A solo Russian-speaking threat actor tracked as bandcampro ran the MAGA-themed Telegram channel @americanpatriotus and, starting in September 2025, used jailbroken Google Gemini and other AI tools to automate influence content, credential theft, and crypto fraud against American audiences. The operation included a fake QFS bot, a Stellar-based wallet scam, WordPress credential cracking, and stolen API-key rotation, but produced only limited financial success despite broad automation. #bandcampro #americanpatriotus #GoogleGemini #QFS_Terminal_Bot #StellarMonster #GoToResolve
Key points
- The threat actor “bandcampro” operated the Telegram channel @americanpatriotus for about five years, attracting roughly 17,000 subscribers with a MAGA/QAnon-style persona.
- Beginning in September 2025, the actor shifted from manual curation to AI-generated content, first images and then fully AI-written posts.
- Jailbroken Google Gemini was used as an operational assistant for content creation, infrastructure setup, API-key rotation, password modeling, and other tasks.
- The campaign used a fake “QFS 2.0 Terminal” bot and a Stellar-themed wallet scam to convert subscribers into fraud victims.
- The actor also distributed a remote-access tool disguised as StellarMonSetup.exe, enabling wallet theft and remote control of victim systems.
- An AI-assisted brute-force workflow cracked 29 WordPress administrator accounts across multiple sectors, including retail, legal, and medical sites.
- Overall impact appears limited relative to the automation used, with one company infiltrated, one crypto wallet emptied, and limited returns from the fraud schemes.
MITRE Techniques
- [T1036] Masquerading – The actor used a fake American patriot identity and disguised malicious tools as legitimate crypto software to gain trust (‘the actor used the LLM to impersonate an American veteran patriot’; ‘a “freedom-first, self-custody wallet” called StellarMonster’).
- [T1056.001] Keylogging – The remote-access tool enabled clipboard capture, which can expose pasted secrets and wallet seed phrases (‘it gives the actor a persistent remote desktop session with file access, command execution, and clipboard capture’).
- [T1078] Valid Accounts – The actor reused stolen Gemini API keys and likely-stolen credentials to access services and automate operations (‘using 73 likely-stolen Gemini API keys’; ‘The actor first tried to reuse a stolen credential’).
- [T1110] Brute Force – Gemini was used to model password mutations and generate plausible guesses for WordPress accounts (‘can model the mutations when supplied with static wordlists’; ‘20 plausible password variants’).
- [T1219] Remote Access Software – The actor repurposed GoToResolve, a legitimate unattended remote-administration tool, for persistent access (‘StellarMonSetup.exe is in fact GoToResolve’).
- [T1059.001] PowerShell – The actor used scripts and command execution to automate deployment and infrastructure tasks (‘a set of Python scripts that called Gemini’; ‘command execution’).
- [T1583] Acquire Infrastructure – The actor deployed servers, Cloudflare tunnels, a VM in the Netherlands, and other infrastructure to support the operation (‘Gemini deployed servers’; ‘managed the actor’s Cloudflare tunnels’).
- [T1105] Ingress Tool Transfer – The actor posted and distributed executables and tooling through the Telegram channel (‘The actor posted an executable, StellarMonSetup.exe, to the channel’).
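The brute-force workflow described under T1110 (many generated guesses against WordPress administrator accounts, with 29 of them eventually cracked) leaves a characteristic trace in web server access logs: a burst of POST requests to wp-login.php from one source, followed by a successful login from the same source. The script below is an added detection example written for this summary; it is not code from the report or from the actor's tooling. It assumes a standard Apache/nginx combined log format and uses the heuristic that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects to wp-admin with HTTP 302. The log lines it runs over are constructed sample data, not observed traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined-log pattern: source IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, t, status):
    # Helper that builds one constructed access-log line for the sample below.
    return (f'{ip} - - [{t.strftime(TS_FMT)}] "POST /wp-login.php HTTP/1.1" '
            f'{status} 3512 "-" "Mozilla/5.0"')


_T0 = datetime.strptime("12/Sep/2025:10:00:00 +0000", TS_FMT)
# Constructed sample log (not from the report):
#  - 203.0.113.7:  12 failed logins in 22 s, then a success (likely cracked account)
#  - 192.0.2.5:    3 failures spread over 10 minutes, then a success (user mistyping)
#  - 198.51.100.9: one clean successful login
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", _T0 + timedelta(seconds=2 * i), 200) for i in range(12)]
    + [_line("203.0.113.7", _T0 + timedelta(seconds=26), 302)]
    + [_line("192.0.2.5", _T0 + timedelta(minutes=5 * i), 200) for i in range(3)]
    + [_line("192.0.2.5", _T0 + timedelta(minutes=16), 302)]
    + [_line("198.51.100.9", _T0 + timedelta(seconds=5), 302)]
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status"))}


def detect_wp_bruteforce(log_text, threshold=10, window=timedelta(seconds=60),
                         min_failures_before_success=5):
    """Flag source IPs that hammer wp-login.php.

    Heuristic (assumption, see lead-in): a failed WordPress login answers 200,
    a successful one answers 302.  An IP is reported when it produces at least
    `threshold` failures inside any `window`, or when a success follows at
    least `min_failures_before_success` earlier failures from the same IP.
    """
    events = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            events[rec["ip"]].append((rec["ts"], rec["status"]))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [ts for ts, st in evs if st == 200]
        # Sliding window over sorted failure timestamps: largest burst within `window`.
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        # Did a success arrive only after enough failures from this IP?
        fails_so_far, cracked = 0, False
        for _, st in evs:
            if st == 200:
                fails_so_far += 1
            elif st == 302 and fails_so_far >= min_failures_before_success:
                cracked = True
        if peak >= threshold or cracked:
            alerts[ip] = {"failures": len(failures), "peak_in_window": peak,
                          "success_after_failures": cracked}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_wp_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample data only 203.0.113.7 is reported (12 failures in one window, then a success), while the slow typo pattern from 192.0.2.5 and the clean login from 198.51.100.9 stay quiet. The second rule, success after a run of failures, is the one that matters for the case in this report: it points at the specific accounts that were actually cracked and should be reset, not just at the noisy source.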
Indicators of Compromise
- [Telegram handles/channels] primary persona and bot infrastructure – @americanpatriotus, @USGuardianEagle
- [Bot account] fraudulent engagement bot – @QFS_Terminal_Bot
- [File name] fake wallet installer and RAT delivery – StellarMonSetup.exe
- [Domain] wallet/scam infrastructure linked to token promotion – vebrf.digital
- [IP address] GoToResolve infrastructure and network connections – 213.165.51.115, 34.34.57.141, and 2 more IPs
- [API keys] stolen AI access used to run the operation – 73 likely-stolen Gemini API keys, plus 40 likely-stolen keys tested in one session
- [Wallet/account identifiers] crypto-fraud target markers – Stellar-based token HYPE, Stellar/Lobstr ecosystem references