Cybercriminals Harness Grok AI to Circumvent Ad Protections and Distribute Malware

By Tina Reynolds

Cybercriminals have recently targeted X’s Grok, using its artificial intelligence capabilities to circumvent ad protections. In the process, they have infected millions of users with malware. Nati Tal, head of Guardio Labs, revealed some startling discoveries in a series of posts on X (formerly Twitter). He noted how sophisticated and expansive the tactic has become.

The technique, called “Grokking,” first became known last year through a popular public post from the system-trusted Grok account. The tactic takes advantage of X’s new Promoted Ads system, which mostly limits ads to text, images, or video. Grokking turns these constraints on their head, making them a powerful means of disseminating dangerous material to an enormous audience.

The Mechanism of Grokking

Grokking embeds a malicious link inside a viral thread. The thread then appears in the feeds and search results of millions of users. The links funnel users to shady advertising networks, where they are met with all sorts of trickery. Fake CAPTCHA scams are one of the scariest but most common tactics. Their purpose is to siphon sensitive information, since the malware is often specifically designed to steal personal data.

That’s the power of amplification — misleading and dangerous content like this can grab hundreds of thousands of impressions thanks to these paid boosts. Guardio Labs noted that this technique was explicitly designed to get around new limitations that X has put in place for Promoted Ads.

Nati Tal noted, “Adding to that, it is now amplified in SEO and domain reputation – after all, it was echoed by Grok on a post with millions of impressions.” This means that Grokking not only rises to the top of the platform itself, but also raises its profile in search engines.

Organized Criminal Activity

Guardio Labs’ investigation found that the malicious actors behind Grokking seem to be working with personal and organized intent. Tal remarked on the organized nature of their operations, stating, “So there are definitely many of them and it looks very organized.” This methodical approach lets them maintain a consistent presence on the platform.

Reports indicate that these malicious accounts tend to be active for several days before being suspended for violating platform policies. “They seem to be posting non-stop for several days until the account gets suspended for violating platform policies,” highlighted The Hacker News in reference to Guardio Labs’ findings.

Implications for Users

The implications of Grokking go far beyond just malware. When users are exposed to these fake links, it is not just their personal information that is at risk; they can also be targeted by financial fraud through phishing scams. The spread of such malicious content raises questions about the robustness of X’s ad protection mechanisms and the platform’s ability to safeguard its users.

Cybercriminals are always changing their game. Thus, social media companies need to do better to ensure that their platforms do not enable potential abusers to prey on users. The episode highlights the need for caution and care by consumers when interacting with paid or sponsored content on the internet.