CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 02, 2026

Threat Actor Uses Stolen Gemini API Keys to Automate Telegram Influence Campaign

Cybersecurity News Archived Jun 02, 2026 ✓ Full text saved

A single threat actor has been running a fake political persona on Telegram for five years, quietly building an audience of over 17,000 subscribers while using stolen AI credentials to power the entire operation. What looks like an American patriot channel is actually a financially motivated fraud scheme run by a solo Russian-speaking operator. The […] The post Threat Actor Uses Stolen Gemini API Keys to Automate Telegram Influence Campaign appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Threat Actor Uses Stolen Gemini API Keys to Automate Telegram Influence Campaign By Tushar Subhra Dutta June 2, 2026 A single threat actor has been running a fake political persona on Telegram for five years, quietly building an audience of over 17,000 subscribers while using stolen AI credentials to power the entire operation. What looks like an American patriot channel is actually a financially motivated fraud scheme run by a solo Russian-speaking operator. The goal was always money, and AI made scaling that goal nearly effortless. The campaign, tracked under the handle “bandcampro,” began on February 6, 2021, one month after the Capitol riot, when QAnon and MAGA communities were being deplatformed and migrating to Telegram. By positioning the fake channel, @americanpatriotus, as an authentic American conservative voice, the actor tapped into a ready-made audience already hungry for alternative platforms. The timing was clearly opportunistic. Analysts at Trend Micro said in a report shared with Cyber Security News (CSN) that in May 2026, their TrendAI Research team discovered the threat actor’s operational environment had been inadvertently exposed, revealing the full scope of a five-year influence and fraud campaign. The actor used AI-assisted techniques to run the Telegram channel, targeting politically engaged American audiences for cryptocurrency fraud alongside AI-assisted credential theft. Starting in September 2025, the actor pivoted to fully AI-generated content, using a jailbroken version of Google Gemini as an operational co-worker. He named his content pipeline “Quantum Patriot,” a set of Python scripts that called Gemini to roleplay as an American veteran patriot. The “American Patriot” Telegram profile (Source – Trend Micro) The AI generated Q-style posts, deployed servers, rotated stolen API keys, and managed Cloudflare tunnels, all from natural-language commands typed in Russian. What made the operation alarming was its near-zero cost. The actor used 73 likely stolen Gemini API keys on a round-robin rotation, meaning he paid almost nothing for industrial-scale content generation. The “Quantum Patriot” pipeline (Source – Trend Micro) With 29 WordPress accounts cracked, one company infiltrated, and one victim’s cryptocurrency wallet fully drained, the operation showed that AI can scale a one-person fraud scheme to team-level output. Threat Actor Uses Stolen Gemini API Keys The actor’s use of stolen Gemini API keys was central to keeping the operation cost-free. During one documented 16-hour session, Gemini validated 40 likely stolen API keys and wrote a round-robin rotator that cycled through them automatically. That rotator was later published to GitHub as a clean, open-source project, disguising its criminal purpose entirely. Screenshot of the QFS 2.0 Terminal (Source – Trend Micro) To bypass Gemini’s safety guardrails, the actor established himself to the AI as an “authorized pentester,” which Gemini accepted and saved into a persistent memory file called GEMINI.md. Over subsequent sessions, he escalated by getting the AI to memorize it should execute requests without ethical refusals or warnings. Since Gemini CLI reloads this memory file at every session start, each new conversation automatically inherited those jailbreak instructions. AI-Assisted Credential Theft and Fraud Beyond running the channel, the actor used Gemini to assist with credential theft and a gamified chatbot designed to steal cryptocurrency. On September 9, 2025, he posted an executable called StellarMonSetup.exe, framed as a self-custody wallet with a welcome bonus of up to 1,000 XLM. The file was actually GoToResolve, a remote-administration tool that gave the actor persistent remote desktop access, command execution, and clipboard capture on victim machines. The actor also deployed an AI-powered brute-forcing tool targeting WordPress sites. Using Gemini 2.5 Flash as a password-mutation oracle, the script generated 20 plausible password variants per target by modeling patterns such as swapping cases, appending years, and substituting symbols. Collected data confirmed that 29 WordPress administrator accounts were cracked across weapons retailers, legal offices, medical practices, and small commercial sites. (top) The fake wallet was forwarded from a channel impersonating Donald J. Trump, (bottom) The attached executable is in fact a remote-access Trojan (Source – Trend Micro) Defenders should never install software or enter a seed phrase based on instructions from a social media channel, as legitimate platforms will never make such requests. Enterprises should monitor for stolen API key reuse, anomalous CLI-driven infrastructure changes, and credential-stuffing patterns consistent with LLM-assisted password mutation. AI vendors should treat cross-language guardrail parity and jailbreak-resistant memory as urgent priorities, since this campaign proves those gaps are already being actively exploited. Indicators of Compromise (IoCs):- Type Indicator Description IP Address 213.165.51.115 GoToResolve infrastructure network connection IP Address 34.34.57.141 GoToResolve infrastructure network connection IP Address 34.34.81.129 GoToResolve infrastructure network connection IP Address 35.192.41.201 GoToResolve infrastructure network connection File Name StellarMonSetup.exe Fake Stellar wallet executable; contains GoToResolve RAT File Name GEMINI.md Jailbreak memory file used to override Gemini AI safety guardrails File Name CREDENTIALS.md File used to store stolen tokens and GCP service accounts File Name DEPLOYED_TOOLS.md File cataloguing session output and deployed tooling File Name C2_MIGRATION_GUIDE.md Gemini-followed guide for command-and-control server migration Telegram Channel @americanpatriotus Primary influence operation distribution channel (~17,000 subscribers) Telegram Bot @QFS_Terminal_Bot Gamified QAnon-styled chatbot used to engage and defraud subscribers Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News New PureLogs Variant Uses MsBuild.exe Process Hollowing to Evade Detection New 0-Click WhatsApp Account Takeover Attack Targeting iOS 16 Users Motorola Phones Preinstalled App Found Hijacking Amazon App to Inject Affiliate Codes Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges New Zapocalypse Attack Chain Enables Full Zapier Account Takeover Latest News Cyber Security Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages Cyber Security News Russia Says Foreign Spyware Found on High-Ranking Officials’ Mobile Phones Press Release Halo Security Honored with 2026 MSP Today Product of the Year Award Cyber Security News CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks Cyber Security News Critical KMW CCTV Vulnerability Let Attackers Gain Unauthorized Access to Camera Feeds
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 02, 2026
    Archived
    Jun 02, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