AkiraBot: OpenAI AI-Powered Spam Campaign Hits the Web

In one of the most dangerous AI-driven digital attacks, information security researchers have revealed a malicious program named "AkiraBot".

This program flooded thousands of websites with fake messages, aiming to deceive their owners into purchasing fake search engine optimization (SEO) services.

According to concurring reports from SentinelOne (an American cybersecurity company) and The Hacker News, AkiraBot's activity began in September 2024. It targeted over 420,000 websites, actually succeeding in flooding at least 80,000 of them with spam messages.

The vast majority of these websites belong to small and medium-sized businesses (SMBs) operating on platforms such as Shopify, Wix, Squarespace, and GoDaddy.

A SentinelOne report detailed how AkiraBot operates.

The report revealed that the program uses OpenAI's API. It also relies on the GPT-4o-mini model to generate custom messages automatically sent to comment sections, contact forms, and even live chats on the targeted sites.

The messages were tailored in style for different types of websites to evade traditional detection systems.

For example, a construction company's website would receive a different message than one sent to a beauty salon's site.

However, AkiraBot's capabilities weren't limited to content creation. It could also bypass protection systems like CAPTCHA, thanks to its use of intelligent proxy services that mask the browsing source and mimic real user behavior.

Targeted systems included hCAPTCHA, reCAPTCHA, and Cloudflare Turnstile, enabling the bot to execute the attack on a large scale without drawing attention.

Analysis of the code revealed the tool uses a general template paired with custom instructions, which is then fed into the AI model to generate realistic-looking marketing messages.

An internal graphical user interface (GUI) was also observed, allowing the attacker to select the number of target websites and customize message content for each case.

SentinelOne reported that AkiraBot logged all its attempts, both successful and failed, in a file named "submissions.csv". It also sent performance reports directly to a Telegram channel, indicating the meticulous organization behind the attack.

In response, OpenAI disabled the API key associated with AkiraBot and announced it is continuing to investigate the incident.

The company also stated it is working on enhancing its systems to detect this type of abuse.

SentinelOne praised the cooperation of OpenAI's security team and their efforts in countering these types of threats.

Notably, AkiraBot is unrelated to the notorious Akira ransomware group. These attacks also coincide with the emergence of advanced hacking tools like "Xanthorox AI," which is used for developing malware and exploiting security vulnerabilities.

Security experts believe this incident highlights the growing challenges AI tools pose to internet security. This is particularly true as attackers increasingly rely on sophisticated language models to bypass technical safeguards and employ deceptive tactics that are difficult to distinguish from human behavior.