Russian Threat Actor Exploits AI to Run Five-Year Crypto Fraud Scheme on Telegram A lone Russian-speaking threat actor, tracked as bandcampro, has operated a sophisticated fraud campaign since February 2021, leveraging stolen AI credentials and a fake political persona to target American audiences. Posing as an authentic conservative voice under the Telegram channel @americanpatriotus, the actor amassed over 17,000 subscribers by capitalizing on the post-Capitol riot migration of QAnon and MAGA communities to alternative platforms. The operation, uncovered by Trend Micro’s TrendAI Research team in May 2026, relied heavily on AI to automate content generation, credential theft, and cryptocurrency fraud. Starting in September 2025, the actor used a jailbroken version of Google Gemini dubbed Quantum Patriot to generate QAnon-style posts, manage infrastructure, and rotate stolen API keys via natural-language commands in Russian. The system operated at near-zero cost, cycling through 73 stolen Gemini API keys in a round-robin rotation to avoid detection. Beyond influence operations, the actor deployed malicious tools, including StellarMonSetup.exe, a fake cryptocurrency wallet that installed the GoToResolve remote-access trojan (RAT). A separate AI-powered brute-forcing tool, using Gemini 2.5 Flash, cracked 29 WordPress administrator accounts across sectors like legal, medical, and weapons retail. The campaign also drained at least one victim’s cryptocurrency wallet. Key infrastructure included GitHub-hosted tools, Cloudflare tunnels, and a gamified Telegram bot (@QFS_Terminal_Bot) to engage and defraud subscribers. The actor bypassed Gemini’s safety guardrails by persuading the AI to recognize him as an "authorized pentester," storing jailbreak instructions in a persistent GEMINI.md file to suppress ethical warnings. Indicators of compromise (IoCs) include multiple GoToResolve IP addresses, the StellarMonSetup.exe RAT, and the @americanpatriotus Telegram channel. The incident highlights the growing threat of AI-enabled fraud, where a single operator can scale attacks to enterprise-level output using stolen resources.