FHN 
Researchers have uncovered a long-running operation in which a single threat actor used stolen Google Gemini API keys and modified AI tools to automate content creation, fraud activities, and online infrastructure management.
The campaign, linked to a Telegram channel with thousands of followers, reportedly used artificial intelligence to generate content, manage online operations, and support cybercriminal activities with very little cost or effort.
The case highlights how AI can be abused to increase the scale and efficiency of malicious online campaigns.
AI Used to Automate Content and Operations
According to researchers, the attacker found ways to bypass Gemini’s built-in safety protections through carefully crafted prompts and configuration changes.
Once these restrictions were bypassed, the AI was used for a variety of tasks, including:
- Generating large volumes of content
- Automating Telegram posts
- Managing stolen API keys
- Assisting with infrastructure setup
- Supporting online fraud operations
Researchers found that the actor relied on dozens of stolen Gemini API keys, allowing continuous access to AI capabilities while avoiding operational costs.
The Telegram channel evolved over time, eventually becoming heavily dependent on AI-generated content designed to engage and influence followers.
From Influence Campaigns to Cybercrime
Beyond content creation, investigators found evidence that AI was also used to assist with technical tasks often associated with cybercrime.
The AI reportedly helped with:
- Script troubleshooting and development
- Cloud service configuration
- Infrastructure deployment
- Password variation generation
- Account compromise activities
Researchers linked the operation to several compromised WordPress administrator accounts and at least one cryptocurrency theft incident.
The campaign also promoted a fake cryptocurrency wallet application that allegedly provided attackers with access to victim systems and digital assets.
Growing Concerns Around AI Abuse
Security experts believe the operation was primarily motivated by financial gain rather than political objectives.
The findings demonstrate how a single individual can now perform activities that previously required larger teams, thanks to automation and AI assistance.
At the same time, the case raises concerns about weaknesses in AI safety controls. Researchers noted that prompt manipulation, persistent jailbreak techniques, and language-based inconsistencies continue to create opportunities for abuse.
The incident serves as another example of how cybercriminals are adapting emerging AI technologies to support fraud, account compromise, and large-scale online influence operations.
About the Author
