The “Patriot Bait” Campaign: How a Lone Actor Weaponized Jailbroken AI for Influence and Fraud
A sophisticated, long-running campaign has revealed the growing potential for solo threat actors to orchestrate complex operations by leveraging stolen Large Language Model (LLM) resources. Tracked under the moniker “bandcampro,” a Russian-speaking operator successfully utilized stolen Google Gemini API keys and advanced jailbreaking techniques to automate a dual-purpose pipeline of political influence and cybercrime.
For nearly five years, the actor managed the MAGA-themed Telegram channel @americanpatriotus, building a community of approximately 17,000 subscribers. What began as manual curation eventually evolved into a fully automated, AI-driven engine of disinformation and exploitation.
The technical core of this campaign relied on bypassing Gemini’s safety guardrails through a combination of sophisticated prompt engineering and persistent state manipulation. By adopting the persona of an “authorized pentester,” the attacker tricked the model into writing permissive, unrestricted instructions into a local memory file titled GEMINI.md. Because the Gemini Command Line Interface (CLI) reloaded this file at the start of every new session, the jailbreak became self-sustaining, effectively embedding a permanent “instruction set” that bypassed ethical filters.
The actor further optimized evasion by utilizing non-English prompting, exploiting known inconsistencies in how LLMs enforce safety protocols across different languages—a phenomenon frequently discussed in AI safety research.

By utilizing 73 stolen Gemini API keys, the operator maintained high-velocity operations with near-zero overhead. According to TrendAI Research, the operation reached a critical inflection point in September 2025, shifting from human-led content creation to a model where the jailbroken Gemini acted as a virtual “operational co-worker.”

Evolution of the Influence Operation
The Telegram channel’s lifecycle followed a strategic three-phase progression:
- 2021–2022: Focused on cryptocurrency fraud, specifically promoting scams linked to Stellar-based tokens.
- 2023–Late 2025: Transitioned to “hybrid” influence, pairing mainstream news links with QAnon-coded narratives to build credibility.
- Post-September 2025: Full AI automation. The model generated stylized “Q drop” style content, optimized to trigger high engagement within politically polarized echo chambers.
To deepen user engagement, the actor deployed a chatbot titled “QFS 2.0 Terminal,” powered by Venice.ai. This bot utilized gamification and a simulated “Quantum Financial System” interface to build a sense of community and trust, making the fraudulent ecosystem feel more immersive.

Technical Exploitation and Infrastructure Management
Beyond disinformation, the actor utilized the unrestricted LLM as a force multiplier for traditional cyberattacks. The AI was tasked with:
- Deploying and debugging Command-and-Control (C2) infrastructure.
- Configuring cloud services and automating script execution.
- Credential Cracking: By feeding infostealer logs and contextual data into the model, the actor used the AI to generate intelligent password mutations. This allowed them to successfully breach 29 WordPress administrator accounts across the healthcare, legal, and retail sectors.
The campaign also included the distribution of “StellarMonster,” a trojanized application masquerading as a legitimate cryptocurrency wallet. In reality, the software was a repurposed Remote Administration Tool (RAT) designed to provide persistent access to victim machines and harvest sensitive seed phrases.
Despite the heavy use of political imagery, researchers conclude the campaign was almost entirely financially motivated. There was no discernible pro-Russian sentiment; rather, the ideological branding served as a “social engineering layer” to target a specific, exploitable demographic. The actor’s internal communications even used derogatory slang to describe the victims, viewing them purely as revenue sources.
Key Takeaways for Cybersecurity Professionals
The “Patriot Bait” campaign serves as a potent case study for the democratization of cybercrime. It demonstrates that frontier AI tools are significantly lowering the barrier to entry for complex, multi-vector operations. A single actor can now manage influence, infrastructure, and credential theft—tasks that previously required a coordinated team.
Furthermore, it highlights a critical vulnerability in current AI deployments: the delta between theoretical safety guardrails and real-world implementation. The ability to maintain a persistent jailbreak via memory files and exploit cross-language inconsistencies underscores the urgent need for more robust, context-aware AI security frameworks.