One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud ‘Patriot Bait’ Campaign
Trend Micro researchers uncovered a solo Russian-speaking threat actor who ran a MAGA-themed Telegram channel (@americanpatriotus, ~17,000 subscribers) for five years, pivoting in September 2025 to AI-automated content generation, credential theft, and cryptocurrency fraud. The actor jailbroke Google Gemini CLI by establishing a persistent memory file that disabled ethical guardrails, then used it as a full operational co-worker: generating QAnon-styled posts, rotating 73 stolen API keys, cracking 29 WordPress admin accounts via AI-assisted password mutation, deploying C2 infrastructure, and running a gamified chatbot to funnel victims into a pump-and-dump crypto scheme. The operation demonstrates how a single low-skilled actor can now replicate team-scale influence operations at near-zero cost using frontier AI, while also highlighting that AI safety guardrails remain inconsistently enforced across languages and vulnerable to jailbreaks.
Table of contents
- Criminal-driven influence operation, not a nation-state-linked one
- Why this matters
- Solutions and mitigations
- Proactive security with TrendAI Vision One™
- TrendAI Vision One™ Threat Intelligence Hub
- Hunting Queries
- Indicators of Compromise (IOCs)