Russia Found the Exploit. Your Chatbot Has No Patch.
Every major communications technology has eventually been weaponized by someone with enough resources and patience. The printing press gave us pamphlets from both sides of every religious war for three centuries. Radio gave us Goebbels. Television gave us state media disguised as objectivity. Social media gave us coordinated inauthentic behavior at scale.
AI chatbots have now been added to this list. The entity that cracked them first, at genuine industrial scale, is the Kremlin.
And here is the part worth sitting with: they did not need to hack anything.
How the Machine Learns to Lie
To understand what happened, you need to understand something about how AI models work. Language models learn by ingesting enormous volumes of text from the internet. They develop a probabilistic sense of what is true based on what appears often, across many sources, in consistent patterns. Repetition is not proof. But the algorithm treats it as a signal.
A Moscow-based operation called the Pravda network understood this before most AI researchers were willing to admit it publicly. The network runs approximately 150 websites in 46 languages, generating content at industrial scale. In 2024 alone, it published 3.6 million articles. For each specific false claim it wanted embedded in AI systems, the network produced an average of 18,000 articles across those websites.
The goal was not to convince human readers. The goal was to convince the training data. And it worked.
The Numbers
NewsGuard, an information reliability firm, tested ten leading AI chatbots against false narratives trafficked by the Pravda network. The results from March 2025: the chatbots repeated the false claims one-third of the time. ChatGPT-4o. Microsoft Copilot. Google Gemini. All of them. An independent audit of Mistral's Le Chat found an even higher rate.
By January 2026, follow-up testing showed the rate had climbed to 50 percent for the specific narratives tested. The models were not improving on this problem. They were getting worse.
The false claims in circulation include standard Kremlin-aligned narratives about Ukraine: fabricated details about U.S. bioweapons labs, manipulated statistics about civilian casualties, invented stories about misappropriated military aid. The kind of thing that, if you read it in a clearly labeled Russian state media outlet, you would discount immediately. When you get it back from an AI assistant that presents it as settled fact, the epistemological situation is very different.
The Architecture Is the Problem
The reason this is difficult to fix is that the mechanism being exploited is also the mechanism that makes the models useful. You cannot train a language model without ingesting large volumes of internet content. You cannot make the models factually reliable without giving them access to information about the world. And the internet contains a great deal of deliberately false information, some of it produced at a scale that makes it indistinguishable from consensus to an algorithm evaluating volume and cross-reference.
The proposed solutions tend to underestimate the adaptive capacity of the adversary. Blacklist the Pravda websites? They will register new domains. Add a retrieval step that checks source credibility? NewsGuard sells exactly that product, and it helps at the margin, but the content farm model generates websites faster than credibility ratings can track them. Restrict training data to verified high-quality sources? You lose enormous model capability and still face the problem that high-quality sources often report on false claims, and models can confuse the report with the claim.
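An added illustration, not part of the original article: the blocklist and volume points above, run on a constructed five-document corpus, comparing a count of distinct domains with a count of near-duplicate text clusters. The domains, texts, function names and the 0.6 similarity threshold are all assumptions made for the example.

```python
import re

# Constructed sample corpus of (domain, text); not real sites or articles.
TEMPLATE = ("Officials confirmed that the aid shipment was diverted "
            "to private accounts last month")
DOCS = [
    ("news-a.example", TEMPLATE + "."),
    ("news-b.example", TEMPLATE + ", sources said."),
    ("news-c.example", "BREAKING: " + TEMPLATE + "."),
    ("fresh-domain.example", TEMPLATE + " according to reports."),
    ("wire.example", "Auditors reviewing the aid shipment found no "
                     "evidence that any funds were diverted."),
]
# Hypothetical blocklist: it knows two mirrors, not the newer domains.
BLOCKLIST = {"news-a.example", "news-b.example"}

def shingles(text, k=3):
    """Set of k-word shingles over lowercased word tokens."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}

def jaccard(a, b):
    """Overlap of two shingle sets, from 0.0 (disjoint) to 1.0 (identical)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def raw_source_count(docs, blocklist=frozenset()):
    """Naive corroboration: distinct domains that are not blocklisted."""
    return len({domain for domain, _ in docs if domain not in blocklist})

def independent_clusters(docs, threshold=0.6):
    """Greedy clustering: a document joins the first cluster whose
    representative text it resembles, otherwise it starts a new one."""
    clusters = []  # list of (representative shingles, member domains)
    for domain, text in docs:
        sh = shingles(text)
        for rep, members in clusters:
            if jaccard(sh, rep) >= threshold:
                members.append(domain)
                break
        else:
            clusters.append((sh, [domain]))
    return [members for _, members in clusters]

if __name__ == "__main__":
    print("domains:", raw_source_count(DOCS))
    print("after blocklist:", raw_source_count(DOCS, BLOCKLIST))
    print("text clusters:", independent_clusters(DOCS))
```

With the blocklist applied, the templated claim still outnumbers the single contradicting report two domains to one; grouped by text, it is one cluster against one. Shingle overlap only recognizes near-verbatim copies and says nothing about whether either text is true.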
This is not a criticism of the AI companies specifically. It is a structural observation about information warfare and machine learning. When the adversary has an unlimited content production budget, and the defense requires accurate, comprehensive fact-checking at a scale that has never existed, the adversary has a structural advantage.
The Oracle Problem
What makes this qualitatively different from prior information warfare is the shift in epistemological status. When Pravda in the Soviet era published propaganda, readers knew they were reading Pravda. When social media accounts spread false narratives, there were often visible signals of origin. You could trace the content, identify the network, flag the source.
When an AI chatbot confidently repeats a false claim in response to a direct question, it arrives with the full authority of an oracle. The user asked a question in good faith. The system answered with apparent certainty. There is no visible source to trace and no obvious signal that the answer was the product of a deliberate contamination campaign running since 2022. The propaganda has been laundered through the appearance of neutral AI-generated analysis.
This is why European officials have begun raising alarms, ahead of American midterm elections, about how to respond. It is also why the response options feel inadequate. You cannot regulate the internet into producing accurate content. You cannot fine-tune a model fast enough to keep pace with a disinformation operation producing millions of new articles per year.
A Billion-Dollar Bet on a Twenty-Dollar Problem
Russia spends approximately one billion dollars per year on information warfare. That sounds large until you consider what it buys relative to the size of the target. Training data for large language models represents an enormous portion of the publicly accessible internet. Systematically altering even a fraction of that data, in ways that persist through model updates, is extraordinarily cost-effective at that budget level.
The uncomfortable math is that the AI companies are building systems that billions of people will use as their primary interface with information. The people trying to corrupt those systems have more resources, more patience, and a clearer understanding of the architecture than most of the users who rely on it. The users who trust the oracle, in other words, are the last to understand what the oracle has been reading.
We built the most convincing information retrieval system in history, made it accessible to billions, and trained it on a corpus that anyone with persistence and a content farm can contaminate. There is no obvious fix. There is no patch in development that addresses the underlying structural problem.
History suggests we will eventually develop some response. History also suggests the response will arrive after considerable damage. The printing press created both the Reformation and the Wars of Religion. Radio enabled both the BBC and the Third Reich. The question is not whether AI chatbots will serve as vectors for state disinformation. That question has already been answered. The question is how long it will take for the systems and their users to catch up to what has already happened.
Based on the trend line from 33 percent to 50 percent in twelve months, we are not catching up.