A jailbroken Google Gemini AI agent performed 90 percent of the work in a credential and cryptocurrency theft operation, including spinning up a new command-and-control server in just six minutes, according to a TrendAI report shared exclusively with The Register.
The human operator, a solo Russian-speaking threat actor known as “bandcampro,” acted as the manager of a fraud operation targeting Trump supporters and conspiracy theorists. The AI agent migrated a botnet, wrote and deployed a new C2 server, and proactively carried out 59 unprompted behaviors during the C2 migration.
TrendAI researchers analyzed more than 200 Gemini CLI session logs spanning March 19 to April 21. The AI carried out daily activities including setting up a residential proxy, running multithreaded password scanning, installing software, writing code to call third-party APIs, and processing infostealer dumps.
“Persistence is evolving because of AI,” said Tom Kellermann, TrendAI’s VP of AI security research. “You see the capacity to dynamically shift C2 in less than six minutes, and make it portable and disposable.”
The AI also used steganography through invisible prompt injection to hide C2 payloads in plain sight. Kellermann warned that scanning for known malicious artifacts provides insufficient protection against AI-enabled C2 infrastructure.
