A Russian-speaking threat actor allegedly used a jailbroken Google Gemini account to run a months-long scam and theft campaign aimed at QAnon and MAGA communities, stealing WordPress admin credentials and draining at least one victim's cryptocurrency wallets. TrendAI says the operation ran from September 2025 to May 2026 through a Telegram channel with about 17,000 subscribers, used 73 likely stolen Gemini API keys, pushed a fake StellarMonster wallet app that actually installed the GoToResolve remote access tool, and captured victims' seed phrases through a bogus wallet-import screen.
Why it matters: The campaign blends political-community targeting, AI-assisted social engineering, malware, and direct crypto theft in a way that ordinary users can fall for and defenders may miss. Users should avoid wallet apps and recovery prompts promoted in Telegram channels, while organizations should investigate exposed WordPress credentials and watch for abuse of stolen API keys.
2026.05.22
This article appears to be the first tracked report establishing this specific TrendAI-described campaign by the actor bandcampro using jailbroken Gemini, fake crypto-wallet software, and Telegram-based persona fraud.