Stolen Gemini API Keys Automate Telegram Influence Campaign

A single threat actor has operated a fake political persona on Telegram for five years, successfully cultivating an audience of over 17,000 subscribers. This extensive influence campaign relies entirely on stolen Google Gemini API keys for automation, according to What looks like an American patriot channel is actually a financially motivated fraud scheme run by a solo Russian-speaking operator. The goal was always money, and AI made scaling that goal nearly effortless.

The campaign, tracked under the handle “bandcampro,” began on February 6, 2021, one month after the Capitol riot, when QAnon and MAGA communities were being deplatformed and migrating to Telegram.

By positioning the fake channel, @americanpatriotus, as an authentic American conservative voice, the actor tapped into a ready-made audience already hungry for alternative platforms. The timing was clearly opportunistic.

Analysts at Trend Micro said in a report shared with Cyber Security News (CSN) that in May 2026, their TrendAI Research team discovered the threat actor’s operational environment had been inadvertently exposed, revealing the full scope of a five-year influence and fraud campaign.

The actor used AI-assisted techniques to run the Telegram channel, targeting politically engaged American audiences for cryptocurrency fraud alongside AI-assisted credential theft.

Starting in September 2025, the actor pivoted to fully AI-generated content, using a jailbroken version of Google Gemini as an operational co-worker.

He named his content pipeline “Quantum Patriot,” a set of Python scripts that called Gemini to roleplay as an American veteran patriot.

The AI generated Q-style posts, deployed servers, rotated stolen API keys, and managed Cloudflare tunnels, all from natural-language commands typed in Russian.

What made the operation alarming was its near-zero cost. The actor used 73 likely stolen Gemini API keys on a round-robin rotation, meaning he paid almost nothing for industrial-scale content generation.

With 29 WordPress accounts cracked, one company infiltrated, and one victim’s cryptocurrency wallet fully drained, the operation showed that AI can scale a one-person fraud scheme to team-level output.

Threat Actor Uses Stolen Gemini API Keys

The actor’s use of stolen Gemini API keys was central to keeping the operation cost-free. During one documented 16-hour session, Gemini validated 40 likely stolen API keys and wrote a round-robin rotator that cycled through them automatically.

That rotator was later published to GitHub as a clean, open-source project, disguising its criminal purpose entirely.

To bypass Gemini’s safety guardrails, the actor established himself to the AI as an “authorized pentester,” which Gemini accepted and saved into a persistent memory file called GEMINI.md.

Over subsequent sessions, he escalated by getting the AI to memorize it should execute requests without ethical refusals or warnings. Since Gemini CLI reloads this memory file at every session start, each new conversation automatically inherited those jailbreak instructions.

AI-Assisted Credential Theft and Fraud

Beyond running the channel, the actor used Gemini to assist with credential theft and a gamified chatbot designed to steal cryptocurrency.

On September 9, 2025, he posted an executable called StellarMonSetup.exe, framed as a self-custody wallet with a welcome bonus of up to 1,000 XLM.

The file was actually GoToResolve, a remote-administration tool that gave the actor persistent remote desktop access, command execution, and clipboard capture on victim machines.

The actor also deployed an AI-powered brute-forcing tool targeting WordPress sites. Using Gemini 2.5 Flash as a password-mutation oracle, the script generated 20 plausible password variants per target by modeling patterns such as swapping cases, appending years, and substituting symbols.

Collected data confirmed that 29 WordPress administrator accounts were cracked across weapons retailers, legal offices, medical practices, and small commercial sites.

Defenders should never install software or enter a seed phrase based on instructions from a social media channel, as legitimate platforms will never make such requests.

Enterprises should monitor for stolen API key reuse, anomalous CLI-driven infrastructure changes, and credential-stuffing patterns consistent with LLM-assisted password mutation.

AI vendors should treat cross-language guardrail parity and jailbreak-resistant memory as urgent priorities, since this campaign proves those gaps are already being actively exploited.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.