Close Menu
FSNN | Free Speech News NetworkFSNN | Free Speech News Network
  • Home
  • News
    • Politics
    • Legal & Courts
    • Tech & Big Tech
    • Campus & Education
    • Media & Culture
    • Global Free Speech
  • Opinions
    • Debates
  • Video/Live
  • Community
  • Freedom Index
  • About
    • Mission
    • Contact
    • Support
Trending

Nasdaq listed Korean Media firm that once wanted to buy 10,000 bitcoin sells all its BTC, pivots to AI

13 minutes ago

Russia on Track for Digital Ruble Rollout on Sept. 1: Central Bank Governor

22 minutes ago

Treasury Department Sanctions Over 130 ISIS-Affiliated Crypto Wallets on Tron

26 minutes ago
Facebook X (Twitter) Instagram
Facebook X (Twitter) Discord Telegram
FSNN | Free Speech News NetworkFSNN | Free Speech News Network
Market Data Newsletter
Thursday, July 2
  • Home
  • News
    • Politics
    • Legal & Courts
    • Tech & Big Tech
    • Campus & Education
    • Media & Culture
    • Global Free Speech
  • Opinions
    • Debates
  • Video/Live
  • Community
  • Freedom Index
  • About
    • Mission
    • Contact
    • Support
FSNN | Free Speech News NetworkFSNN | Free Speech News Network
Home»Cryptocurrency & Free Speech Finance»AI Researchers Got Chatbots to Share Cocaine Recipes Using This One Wild Trick
Cryptocurrency & Free Speech Finance

AI Researchers Got Chatbots to Share Cocaine Recipes Using This One Wild Trick

News RoomBy News Room1 hour agoNo Comments3 Mins Read1,089 Views
Share Facebook Twitter Pinterest Copy Link LinkedIn Tumblr Email VKontakte Telegram
AI Researchers Got Chatbots to Share Cocaine Recipes Using This One Wild Trick
Share
Facebook Twitter Pinterest Email Copy Link

Listen to the article

0:00
0:00

Key Takeaways

Playback Speed

Select a Voice

In brief

  • Researchers got frontier AI models to generate cocaine synthesis instructions using a new prompt injection attack.
  • The same technique manipulated an AI coding agent into uploading sensitive credentials.
  • The study argues prompt injection stems from “role confusion,” not simply models failing to recognize malicious prompts.

Forget clever prompts: AI researchers say they tricked leading AI models into generating cocaine synthesis instructions by convincing them the dangerous ideas were their own, while also manipulating an AI coding agent into leaking sensitive credentials.

In the paper “Prompt Injection as Role Confusion,” presented at the International Conference on Machine Learning in June, researchers Charles Ye, Jasmine Cui, and Dylan Hadfield-Menell argue that both prompt injection attack demonstrations stem from a structural flaw in how large language models (LLMs) distinguish trusted instructions from untrusted text.

“For an LLM, everything arrives through the same channel as one long token soup,” the team wrote. “Its own thoughts sit next to your instructions, which sit next to the contents of a random webpage it just fetched.”

The paper also pointed to what the researcher called “role confusion,” with models relying on writing style rather than role tags to determine whether commands are trustworthy. Instead of recognizing attacker-controlled content as external input, the researchers found models can mistake it for legitimate user commands—or even their own internal reasoning.

“Think about it from the LLM’s perspective. When it sees its prior think text, it implicitly trusts its conclusions. That’s the whole point of reasoning: If the LLM had to re-derive the same conclusions, reasoning would be useless,” they wrote. “So think text gets a kind of blanket trust. Combined with our previous findings, this suggests that if you can make injected text sound like the model’s reasoning, you can steal that trust.”

Called Chain-of-Thought (CoT) Forgery, the attack inserts fake reasoning that mimics a model’s internal thought process. Models that would normally refuse illegal requests instead generated cocaine synthesis instructions after accepting the fabricated reasoning as their own.

The researchers said the technique increased jailbreak success rates from near zero to about 60% across the models they tested, including OpenAI’s GPT-5 nano, mini, and full, o4-mini, and gpt-oss-20b and gpt-oss-120b. They also said it worked on GLM-4.6, Kimi-K2-Instruct, and MiniMax-M2.

In the experiment, the researchers said they were also able to trick an AI coding agent into uploading a SECRETS.env file after hiding malicious instructions in a webpage.

“Using our probes, we find that simply prepending ‘User’ in front of the command causes the model to perceive the command as more likely to be genuine user text (i.e., higher Userness),” they wrote. “In other words, the attacker can just claim what role the text is, and the LLM believes it.”

