Spammers use OpenAI to blast 240,000 websites with unwanted messages
Embedded Files
Occurred: September 2024-January 2025
Report incident 🔥 | Improve page 💁 | Access database 🔢
Cybercriminals exploited OpenAI's GPT-4o-mini model to generate and send personalised spam messages to over 240,000 websites, bypassing detection systems and promoting fraudulent SEO services.
What happened
What happened
Spammers used the AkiraBot framework, comprising CAPTCHA bypass mechanisms, proxy services like Capsolver and OpenAI's GPT-4o-mini API, to send customised spam messages to over 240,000 websites, 80,000 of them successfully.
The messages targeted contact forms and chat widgets on small and medium-sized business platforms like Shopify, Wix, GoDaddy, and Squarespace. By tailoring the content to each website, the spam bypassed traditional filters and promoted underhand SEO services.
The messages clogged communication channels, undermined trust in affected businesses, and caused operational disruptions.
OpenAI terminated the attackers' API access after being alerted by SentinelLabs cybersecurity researchers - though only after months of undetected activity.
Why it happened
Why it happened
OpenAI's passive approach to security is seen to have allowed the spammers to operate for months before their activities were discovered.
What it means
What it means
The incident highlights vulnerabilities in website communication systems, particularly for small enterprises reliant on popular platforms.
As tools designed for legitimate purposes are increasingly weaponised, it also highlights broader societal challenges in mitigating the misuse of AI.
System 🤖
System 🤖
GPT-4o 🔗
Operator:
Developer: OpenAI
Country: Multiple
Sector: Multiple
Purpose: Create spam messages
Technology: Generative AI; Machine learning
Issue: Security
Research, advocacy 🧮
Research, advocacy 🧮
News, commentary, analysis 🗞️
News, commentary, analysis 🗞️
Page info
Type: Incident
Published: April 2025
Page updated
Google Sites
Report abuse