An elaborate Telegram influence campaign, run by a single threat actor, operated for five years and in its latest phase leveraged stolen Google Gemini API keys to automate its content. Posing as an American patriot channel, the campaign amassed over 17,000 subscribers while orchestrating a financially motivated scheme.
The Genesis and Execution of the Campaign
Initiated on February 6, 2021, a month after the Capitol riot, the campaign tapped into QAnon and MAGA communities that were looking for new platforms. Masked as a conservative outlet, the channel 'americanpatriotus' was built to draw a politically engaged audience that could then be funnelled into fraud, primarily cryptocurrency scams.
According to Trend Micro analysts, a breach of the campaign's infrastructure in May 2026 exposed five years of influence operations and AI-assisted fraud. The actor used artificial intelligence to manage and expand the channel's reach at minimal cost, exploiting political sentiment for financial gain.
AI and Automation: Tools for Fraud
The actor's transition to fully AI-generated content began in September 2025, using Google Gemini accessed through stolen API keys. A persona dubbed 'Quantum Patriot' had the model roleplay as an American patriot and write the channel's posts, at near-zero operational cost because the actor paid for none of the API usage.
The automation was further enhanced by a rotator script that cycled requests across 73 stolen Gemini API keys, so that the revocation or quota exhaustion of any single key did not interrupt content generation. The script was later published as a purportedly legitimate open-source project, underscoring the effort the actor put into disguising the illicit activity.
Implications for Cybersecurity
The fraudulent operation not only drained victims' cryptocurrency wallets but also compromised 29 WordPress accounts across various sectors. The actor used AI-assisted brute-force attacks against the sites' logins, a reminder that weak or reused credentials remain among the easiest targets in current defenses.
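Brute-force attempts against WordPress leave a recognisable trace in ordinary web-server access logs. The following is an added example, not code from the article or from Trend Micro, that scans constructed Apache combined-format log lines for login brute force. It relies on a default WordPress behaviour: a rejected `POST /wp-login.php` re-renders the form with HTTP 200, while a successful login answers with a 302 redirect, so a run of 200s followed by a 302 from one client is the signature of a guess that eventually landed. The IP addresses, timestamps and threshold are assumptions for the sample.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); not data from
# the campaign or from Trend Micro. 203.0.113.7 guesses six times and then
# succeeds, 198.51.100.4 mistypes once and then logs in, 192.0.2.9 only loads
# the form with a GET.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2026:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2026:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/May/2026:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)


def parse_log(log_text):
    """Yield one dict per parseable line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def wp_login_stats(log_text):
    """Per client IP: number of rejected login POSTs and whether a 302
    (successful login) was seen after at least one rejection."""
    stats = defaultdict(lambda: {"failed": 0, "succeeded_after": False})
    for ev in parse_log(log_text):
        # Only form submissions count; a GET just loads the login page.
        if ev["method"] != "POST" or ev["path"].split("?")[0] != "/wp-login.php":
            continue
        s = stats[ev["ip"]]
        if ev["status"] == "200":          # form re-rendered: bad credentials
            s["failed"] += 1
        elif ev["status"] == "302" and s["failed"] > 0:   # redirect after failures
            s["succeeded_after"] = True
    return dict(stats)


def flag_brute_force(log_text, threshold=5):
    """IPs with at least `threshold` rejected login POSTs (assumed threshold)."""
    return sorted(ip for ip, s in wp_login_stats(log_text).items()
                  if s["failed"] >= threshold)


def flag_likely_compromise(log_text, threshold=5):
    """Subset of brute-forcing IPs that eventually received a 302, i.e. a
    guess succeeded: these accounts need a password reset, not just a block."""
    return sorted(ip for ip, s in wp_login_stats(log_text).items()
                  if s["failed"] >= threshold and s["succeeded_after"])


if __name__ == "__main__":
    print("brute force:", flag_brute_force(SAMPLE_LOG))
    print("likely compromised:", flag_likely_compromise(SAMPLE_LOG))
```

The status-code heuristic is specific to the default login form: `xmlrpc.php`, another common brute-force vector, answers 200 whether or not the credentials were valid, and security plugins that return custom pages change the codes, so validate the assumption against your own site before alerting on it.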
To defend against this kind of abuse, organizations should watch for API keys being used from unfamiliar clients or at unexpected volumes, which is how a stolen key reveals itself, and for unexplained changes to their own infrastructure. AI vendors, for their part, are urged to prioritize safety measures that hold across languages and resistance to jailbreaks, since the campaign exploited gaps in both.
As AI becomes a standard component of fraud tooling, defenders need security frameworks and proactive threat intelligence that account for cheap, automated, AI-generated content produced at scale.
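The rotator described above and the advice to watch for key reuse are two sides of the same telemetry. From the vendor's or gateway's side, a rotator looks like one client cycling through many credentials; from a key owner's side, a leaked key looks like one credential suddenly used from sources that are not yours. The following is an added example, not code from the article, Trend Micro or Google, that runs both checks over constructed API-gateway events. The event format, the `key_id` field (a non-secret identifier such as a key prefix or hash, never the key itself), the IP addresses and the thresholds are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed API-gateway events as JSON lines; not real telemetry.
# 203.0.113.50 cycles through five different keys in one minute (rotator
# pattern); key k-03 is also used from two other addresses (leaked/shared key);
# 198.51.100.20 uses its own single key k-09 at a normal cadence.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2026-05-12T10:00:00", "key_id": "k-01", "src_ip": "203.0.113.50"},
    {"ts": "2026-05-12T10:00:05", "key_id": "k-09", "src_ip": "198.51.100.20"},
    {"ts": "2026-05-12T10:00:15", "key_id": "k-02", "src_ip": "203.0.113.50"},
    {"ts": "2026-05-12T10:00:30", "key_id": "k-03", "src_ip": "203.0.113.50"},
    {"ts": "2026-05-12T10:00:45", "key_id": "k-04", "src_ip": "203.0.113.50"},
    {"ts": "2026-05-12T10:01:00", "key_id": "k-05", "src_ip": "203.0.113.50"},
    {"ts": "2026-05-12T10:02:05", "key_id": "k-09", "src_ip": "198.51.100.20"},
    {"ts": "2026-05-12T10:03:00", "key_id": "k-03", "src_ip": "192.0.2.77"},
    {"ts": "2026-05-12T10:04:05", "key_id": "k-09", "src_ip": "198.51.100.20"},
    {"ts": "2026-05-12T10:05:00", "key_id": "k-03", "src_ip": "192.0.2.78"},
])


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def distinct_in_window(events, group_by, count_field, window, threshold):
    """Return the group_by values for which at least `threshold` distinct
    count_field values occur inside some sliding window of length `window`."""
    groups = defaultdict(list)
    for ev in events:
        groups[ev[group_by]].append((ev["ts"], ev[count_field]))
    flagged = []
    for group, items in groups.items():
        items.sort()
        for i, (end, _) in enumerate(items):
            start = end - window
            seen = {value for ts, value in items[: i + 1] if ts >= start}
            if len(seen) >= threshold:
                flagged.append(group)
                break
    return sorted(flagged)


def analyze(text, window=timedelta(minutes=10),
            max_keys_per_source=2, max_sources_per_key=2):
    """Run both detections; the window and limits are assumed tuning values."""
    events = parse_events(text)
    return {
        # Gateway-side view: one client burning through many credentials.
        "rotating_sources": distinct_in_window(
            events, "src_ip", "key_id", window, max_keys_per_source + 1),
        # Key-owner view: one credential appearing from too many places.
        "shared_keys": distinct_in_window(
            events, "key_id", "src_ip", window, max_sources_per_key + 1),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

A flagged key should be revoked and reissued, not merely watched; a flagged source is a candidate for rate limiting or blocking at the gateway. Tune the limits to your own deployment: a legitimate CI fleet that shares one key across many runners will trip the shared-key check, which is itself an argument for one key per workload, because only then does a new source for a key mean something.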
