
Grokking malvertising: the new threat on X

Discover what grokking is: the new malvertising technique that exploits Grok, X’s AI, to spread deceptive malicious links.

Grokking malvertising

Table of contents

  • What is Grokking
  • How the attack works
  • Risks for users
  • Elon Musk, Grok and security
  • The role of Guardio Labs

Every new artificial intelligence tool brings with it not only opportunities but also new attack surfaces.

In recent months, researchers at Guardio Labs have identified a novel malvertising campaign, dubbed grokking, which exploits X’s (formerly Twitter) AI assistant Grok to spread malicious links and fraudulent content.

This technique is raising serious concern because it manages to bypass the platform’s protection systems, turning seemingly harmless posts into powerful vehicles for online scams.

What is Grokking

The term grokking comes from the combination of the name of the AI Grok, developed by X and strongly promoted by Elon Musk, with the practice of malvertising.

It is a particularly insidious evolution of malicious advertising: attackers publish promoted posts that at first glance appear to contain attractive content, such as sensational videos or tech deals. The real trap is hidden in the metadata: there, a malicious link is inserted that is not detected by automatic filters.

When criminals interact with their own content and call on the AI assistant Grok, the assistant, which is treated as a trusted system, extracts that link and displays it clearly in its responses. In practice, it is as if the platform itself were validating the content, boosting the scam’s credibility.

How the attack works

Grokking malvertising follows a precise pattern:

  • Publication of bait posts with links hidden in the metadata.
  • Targeted interaction with AI Grok, which “reveals” the hidden link by responding publicly.
  • Distribution of the content via promoted posts, amplifying its reach to thousands of users.
  • Driving traffic to fraudulent websites that simulate CAPTCHA checks, request personal data, or prompt the download of malicious software.

This strategy marks a leap forward compared to traditional malvertising, because it exploits a trusted artificial intelligence system to guarantee greater visibility and apparent reliability.
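
A defender-side check for the pattern described above, as an added example that is not code from Guardio Labs or X: it flags posts whose non-visible fields carry a URL missing from the visible text, and records when an assistant reply repeats that URL. The record layout, the field names, the `assistant_bot` handle and the sample data are constructed assumptions, not a real platform schema.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def urls_in(value):
    """Collect URLs from every string inside a nested dict/list structure."""
    if isinstance(value, str):
        return {u.rstrip(".,;)") for u in URL_RE.findall(value)}
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, (list, tuple)):
        return set().union(*(urls_in(v) for v in value))
    return set()

def assess(post, replies, assistant="assistant_bot"):
    """Flag URLs that sit only in non-visible fields and are repeated by the assistant."""
    visible = urls_in(post.get("text", ""))
    hidden = urls_in({k: v for k, v in post.items() if k != "text"}) - visible
    surfaced = set()
    for reply in replies:
        if reply["author"] == assistant:
            surfaced |= urls_in(reply["text"]) & hidden
    promoted = bool(post.get("promoted"))
    return {
        "post_id": post["id"],
        "hidden_links": sorted(hidden),
        "surfaced_by_assistant": sorted(surfaced),
        # Hold when a hidden link is amplified by promotion or by the assistant.
        "hold_for_review": bool(hidden) and (promoted or bool(surfaced)),
    }

# Constructed sample records (hypothetical field names and example domains).
BAIT_POST = {"id": "p1", "text": "You won't believe this video", "promoted": True,
             "metadata": {"source_label": "https://redirect.example/offer"}}
BAIT_REPLIES = [
    {"author": "acct_123", "text": "@assistant_bot where is this video from?"},
    {"author": "assistant_bot", "text": "It comes from https://redirect.example/offer."},
]
BENIGN_POST = {"id": "p2", "text": "Read more at https://news.example/story",
               "promoted": False, "metadata": {"card_url": "https://news.example/story"}}

if __name__ == "__main__":
    print(assess(BAIT_POST, BAIT_REPLIES))
    print(assess(BENIGN_POST, []))
```
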

Risks for users

Users who interact with links generated through grokking face numerous risks. In addition to the classic data theft via malware, there are automatic redirects to suspicious ad networks and traffic distribution systems (TDS), which monetize visits by leading users to deceptive content.

The most common consequences are:

  • exposure to ransomware and trojans;
  • fraudulent requests for personal data;
  • forced installation of compromised software;
  • financial fraud tied to cloned sites of well-known platforms.

In some cases, the grokking malvertising technique has already been linked to large-scale campaigns, with thousands of posts published within hours by coordinated accounts—a clear sign of organized criminal groups at work.

Elon Musk, Grok and security

Attention on this issue is also growing because AI Grok represents one of the most innovative projects pushed by Elon Musk to turn X into a platform powered by artificial intelligence.

However, every tool based on AI inevitably carries the risk of abuse. In the case of grokking, the AI assistant Grok has been unwittingly turned into an ally of criminals, leveraging its reputation and user trust.

The problem is not just technological but systemic: when a trusted system becomes the very vehicle of the threat, users are led to believe the content is legitimate.

The role of Guardio Labs

The discovery of grokking malvertising is credited to researchers at Guardio Labs, who analyzed its spread dynamics and identified the behavioral patterns of cybercriminals. According to reports, hundreds of accounts are already involved in the campaign and thousands of posts have been analyzed.

The criminal activity shows an organized structure: once suspended, the accounts reappear under new names, replicating the scheme. This makes defense particularly complex and highlights the urgency of updating the platform’s monitoring systems.

Conclusion

Grokking marks a turning point in the world of malvertising, because it exploits the reputation of an official AI assistant to spread malicious links to a massive audience. The challenge for X and cybersecurity firms will be to block these campaigns without limiting Grok’s features, which remain a central element of Elon Musk’s vision for the platform’s future.

In the meantime, users must be more aware than ever: no content, not even if shared by a trusted system, is immune from potential manipulation.
