The bandcampro operation, briefly
TrendAI's threat research team — Philippe Lin, Joseph C Chen, Fyodor Yarochkin, and Vladimir Kropotov — spent months unwinding a single threat actor's infrastructure. The persona behind the campaign was a Russian-speaking operator using the handle bandcampro. The cover identity was a politically charged American veteran running a Telegram channel called @americanpatriotus with around 17,000 subscribers, posting QAnon-adjacent and MAGA-coded content to attract a specific psychographic of crypto users.
The actual target was their wallets. The operator built a custom toolchain branded "Quantum Patriot" that automated content generation, social media engagement, malware delivery, WordPress admin compromise, and credential extraction. The toolchain was powered by a jailbroken Google Gemini accessed through 73 stolen API keys, which gave the operator both free compute and an AI that no longer refused harmful instructions.
The end result, per TrendAI's published evidence: 29 WordPress admin accounts compromised across legitimate small business sites (weapons retailers, legal offices, medical practices), and at least one victim's crypto wallet fully drained — password cracked, 12-word seed phrase extracted, and 40+ wallet addresses across all major chains harvested for follow-on theft.
How AI was used at every step
The traditional crypto phishing operator handles social engineering by hand. They write Telegram posts, design landing pages, craft DMs, debug their malware in their spare time. Each step is a bottleneck. The bandcampro operation removed every bottleneck by routing it through Gemini.
Step 1: Social engineering content at scale
Gemini generated Telegram posts mimicking American veteran cadence, QAnon-style coded language, and MAGA-aligned grievance framing. The posts were tuned to match the psychographic profile of the target audience (US conservative crypto holders) and produced fast enough that the channel maintained the volume and consistency of a real human-run operation. The operator did not write the posts. The AI did.
Step 2: WordPress admin brute-forcing
The "Quantum Patriot" pipeline included an AI-assisted password mutation engine. Given a target WordPress site and any publicly inferable information about its operator (LinkedIn bio, social posts, business name), Gemini generated candidate passwords by mutating personal details into likely combinations. The pipeline tried each candidate against the WordPress login endpoint until one matched. 29 sites fell to this technique across the operation's lifetime.
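The defensive counterpart to this step, added here as an illustration and not part of TrendAI's findings or SafeBrowz's code: a detector that reads web-server access-log lines and flags the password-spraying pattern a site owner would see on their own wp-login.php. It relies on one fact about WordPress, that a failed login re-renders the form with HTTP 200 while a successful one answers with a 302 redirect into wp-admin, so the status code alone separates failures from successes. The log lines, IP addresses, threshold and window are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format, e.g.
# 203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields the detector needs, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }


def detect_wp_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed wp-login.php POSTs inside a sliding window.

    A failed WordPress login returns 200 (form re-rendered with an error); a success
    returns a 302 redirect. A redirect arriving while the failure burst is still inside
    the window is the signature of a password that was eventually guessed.
    Returns {ip: {"failures": n, "success_after_burst": bool, ...}}.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    alerts = {}
    for e in events:
        if e["method"] != "POST" or not e["path"].endswith("/wp-login.php"):
            continue
        q = recent_failures[e["ip"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()                     # expire failures older than the window
        if e["status"] == 200:
            q.append(e["ts"])
            if len(q) >= threshold:
                alert = alerts.setdefault(e["ip"], {"failures": 0, "success_after_burst": False,
                                                    "first_seen": q[0]})
                alert["failures"] = max(alert["failures"], len(q))
        elif e["status"] in (301, 302) and len(q) >= threshold:
            alert = alerts.setdefault(e["ip"], {"failures": len(q), "success_after_burst": False,
                                                "first_seen": q[0]})
            alert["success_after_burst"] = True
            alert["success_at"] = e["ts"]
    return alerts


# Constructed sample log (not real traffic): 12 failed POSTs from one address within 22
# seconds, then a 302, plus one ordinary login from a different address.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2026:10:01:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"'
    for sec in range(0, 24, 2)
] + [
    '203.0.113.7 - - [12/Mar/2026:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2026:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3511 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2026:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, summary in detect_wp_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

The threshold and window are deliberately conservative defaults; a site whose admins never mistype their password ten times in five minutes can lower them. The same status-code logic does not apply to xmlrpc.php, which also accepts credentials and is worth watching separately.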
Step 3: Malware deployment
The operator distributed a tool called StellarMonster, marketed in the Telegram channel as a non-custodial crypto wallet. The actual binary was a repackaged GoToResolve remote access trojan. Gemini generated the marketing copy that made StellarMonster sound legitimate, the install instructions that guided victims through running the malware, and the troubleshooting responses when victims encountered errors during installation.
Step 4: Command-and-control via AI chatbot
Once StellarMonster was installed on a victim machine, the operator needed a way to harvest credentials and run commands. Instead of building a traditional C2 server, the operator wired Gemini directly into the attack as a chatbot that the victim interacted with — branded as a "Quantum Financial System terminal." Victims who thought they were interacting with a futuristic crypto trading dashboard were actually chatting with a jailbroken Gemini instance that extracted seed phrases, wallet addresses, and 2FA codes through carefully crafted "verification" prompts.
Step 5: Code debugging and infrastructure
Gemini handled code review, debugging, server deployment, and credential theft automation. Per TrendAI, the operator used Gemini to fix bugs in their malware, write deployment scripts, and even draft replies in the Telegram channel when subscribers asked technical questions about StellarMonster. The operator's actual technical skill level was lower than the campaign's output suggested. AI was the multiplier.
What "jailbroken" actually means here
Gemini, like other major commercial LLMs, ships with guardrails — refusals when prompted to generate malware code, phishing copy, or credential-theft instructions. Jailbreaking is the practice of crafting prompts or conversation contexts that bypass those guardrails so the model complies anyway. In this operation, the jailbreaking was not particularly sophisticated. The operator stole 73 API keys from compromised developer accounts and used them to access Gemini through API endpoints that have weaker content moderation than the consumer-facing chat interface. Combined with prompt engineering that framed harmful requests as fiction-writing, code review for "security research," or persona play, the operator got Gemini to produce everything they needed without triggering refusal.
The stolen-API-key angle is important. Google's API gives developers programmatic access to Gemini with the assumption that the developer's application includes appropriate content filtering. When the API key is stolen and used by a different actor with no filtering layer, the safety stack collapses to whatever residual guardrails Gemini itself applies — which prompt engineering can defeat.
Why this is the template for 2026 crypto phishing
Three structural shifts make this operation a preview of what is coming, not an isolated incident.
Shift 1: AI removes the operator skill ceiling. A solo operator with limited coding ability used to be limited to small-scale, sloppy phishing campaigns. AI now lets that same operator run a polished multi-month campaign with localized content, automated malware delivery, and live victim engagement at the scale of a small team. The barrier to entry collapsed.
Shift 2: AI removes the language ceiling. Phishing campaigns historically had visible language tells — the broken English of a non-native speaker, the awkward translations from automated tools. AI generates idiomatic, culturally specific copy in every major language. The bandcampro Telegram posts read as written by a fluent American because, functionally, they were.
Shift 3: AI removes the response-time bottleneck. Old phishing operations could not personally respond to every victim's question or troubleshoot every install. Victims who hit friction would walk away. AI-driven chatbots respond instantly, in context, with whatever the victim needs to keep moving through the funnel. Drop-off rates fall sharply.
Put together: more campaigns, higher fidelity per campaign, lower victim drop-off. The total volume of crypto theft enabled by AI tooling is not going to be linear growth. It will be exponential until defenders catch up.
How to spot AI-generated phishing
The old red flags — broken English, weird formatting, generic greetings — are gone. The new red flags are harder to see because they require checking the structural details of a page or message, not its language quality.
- The brand is real but the URL is not. AI-generated phishing pages are now visually pixel-perfect clones of real brand sites. The only reliable tell is the domain. Trust Wallet is at trustwallet.com. Anything else mimicking the brand is phishing regardless of how clean the page looks.
- The "support" page asks for your seed phrase. No real wallet support staff, real exchange, or real recovery service ever asks for your recovery phrase or private key. AI-generated support pages and chatbots will ask for it persuasively. The persuasion is the warning sign — real support never has a reason to need it.
- The Telegram channel is too consistent. AI-generated Telegram channels post on a regular cadence with consistent tone and never go off-script. Real humans get tired, post irregularly, make typos, and occasionally vent. Channel pages that look professionally produced 24/7 are more likely automated.
- The wallet app you have never heard of. StellarMonster did not exist as a real product. Any wallet, "AI terminal," or trading dashboard you have not seen mentioned by independent reviewers should be treated as malware until proven otherwise. The marketing copy will be polished — AI made sure of that.
- The "verification" that wants too much. AI chatbots are tuned to push for credentials through layered framing. If a service is asking you to enter your seed phrase, password, and 2FA code in the same flow as "verifying" something, that flow is harvesting credentials.
What to do if you interacted with the campaign
If you joined @americanpatriotus, installed StellarMonster, or interacted with a "Quantum Financial System" terminal at any point between September 2025 and May 2026:
- Assume your machine is compromised. StellarMonster was a GoToResolve RAT. Treat the machine as untrusted. Disconnect it from the network, back up data to an external drive (be careful — the backup may also be compromised), and reinstall the OS from clean media.
- Move remaining crypto from any wallet on that machine. Use a clean, freshly set up device with a newly generated seed phrase. Do not type the old seed phrase anywhere — assume it was harvested even if no theft has happened yet.
- Rotate every credential entered while the machine was compromised. Email, exchange logins, banking, 2FA seed (re-enroll authenticator apps), recovery phone numbers.
- Report to reportfraud.ftc.gov if you are in the US. Include any Telegram channel name, the StellarMonster binary if you still have it, and any wallet addresses where you sent funds.
- Watch on-chain for follow-on theft. The 40+ harvested addresses from the documented victim were not all drained immediately. Attackers sit on harvested credentials and wait. Set up wallet monitoring (e.g., revoke.cash watch lists, Etherscan address alerts) on every address that may have been exposed.
How SafeBrowz catches AI-generated phishing
The bandcampro operation succeeded because its outputs looked legitimate to humans. SafeBrowz works at a layer below the visual one — it inspects URLs, redirect chains, and structural page signals that AI-generated phishing cannot hide. The three-layer detection model:
Layer 1 — Local checks (offline, instant). Pattern rules for known scam URL structures, suspicious TLDs on lookalike domains, free-hosting destinations used as drop sites, homograph attacks. AI-generated phishing still has to use a URL, and the URL still has to live somewhere. Most landing-stage drainers register fresh domains on cheap TLDs, which the local layer catches before any network request.
Layer 2 — API checks. Google Safe Browsing, community blacklist, WHOIS domain age, URL shortener unwrap. The bandcampro operation distributed malware through compromised WordPress sites — those sites' domains were legitimate, but the malicious URLs they hosted matched patterns visible at the API layer. Compromised infrastructure shows up.
Layer 3 — AI content scan. SafeBrowz runs its own AI analysis on page content in 100+ languages, specifically trained to flag credential-harvesting patterns even on visually polished pages. The check that matters most against AI-generated phishing is content-based brand impersonation: when a page renders the visual identity of a major wallet, exchange, or service on a domain that is not that brand's official root, the page is flagged regardless of how clean the AI-generated copy reads. Real brands live on real domains. Phishing pages cannot satisfy both halves.
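An added example, not SafeBrowz's own code, of the structural checks described for Layer 1 and the brand-impersonation and credential-harvesting checks described for Layer 3, written in Python. It folds a hostname onto a visual "skeleton" so digit and Cyrillic look-alikes compare equal to the brand keyword, flags punycode and non-ASCII hosts, cheap TLDs, and brand keywords on domains the brand does not own, and then applies the same brand test to page text. The allow-list, TLD list and harvesting phrases are constructed assumptions; trustwallet.com is the only official domain taken from the article, and "acmeexchange" is made up.

```python
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> official registrable domains (assumption).
OFFICIAL_DOMAINS = {
    "trustwallet": {"trustwallet.com"},
    "acmeexchange": {"acmeexchange.example"},
}

# Constructed list of cheap TLDs that show up on throwaway drainer domains (assumption).
SUSPICIOUS_TLDS = {"xyz", "top", "icu", "click", "tk", "ml", "ga", "cf", "gq", "buzz"}

# Phrases no legitimate wallet, exchange or support flow has a reason to ask for.
HARVEST_PHRASES = ("seed phrase", "recovery phrase", "12-word", "24-word", "private key")

# Single-character confusables: digits and Cyrillic letters that render like Latin ones.
CONFUSABLE_CHARS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "i": "l", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "l",
})
# Multi-character confusables, applied after single-character folding.
CONFUSABLE_SEQUENCES = (("rn", "m"), ("vv", "w"))


def skeleton(text: str) -> str:
    """Fold a label or page string onto its visual skeleton so look-alikes compare equal."""
    s = text.lower().translate(CONFUSABLE_CHARS)
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    for seq, repl in CONFUSABLE_SEQUENCES:
        s = s.replace(seq, repl)
    return "".join(ch for ch in s if ch.isalnum())


def registrable_domain(host: str) -> str:
    # Naive last-two-labels rule; a production check would consult the Public Suffix List
    # (assumption for the example, so co.uk-style suffixes are not handled).
    return ".".join(host.split(".")[-2:])


def analyze_url(url: str, page_text: str = "") -> list:
    """Return human-readable findings; an empty list means nothing structural was flagged."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return ["unparseable host"]
    labels = host.split(".")
    reg = registrable_domain(host)
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    findings = []

    # Layer 1: IDN homograph. Punycode labels or any non-ASCII character in the host.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        findings.append("homograph: non-ASCII or punycode host label")

    # Layer 1: cheap throwaway TLD.
    if labels[-1] in SUSPICIOUS_TLDS:
        findings.append(f"suspicious TLD .{labels[-1]}")

    host_skel = skeleton(host)
    text_skel = skeleton(page_text) if page_text else ""
    for brand, official in OFFICIAL_DOMAINS.items():
        if reg in official:
            continue                      # the brand's own site never trips its own rule
        brand_skel = skeleton(brand)
        # Layer 1: brand keyword on a domain the brand does not own, either as a
        # look-alike second-level label (trustwa11et.com) or embedded anywhere in the host.
        if skeleton(sld) == brand_skel:
            findings.append(f"lookalike domain for {brand}: {reg}")
        elif brand_skel in host_skel:
            findings.append(f"brand keyword '{brand}' on non-official domain {reg}")
        # Layer 3: the page presents the brand identity on a domain that is not the brand's root.
        if brand_skel in text_skel:
            findings.append(f"brand impersonation: page presents as {brand} on {reg}")

    # Layer 3: credential-harvesting language, regardless of which brand is imitated.
    lowered = page_text.lower()
    asked = [p for p in HARVEST_PHRASES if p in lowered]
    if asked:
        findings.append("credential harvesting: page asks for " + ", ".join(asked))
    return findings


def is_phishing(url: str, page_text: str = "") -> bool:
    return bool(analyze_url(url, page_text))


if __name__ == "__main__":
    for sample in ("https://trustwallet.com/", "https://trustwa11et.com/verify",
                   "https://trustwallet.secure-login.xyz/"):
        print(sample, analyze_url(sample))
```

The allow-list is the part that matters: every brand check is "keyword present, registrable domain not on the list", so a real brand on its real domain produces no findings while the same visual identity anywhere else does. The skeleton fold is what keeps a page clean copy from mattering; the host is compared after folding, not the prose.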
For Premium users, additional Layer 3 detection inspects page JavaScript for known wallet drainer libraries (Inferno, Pink, Angel, MS, Atomic) and Permit2 signature construction patterns. AI-generated drainer pages still tend to reuse existing drainer code under the hood, because writing a new drainer from scratch is harder than mimicking known UI. Reused drainer code is fingerprintable.
The broader pattern: AI on both sides
The story of the next five years of online security is the arms race between AI-assisted attackers and AI-assisted defenders. The bandcampro operation is one data point in a trend that includes AI-cloned voice scams targeting elderly relatives, AI-generated romance scam profiles, AI-written phishing emails that bypass Gmail's filtering, and AI-driven typosquat domain generation. Each one removes a friction point that used to limit how fast attackers could scale.
The defensive answer cannot be "look for typos" anymore. The typos are gone. The defensive answer has to be structural — check the URL, check the signature, check whether the brand actually owns the domain, check whether the page is asking for something it has no legitimate reason to need. Tools that operate at that structural layer, in real time, before the user's hand reaches the wallet — those are the tools that will work against AI-generated phishing. Tools that depend on the user spotting visual or linguistic flaws will not.
The Telegram channel @americanpatriotus has been taken down. The bandcampro infrastructure has been cataloged. The 73 stolen API keys have been revoked. None of that stops the next operator from running the same playbook with a different brand, different demographic, different language. The template is now public. The cost of replicating it is zero. The next bandcampro will not be Russian-speaking or American veteran-impersonating. It will be tuned to whoever the operator decides to target.
Block AI-generated phishing automatically
SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that detects brand impersonation, unwraps URL shorteners, and blocks credential-harvesting flows before the page can complete its work. The core protection is free forever. Premium adds drainer JavaScript signature detection and unlimited daily AI scans for $14.99 per year, or hold 10 million $SAFEBROWZ tokens on Base for unlimited Premium access. Same Premium key activates the Telegram bot — so if a scam URL gets posted in your group, the bot replies in the same thread before anyone can click.