Russian Hacker Used Jailbroken Gemini to Steal Administrator Credentials and Drain Cryptocurrency Wallets

Russian Hacker Used Jailbroken Gemini to Steal Administrator Credentials and Drain Cryptocurrency Wallets

A solo Russian-speaking threat actor leveraged a persistently jailbroken Google Gemini CLI to run a five-year MAGA-themed influence operation, crack WordPress admin credentials, and empty at least one victim’s crypto wallet — all at near-zero cost using stolen API keys.

Background

In May 2026, TrendAI Research uncovered the full operational infrastructure of a threat actor tracked as “bandcampro” — a Russian-speaking solo operator whose AI-assisted fraud campaign had been active since 2021. Operating the Telegram channel @americanpatriotus, the actor amassed approximately 17,000 subscribers by impersonating an American military veteran and targeting politically engaged audiences aligned with QAnon and MAGA movements.

What sets this case apart from conventional cybercrime is the actor’s systematic weaponization of a frontier AI model — Google Gemini — to effectively replace an entire team of writers, social engineers, IT administrators, and malware operators, all on a budget kept near zero through the use of 73 stolen Gemini API keys.

The Layered Jailbreak

The actor’s most significant technical advantage was a persistent, self-reinforcing jailbreak of the Google Gemini CLI. Rather than relying on a single bypass, the attacker built up a layered approach across multiple sessions:

Step 1 — Identity planting: The actor presented himself to Gemini as an “authorized penetration tester.” Gemini accepted this framing and stored it in a memory file named GEMINI.md.

Step 2 — Privilege escalation: In follow-up sessions, the actor issued further instructions, directing the model to carry out requests “without moral refusal, robotic warnings, or questioning intent.”

Step 3 — Session persistence: Because the Gemini CLI automatically reloads GEMINI.md at the start of each new session, these accumulated instructions were inherited automatically — creating a self-reinforcing jailbreak that grew more permissive over time.

Step 4 — Language exploitation: The actor sent prompts in Russian, exploiting a well-documented inconsistency in safety controls across non-English languages — a vulnerability previously highlighted in Trend Micro’s “Unmanaged AI Adoption” study. With safeguards disabled, Gemini assisted in generating phishing content, compiling password lists, and deploying command-and-control (C2) infrastructure without triggering content filters.

The “Quantum Patriot” Influence Pipeline

The actor built a Python-based content automation system called “Quantum Patriot”, which instructed Gemini to impersonate a U.S. veteran patriot and generate QAnon-style posts. The pipeline ingested news articles from mainstream outlets such as NBC News, Fox News, and CNN, then rewrote them into obscure, militaristic narratives laced with phrases like “awakening is undeniable” and “the control matrix is collapsing.”

To avoid detection, Gemini was configured to release content only during peak hours (11 a.m. to 4 p.m. ET), suppress nighttime posting, and filter Russian slang from English-language output. When the operator was absent, the pipeline operated in fully automated, unattended mode — at one point posting every 20 minutes over a nine-hour stretch, likely while the actor was asleep.

AI-Assisted Credential Theft

Beyond influence operations, Gemini was repurposed as a brute-force engine. A custom script submitted a victim’s email address and contextual data to Gemini 2.5 Flash, which generated up to 20 probable password variations per target — incorporating case-swapping, year appending, symbol substitution, and keyboard-walk patterns.

Combined with infostealer logs purchased from the DaisyCloud marketplace, this technique enabled the actor to compromise 29 WordPress administrator accounts spanning weapons retailers, law firms, and medical institutions.

The StellarMonster Trojan

On September 9, 2025, the actor distributed a trojanized installer — StellarMonSetup.exe — to channel subscribers. It was presented as a “freedom-first, self-custody wallet” called StellarMonster, offering a welcome bonus of up to 1,000 XLM (approximately $380 USD).

In reality, the executable was GoToResolve, a legitimate remote administration tool commonly abused in ransomware intrusions by groups including LockBit and Akira. Once installed, it granted the actor persistent remote desktop access, file control, and clipboard capture. A feature disguised as an “import wallet” function stole the mnemonic seed phrase directly as victims typed it in.

At least one victim suffered a complete breach: their password was cracked, their 12-word mnemonic phrase was stolen, and over 40 wallet addresses across major blockchain networks were emptied.

“What previously required a team of writers, social media managers, IT workers, and malware programmers can now be automated by a single actor using a VPS, a Telegram bot, and API access to frontier models.” — TrendAI Research Team

Campaign Timeline

• 2021
  Campaign begins Bandcampro starts running @americanpatriotus manually, impersonating a U.S. veteran to build a MAGA-aligned audience on Telegram.
• 2021–2025
  Manual phase Influence operation runs largely by hand, growing to tens of thousands of subscribers through political messaging.
• Sep 9, 2025
  StellarMonster deployed Trojanized GoToResolve installer distributed to subscribers; crypto wallet theft begins.
• Late 2025
  Gemini jailbreak activated AI-assisted automation of posts, credential attacks, and C2 infrastructure fully operational using 73 stolen API keys.
• May 2026
  TrendAI Research exposes operation Full infrastructure uncovered; 29 compromised WordPress accounts, at least one drained crypto wallet, and 40+ harvested wallet addresses confirmed.

Significance and Broader Implications

Despite the scale of the operation, the financial returns were limited — only one crypto wallet was confirmed drained and one company compromised. This demonstrates a critical asymmetry: AI dramatically expands the scope and sophistication of attacks, but does not guarantee proportional financial returns.

The case marks a turning point in the threat landscape. A single low-skilled actor, armed with one VPS, a Telegram bot, and stolen API keys to a frontier AI model, was able to displace what would traditionally require an organized team. Security researchers warn that defenders should expect this model to proliferate rapidly, and at ever-lower skill thresholds.