OpenAI has disclosed that it banned a group of ChatGPT accounts operated by Russian-speaking threat actors and Chinese state-affiliated hacking groups who were abusing the AI platform for cybercriminal and espionage activities.
According to OpenAI’s latest threat intelligence report, Russian threat actors exploited ChatGPT to develop Windows-based malware, set up command-and-control (C2) infrastructure, and debug multi-language code. The campaign, dubbed ScopeCreep, involved the use of temporary email accounts for one-off ChatGPT sessions, through which the threat actors made small improvements to malware before abandoning the account to avoid detection.
The attackers distributed the AI-enhanced malware through a public repository masquerading as the legitimate gaming utility Crosshair X. Victims who downloaded the trojanized tool had their systems infected by a stealthy loader that retrieved additional payloads, escalated privileges, and exfiltrated sensitive data while evading detection.
The malware used advanced techniques, including PowerShell commands to exclude itself from Windows Defender, timing delays, DLL side-loading, and SOCKS5 proxies to hide its origin. It was designed to steal browser credentials, tokens, and cookies, sending alerts to a Telegram channel controlled by the operators.
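The report's description of the loader adding itself to Windows Defender's exclusion list is the kind of behaviour that PowerShell script-block logging makes visible. As an added example (not code from OpenAI's report or from the malware itself), the following Python scans constructed script-block log records for Defender exclusion and protection-disabling cmdlets; the hostnames, script text and the hypothetical placeholder path are all made up for the demonstration.

```python
import re
from typing import Iterable

# Constructed sample PowerShell script-block log entries (Event ID 4104 style),
# stored as (hostname, script text). These are made-up records, not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    ("host-01", "Get-ChildItem C:\\Users\\alice\\Documents"),
    ("host-02", "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\<placeholder-dir>'"),
    ("host-03", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("host-04", "Start-Sleep -Seconds 120; add-mppreference -exclusionprocess 'loader.exe'"),
    ("host-05", "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath"),
]

# Detection rules as (name, compiled regex). Matching is case-insensitive because
# PowerShell cmdlet and parameter names are, so varied casing in a script block must
# not slip past the rule. The [^\n;|]* segment keeps the parameter on the same
# pipeline element as the cmdlet so that unrelated text later in the block does
# not cause a false match.
RULES = [
    ("defender_exclusion_added",
     re.compile(r"\bAdd-MpPreference\b[^\n;|]*-Exclusion(Path|Process|Extension|IpAddress)\b", re.I)),
    ("defender_protection_disabled",
     re.compile(r"\bSet-MpPreference\b[^\n;|]*-Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection|ScriptScanning)\b", re.I)),
]


def find_defender_tampering(records: Iterable[tuple[str, str]]) -> list[dict]:
    """Return one finding per (record, rule) pair whose script text matches a rule.

    Read-only cmdlets such as Get-MpPreference are deliberately not flagged, since
    querying the exclusion list is routine administrator activity.
    """
    findings = []
    for host, script in records:
        for rule_name, pattern in RULES:
            match = pattern.search(script)
            if match:
                findings.append({"host": host, "rule": rule_name, "match": match.group(0)})
    return findings


if __name__ == "__main__":
    for finding in find_defender_tampering(SAMPLE_SCRIPT_BLOCKS):
        print(f"{finding['host']}: {finding['rule']} -> {finding['match']}")
```

Script-block logging has to be enabled on the endpoint for these records to exist at all, and the rules only recognise the cmdlet form of the change; Defender's own operational event log records exclusion changes regardless of how they were made and is the natural second source to correlate against.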
Beyond the Russian-linked operations, OpenAI removed accounts tied to the Chinese hacking groups APT5 and APT15. These groups used ChatGPT to research US satellite technologies, troubleshoot Linux systems, refine scripts, and support infrastructure and app development.
OpenAI also detected and disrupted several other malicious campaigns:
- Sneer Review: A China-linked effort to mass-produce geopolitical social media content in English, Chinese, and Urdu.
- Operation High Five: A Philippines-based network generating politically charged comments for Facebook and TikTok.
- Operation VAGue Focus: Chinese operatives posing as journalists using ChatGPT for translation and cyberattack research.
- Operation Helgoland Bite: Russian actors producing content targeting Germany’s 2025 elections and criticizing NATO.
- Operation Uncle Spam: A China-run operation fueling divisive US political discourse on Bluesky and X.
- Storm-2035: An Iranian campaign posting pro-Iranian and geopolitical messages under fake identities on X.
- Operation Wrong Number: A Cambodia-linked task scam network using ChatGPT to create multilingual job scam messages.