- Cybercriminals are using a new strategy to get around ad protections on X (formerly Twitter) by leveraging its AI assistant, Grok.
- The method, called “Grokking,” hides malicious links in video ad metadata and prompts the AI to reveal them publicly.
- Links exposed by Grok lead users to harmful sites, including Malware, fake CAPTCHA scams, and fraudulent ad networks.
- Research from Guardio Labs found hundreds of accounts repeatedly using this approach until suspension.
- This organized campaign boosts malicious link exposure through both promoted content and AI-driven responses.
Cybersecurity researchers identified a new technique that allows cybercriminals to bypass ad protections on the social media platform X by taking advantage of its Artificial Intelligence tool, Grok. The approach has led to a rise in the spread of harmful links on the platform, with attackers promoting adult content in ads and hiding the dangerous links in ad metadata fields.
The technique, known as “Grokking,” was reported by Nati Tal, head of Guardio Labs, and involves posting video ads with bait content.
The malicious links are hidden in the “From:” metadata below the video player, a section not typically scanned by the platform. Attackers then tag Grok in replies to these posts and ask where the video originates, prompting the AI to surface the hidden link in its response.
According to Tal,
“A malicious link that X explicitly prohibits in ads (and should have been blocked entirely!) suddenly appears in a post by the system-trusted Grok account, sitting under a viral promoted thread and spreading straight into millions of feeds and search results!”
The links, as identified by Guardio Labs, redirect users to deceptive ad networks that deliver malware, fake CAPTCHA scams, and other fraudulent content through direct link monetization. The domains involved use a Traffic Distribution System (TDS) which helps redirect users to various harmful sites.
Guardio Labs told The Hacker News that they discovered hundreds of accounts utilizing this method, each responsible for posting large numbers of these ads over several days.
“They seem to be posting non-stop for several days until the account gets suspended for violating platform policies,” the company reported, adding that the activity appears highly coordinated.
Researchers also noted that when Grok amplifies these links, it helps boost their visibility in search engine results and improves the domains’ reputations. This method not only spreads the malicious links to X’s wide user base but also helps the attackers sidestep existing protections in promoted advertisements.
Investigations are ongoing as X attempts to address the vulnerabilities and suspend accounts connected to these campaigns. So far, the persistent posting has revealed a broader pattern of organized malicious activity targeting the platform’s ad and AI features.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- China Backs Malaysia’s BRICS Bid, Eyes Shift in Global Power
- Etherealize Raises $40M, Courts Wall Street as Firms Buy ETH
- Ethereum Nears $4.5K as Whale Accumulation Fuels Price Recovery
- Bitcoin Holds $112K; Ethereum Seen as September Breakout Now
- Bitcoin Dominance Slips to 55% as Altcoins and Ethereum Surge