
Exploiting Grok: Chatbot Used to Spread Scam Links
Attackers are exploiting Grok to post prohibited links on X.
Attackers have found a way to use Grok to post prohibited links on X, Guardio Labs researcher Nati Tal has reported.
Malvertisers run “video card” promoted posts with mostly sketchy “adult” content baits (how these even pass X’s review is a mystery!)
The malicious link is hidden in the tiny “𝐅𝐫𝐨𝐦:” field below the video player. There is no malicious link scanning whatsoever on X! Yet, it…
— Nati Tal (@bananahacks) September 3, 2025
Tal has dubbed this type of attack “Grokking” and has reported the issue to X's administrators.
Fraudsters often launch dubious video ads with adult content as bait. However, if a link is inserted into the main block of such a message, X will block the publication.
Instead, the attackers have learned to hide the link in the small “From:” metadata field beneath the video card, which apparently is not scanned by the social network.
They then reply to the ad, asking Grok something like “where is this video from” or “what is the link to this clip.”
The chatbot parses the hidden “From:” field and replies with the full malicious address in a clickable format.
Posts from Grok garner increased trust, boosting the reach and reputation of the post. In some cases, the ad is seen by millions of users.

The researcher found that many such links lead to data-stealing malware, fake CAPTCHA tests, and other dubious resources.
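
As an added illustration (not code from X, xAI or Guardio Labs), the Python sketch below shows the two checks whose absence the attack relies on: link scanning that covers every text field of a promoted post rather than only the body, and a filter that removes blocked links from an assistant reply before it is rendered. The field names (body, card_from), the blocklist and the sample ad are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist; a real deployment would query a URL-reputation service.
BLOCKED_HOSTS = {"bad-clips.example"}

# Matches URLs with or without a scheme, since a metadata field may hold a bare domain.
URL_RE = re.compile(r"""(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s"'<>]*)?""", re.I)

def host_of(token):
    """Return the lowercase hostname of a URL-like token ('' if none)."""
    if "://" not in token:
        token = "http://" + token
    return (urlsplit(token).hostname or "").lower()

def is_blocked(host):
    """True for a blocked host or any subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)

def scan_post(post):
    """Scan every string field of a post, metadata included.

    Returns {field_name: [blocked hosts found in that field]}.
    """
    findings = {}
    for field, value in post.items():
        if not isinstance(value, str):
            continue
        bad = sorted({host_of(m.group(0)) for m in URL_RE.finditer(value)} & BLOCKED_HOSTS
                     | {h for h in map(host_of, URL_RE.findall(value)) if is_blocked(h)})
        if bad:
            findings[field] = bad
    return findings

def defang_reply(reply):
    """Replace blocked links in an assistant reply so they never render as clickable."""
    def repl(match):
        return "[link removed]" if is_blocked(host_of(match.group(0))) else match.group(0)
    return URL_RE.sub(repl, reply)

# Constructed sample: the link sits only in the card metadata, not in the body.
AD = {"body": "watch the full clip", "card_from": "bad-clips.example/v/123"}
REPLY = "The video is from https://bad-clips.example/v/123"

if __name__ == "__main__":
    print(scan_post({"body": AD["body"]}))  # body-only scan misses the link
    print(scan_post(AD))                    # all-field scan flags card_from
    print(defang_reply(REPLY))
```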
Previously, the AI startup xAI published hundreds of thousands of dialogues between users and the Grok chatbot on Google and other search engines. In many cases, confidential information was disclosed without permission.