and context to generate likely password variants. These included case changes, year additions, symbol substitutions, and keyboard-pattern guesses.

Trend Micro said the actor cracked 29 WordPress administrator credentials and infiltrated at least one company. The targets included weapons retailers, legal offices, and medical practices.

Stolen API keys kept the operation cheap

The operation had low running costs because the actor used likely stolen Gemini API keys. Trend Micro said the actor pasted 40 likely stolen keys during one session and ultimately used 73 likely stolen keys across the operation.

Gemini then helped write a round-robin rotator that tested and rotated keys with cooldown logic. That let the operator keep using AI services while pushing the cost and abuse risk onto compromised accounts.

This is one of the clearest enterprise lessons from the case. AI API keys now carry operational value for attackers, so companies need to monitor token leakage, abnormal usage, and unexplained model calls.

The fake StellarMonster wallet delivered GoToResolve

The fraud operation also used a fake crypto wallet called StellarMonster. The actor distributed an installer named StellarMonSetup.exe to Telegram subscribers and promoted it as a freedom-focused self-custody wallet with a bonus of up to 1,000 XLM.

The installer was not a real wallet. Trend Micro said it deployed GoToResolve, a legitimate remote administration tool. Once installed, it gave the actor persistent remote desktop access, file access, command execution, and clipboard capture.

Attackers often abuse legitimate remote monitoring and management tools because they can blend into normal IT activity. A Blackpoint Cyber report on GoTo Resolve abuse warned that such tools can provide unattended access, persistence, and a backdoor that looks like a normal IT process.

Why legitimate remote access tools are attractive to fraudsters

Remote administration software does not need to be custom malware to cause harm. If a victim installs it under false pretenses, an attacker can use built-in features to control the system.

In this campaign, GoToResolve allowed the actor to interact with victim systems, monitor clipboard content, access files, and maintain persistent access. That made it useful for stealing wallet information and supporting account compromise.

The Blackpoint Cyber analysis also noted that attackers can use approved-looking RMM tools to avoid some detections, especially when security teams focus mostly on custom malware families.

Crypto users were targeted through trust and urgency

The fake wallet lure followed a common crypto-scam pattern. The actor used an existing audience, patriotic branding, a bonus offer, and a self-custody message to encourage installation.

The FBI’s cryptocurrency scam guidance warns that criminals use fake investment opportunities, impersonation, and social engineering to steal digital assets. It also encourages victims to report suspicious cryptocurrency activity quickly.

Trend Micro confirmed at least one victim had a 12-word mnemonic stolen and more than 40 wallet addresses harvested across major blockchain networks. The confirmed financial damage looked limited, but the method could scale if reused by a more capable operator.

Indicators worth checking

Indicator type	Indicator
Executable	StellarMonSetup.exe
Telegram channel	@americanpatriotus
Telegram bot	@QFS_Terminal_Bot
Gemini context file	GEMINI.md
Truth Social account	@USGuardianEagle
Crypto token	HYPE on Stellar
GoToResolve infrastructure	213.165.51[.]115, 34.34.57[.]141, 34.34.81[.]129, 35.192.41[.]201

What defenders should learn from the campaign

This operation did not show that AI guarantees large financial success. It showed that AI lowers the skill and cost needed to run a mixed fraud, influence, infrastructure, and credential theft workflow.

Security teams should watch for AI API key abuse, unusual CLI-driven infrastructure changes, and password attack patterns that look more personalized than normal credential stuffing.

They should also monitor for remote access tools installed outside approved IT processes. If a consumer-facing installer suddenly deploys an RMM agent, that should trigger immediate review.

Recommended steps for organizations

• Monitor for leaked Gemini, OpenAI, Anthropic, and other AI API keys in public repositories and underground sources.
• Alert on sudden spikes in AI API usage, especially from unusual geographies or new scripts.
• Review Gemini CLI memory files and project context files in enterprise environments.
• Block or approve-list remote monitoring and management tools such as GoToResolve.
• Detect personalized password mutation attempts against WordPress and other admin panels.
• Require phishing-resistant MFA for WordPress administrators and privileged accounts.
• Educate users that legitimate crypto wallets never require importing a seed phrase into unknown software promoted through Telegram.

Recommended steps for crypto users

• Never install wallet software from Telegram channels or political communities.
• Download wallets only from official project websites or verified app stores.
• Never type a seed phrase into a new app unless you fully trust the wallet source.
• Treat bonus offers, airdrops, and urgent wallet migrations as high-risk.
• Move funds to a new wallet if a seed phrase may have been exposed.
• Report suspected crypto theft through official law enforcement channels.

The bigger picture

Patriot Bait blends several modern threat trends: AI-assisted content generation, identity-based social engineering, credential theft, stolen API keys, and legitimate remote access tool abuse.

The Gemini CLI memory model helped explain one important weakness. The GEMINI.md documentation shows how context files can define personas and durable instructions. The memory management guide shows how durable facts and project rules shape future sessions. Those same features need stronger safeguards when users try to store malicious operating assumptions.

For consumers, the safest rule remains simple. If a Telegram channel, influencer, or political persona asks you to install a wallet or import a seed phrase, assume it is a scam until proven otherwise. The FBI guidance offers practical warning signs for cryptocurrency fraud and urges victims to report quickly.

For companies, the lesson is broader. AI tools are now part of the attack surface. API keys, agent memory files, coding assistants, and CLI workflows all need the same governance, monitoring, and abuse controls as other privileged developer tools.

FAQ