A hacker tricked 17,000 people using AI: the target was the 'MAGA people'
A single malicious actor, supported by generative artificial intelligence models, managed to build a semi-automated machine capable of producing propaganda, managing offensive infrastructures, and orchestrating cryptocurrency-related scams. This is revealed by the latest research published by Trend Micro through its TrendAI division, which describes a campaign lasting years and primarily aimed at US users close to the MAGA and QAnon universe.
The operation, identified as "American Patriot," revolved around the Telegram channel @americanpatriotus, which reached about 17,000 subscribers, and a parallel account on Truth Social. According to researchers, the perpetrator is a Russian cybercriminal who exploited advanced language models to impersonate a supposed patriotic American veteran, while avoiding language constructions that could be traced back to Russian.
The most interesting aspect of the case concerns the central role of artificial intelligence. The threat actor is said to have used "jailbroken" versions of Google Gemini to bypass the model's built-in protections and gain support for offensive activities: from the automatic generation of propaganda content to assistance in credential theft, managing remote servers, and creating tools dedicated to crypto scams.
According to the reconstruction, the attacker managed to manipulate Gemini, making it store permanent instructions in a configuration file, inducing the model to execute requests without applying the usual ethical or security constraints. This mechanism progressively "normalized" the jailbreaks in subsequent sessions.
The Telegram channel presented itself as an authentic voice of American conservatism, exploiting symbols, language, and cultural references typical of the MAGA and QAnon galaxy. The content was constructed to mimic the cryptic and militarized tone of the so-called "Q drops," with constant references to concepts such as "Great Awakening," "White Hats," and "NESARA/GESARA."
The campaign went through several phases. Initially, the channel was limited to relaying content related to fraudulent schemes based on Stellar network tokens, while from 2023 it began sharing links from mainstream media reinterpreted through conspiracy narratives. By 2025, the operation adopted AI tools on a massive scale to produce texts and images automatically.
Researchers describe a pipeline called "Quantum Patriot," consisting of Python scripts that queried Gemini, asking it to impersonate an anti-establishment American patriot. The AI took real news from sources like NBC News or CNN and reworked them into conspiracy-laden narratives, emphasizing theories about financial elites, global control, and the collapse of the traditional system.
The publication of posts was also regulated by a scheduling system designed to simulate human operator behavior, avoiding nighttime activities and concentrating messages during peak engagement hours in the United States.
Alongside the propaganda, the malicious actor exploited the online community built for fraudulent activities. This included the promotion of a fake crypto wallet distributed as a Windows executable. Behind the application lurked a commercial RAT, used to gain persistent remote access to victims' systems. The malware allowed remote access, clipboard capture, command execution, and theft of crypto seed phrases. According to the report, at least one victim experienced the complete draining of their wallet.
The attacker also used AI tools to automate brute-force attacks against WordPress installations. Instead of relying solely on static dictionaries, Gemini was employed as a "mutation engine" capable of generating plausible password variants based on information collected online or obtained from infostealer logs purchased on the dark web.
The research claims that at least 29 administrative accounts belonging to small businesses, law firms, weapon retailers, and commercial enterprises were compromised. According to TrendAI, the "American Patriot" case does not represent a state-sponsored operation but rather a criminal initiative driven by economic motives. Analysts did not identify particular pro-Russian narratives in the published content; instead, the entire structure was designed primarily to monetize community trust through pump-and-dump schemes and crypto scams.
The most significant element that emerged from the investigation concerns the drastic reduction in the technical barrier necessary to conduct large-scale cybercriminal operations. Activities that previously required coordinated teams can now be carried out by a single individual with access to advanced AI models, stolen APIs, and low-cost cloud infrastructures.