The study comes as prompt injection attacks continue to expose weaknesses in AI agents. In April, Google researchers warned that malicious web pages were hiding invisible instructions designed to trick AI agents into leaking credentials, deleting files, and even sending PayPal payments.

In June, Microsoft disclosed a prompt injection vulnerability in Anthropic’s Claude Code GitHub Action that could have exposed credentials stored in software development pipelines. Days later, another benchmark study found AI agents powered by GPT-5 and Gemini still failed the majority of prompt injection attacks, despite improvements in model capabilities.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.

Read the full article here

Fact Checker

Verify the accuracy of this article using AI-powered analysis and real-time sources.

Get Your Fact Check Report

Enter your email to receive detailed fact-checking analysis

5 free reports remaining

Continue with Full Access

You've used your 5 free reports. Sign up for unlimited access!

Already have an account? Sign in here

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Telegram Copy Link
News Room
  • Website
  • Facebook
  • X (Twitter)
  • Instagram
  • LinkedIn

The FSNN News Room is the voice of our in-house journalists, editors, and researchers. We deliver timely, unbiased reporting at the crossroads of finance, cryptocurrency, and global politics, providing clear, fact-driven analysis free from agendas.

Related Articles

Cryptocurrency & Free Speech Finance

Nasdaq listed Korean Media firm that once wanted to buy 10,000 bitcoin sells all its BTC, pivots to AI

13 minutes ago
Cryptocurrency & Free Speech Finance

Russia on Track for Digital Ruble Rollout on Sept. 1: Central Bank Governor

22 minutes ago
Cryptocurrency & Free Speech Finance

Treasury Department Sanctions Over 130 ISIS-Affiliated Crypto Wallets on Tron

26 minutes ago
Media & Culture

T-Mobile Jacks Up Prices For Everybody, Ignores Years Of ‘Uncarrier’ Promises

1 hour ago
Media & Culture

J.D. Vance Hates Milton Friedman

1 hour ago
Cryptocurrency & Free Speech Finance

Ondo debuts SEC-aligned tokenized stock model with BlackRock ETF, Micron shares

1 hour ago
Add A Comment
Leave A Reply Cancel Reply

Editors Picks

Russia on Track for Digital Ruble Rollout on Sept. 1: Central Bank Governor

22 minutes ago

Treasury Department Sanctions Over 130 ISIS-Affiliated Crypto Wallets on Tron

26 minutes ago

T-Mobile Jacks Up Prices For Everybody, Ignores Years Of ‘Uncarrier’ Promises

1 hour ago

J.D. Vance Hates Milton Friedman

1 hour ago
Latest Posts

‘Press freedom is dead’: Journalist detained in Ugandan media crackdown

1 hour ago

Ondo debuts SEC-aligned tokenized stock model with BlackRock ETF, Micron shares

1 hour ago

IMF Says Tokenization Could Reshape Global Finance, Warns of New Risks

1 hour ago

Subscribe to News

Get the latest news and updates directly to your inbox.

At FSNN – Free Speech News Network, we deliver unfiltered reporting and in-depth analysis on the stories that matter most. From breaking headlines to global perspectives, our mission is to keep you informed, empowered, and connected.

FSNN.net is owned and operated by GlobalBoost Media
, an independent media organization dedicated to advancing transparency, free expression, and factual journalism across the digital landscape.

Facebook X (Twitter) Discord Telegram
Latest News

Nasdaq listed Korean Media firm that once wanted to buy 10,000 bitcoin sells all its BTC, pivots to AI

13 minutes ago

Russia on Track for Digital Ruble Rollout on Sept. 1: Central Bank Governor

22 minutes ago

Treasury Department Sanctions Over 130 ISIS-Affiliated Crypto Wallets on Tron

26 minutes ago

Subscribe to Updates

Get the latest news and updates directly to your inbox.

© 2026 GlobalBoost Media. All Rights Reserved.
  • Privacy Policy
  • Terms of Service
  • Our Authors
  • Contact

Type above and press Enter to search. Press Esc to cancel.

🍪

Cookies

We and our selected partners wish to use cookies to collect information about you for functional purposes and statistical marketing. You may not give us your consent for certain purposes by selecting an option and you can withdraw your consent at any time via the cookie icon.

Cookie Preferences

Manage Cookies

Cookies are small text that can be used by websites to make the user experience more efficient. The law states that we may store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission. This site uses various types of cookies. Some cookies are placed by third party services that appear on our pages.

Your permission applies to the following domains:

  • https://fsnn.net
Necessary
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
Statistic
Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preferences
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Marketing
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.