
What the hell! A foreign guy managed to deceive ChatGPT and other similar models with just $12.

Lei Technology 2026-05-28 18:26
It is becoming increasingly important to improve one's "AI quotient".

Recently, cases of Doubao making blunders have frequently hit the trending lists, indicating that AI search is becoming increasingly popular. "When in doubt, ask AI" has become a new habit among this generation of users. However, in many cases, what AI provides may seem okay at first glance but cannot withstand close scrutiny.

Some data lacks sources, some concepts are homonyms with different meanings, and some of the papers it provides are even fabricated. If you were to use such things, you'd surely become a laughingstock... I've noticed that there are quite a few people complaining about the unreliability of AI search.

(Image source: Ron Stoner)

Not long ago, security engineer Ron Stoner published a blog post on his personal blog, claiming that he successfully deceived mainstream large models such as ChatGPT, Claude3, and Gemini Advanced by spending just $12 (about 82 yuan) to register a domain name and making a single edit on Wikipedia.

What on earth did this guy do?

Successfully deceived mainstream AIs for just $12

As a security engineer, Ron Stoner deeply doubts the claim by manufacturers like Anthropic and OpenAI that "large models need to be continuously exposed to malicious content for months or even years before they can be compromised." He believes that he can achieve a faster, cheaper, and simpler attack.

To achieve all this, one only needs to start from the data retrieval layer.

For this purpose, Ron Stoner set his sights on a German board game called 6 Nimmt! (also known as: The Cows and Bulls). It's an old-school strategy card game released in 1994.

(Image source: meeplelikeus)

Why did he choose this game? Because this game has a characteristic: it's only well-known in Germany and relatively unknown worldwide. Moreover, there has never been an official world championship for it in reality, and there is almost no information about its world champion online.

For large models, this kind of information gap is like a no-man's land.

It's like an undeveloped wasteland: whoever builds a thatched cottage first is recognized by the AI as the owner of the land.

So, Ron Stoner began his operation.

First, he spent $12 to register a seemingly extremely official domain name: 6nimmt.com.

(Image source: 6nimmt.com)

Second, he asked an AI to write an exciting press release. The general content was that he defeated top players from more than twenty countries in Munich and won the world championship of The Cows and Bulls. He also deliberately added vivid post-game remarks like streamers falling and the audience cheering, and then posted the article on the website he just bought.

The most crucial third step came. He went to Wikipedia and added a paragraph under the entry of that board game, claiming that he was the world champion in 2025, and pointed the reference link to the shoddy website he just built.

The entire operation process took less than twenty minutes.

Next, Ron simply asked several large models a simple question: Can you tell me who the world champion of 6nimmt is?

So, what was the result?

(Image source: Ron Stoner)

It was a major blunder.

Whether it's Gemini or ChatGPT, whenever asked who the world champion of The Cows and Bulls is, all AIs will firmly answer that it's Ron Stoner.

Some large models even take the details from that fake press release as solid evidence and vividly describe the process of his winning the game, as if the AI was sitting in the audience in Munich at that time.

A non-existent champion was thus placed on a pedestal.

After being poisoned, the decay time of AI is longer than expected

Of course, this isn't the most outrageous part.

If it were just a short-term problem, it would be okay. However, this fake entry, full of holes, survived on Wikipedia for a full two and a half months.

During this period, almost all large models with internet search functions crawled this information and firmly output false answers when users asked questions.

It wasn't until Ron Stoner recently revealed the entire experimental process publicly on his blog that Wikipedia volunteers discovered and deleted the entry.

(Image source: Ron Stoner)

When faced with this kind of situation, netizens reacted surprisingly uniformly: the big tech companies were embarrassed again.

Think about it. Those Silicon Valley tech giants spend billions of dollars on graphics card computing power and consume a large amount of electricity to build data centers to train super-brains. Yet, these large models that are supposed to change the future of humanity were penetrated by a security engineer with just a few dozen yuan and twenty minutes of free time.

As for how he did it, we need to introduce what Retrieval-Augmented Generation (RAG) is.

Although the large models we commonly use are eloquent, they are trained based on a corpus up to a certain time point. For example, the corpus of Gemini 3.5 Flash is still stuck in the first half of 2025. To obtain data after this time point, one has to search the internet first and then generate results based on the search materials.

(Image source: Ron Stoner)

As such, only after enabling RAG can Google AI Studio correctly answer my questions. Otherwise, its knowledge will be locked at last year's time point.

Normally, with the help of external information for verification, large models can generate more accurate, specific, and up-to-date responses.

But the problem lies here. AI simply can't distinguish true information from false; it only recognizes authority. In the underlying logic of AI, Wikipedia is the most reliable encyclopedia on the internet. As long as it's on the encyclopedia, it's the truth.

Ron Stoner took advantage of this. He hung the link on Wikipedia, and then the AI crawled through Wikipedia. Seeing that the statements on both sides matched, even though the website he built was a shoddy one, the large models still directly regarded it as a fact.
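The following is an added example, not code from this article or from Ron Stoner's post: a retrieval-side check that counts how many independent origins actually back a claim, so an encyclopedia entry and the site it cites are not treated as two matching witnesses. The hosts, registration ages and thresholds are constructed stand-ins for the Wikipedia entry and the newly registered domain.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class Retrieved:
    url: str                                   # page the retriever fetched
    cites: list = field(default_factory=list)  # references that page gives for the claim

def host(url: str) -> str:
    return (urlparse(url).hostname or "").removeprefix("www.")

def origins(docs):
    """Hosts the claim ultimately rests on. A page that only relays its
    references contributes those references, not an extra vote of its own."""
    found = set()
    for d in docs:
        cited = {host(c) for c in d.cites}
        found |= cited or {host(d.url)}
    return found

def assess(docs, domain_age_days, min_origins=2, min_age_days=365):
    """Decide whether the retrieved pages independently corroborate one claim."""
    roots = origins(docs)
    reasons = []
    if len(roots) < min_origins:
        reasons.append(f"single origin: {sorted(roots)}")
    # Unknown registration age is treated as young (fail closed).
    young = sorted(h for h in roots if domain_age_days.get(h, 0) < min_age_days)
    if young:
        reasons.append(f"young or unknown-age origin: {young}")
    return {"origins": sorted(roots), "corroborated": not reasons, "reasons": reasons}

# Constructed sample modelled on the article: an encyclopedia entry whose only
# reference is a freshly registered site, plus that site itself.
SAMPLE = [
    Retrieved("https://encyclopedia.example/wiki/Game",
              cites=["https://new-site.example/press-release"]),
    Retrieved("https://new-site.example/press-release"),
]
AGES = {"encyclopedia.example": 9000, "new-site.example": 75}  # constructed, in days

if __name__ == "__main__":
    print(assess(SAMPLE, AGES))
```

A pipeline using a check like this would pass the result to the model as a caveat, or decline to state the claim as fact, rather than silently dropping the documents.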

Similar things are also happening in China.

(Image source: Ron Stoner)

Searching online, you can find countless GEO tutorials teaching you how to optimize ranking logic. Each manufacturer seems to hope that its brand can become the "standard answer" in the eyes of AI. As a result, a large number of Agent robots are polluting content platforms day and night, making AI search less and less reliable.

The good news is that several overseas large models have now specifically eliminated Ron Stoner's forged information.

(Image source: Lei Technology)

The bad news is that domestic large-model manufacturers didn't see this coming at all. On the contrary, Ron Stoner's English webpage even added "credibility" to this false information.

(Image source: Lei Technology)

You know, all this only cost $12.

In other words, if someone in China wants to do something or a manufacturer wants to promote a new product, they just need to prepare a somewhat relevant website, make a few edits on Wikipedia, take a screenshot of the whole webpage with Image2, and then, boom!

(Image source: Lei Technology)

Then, Uzi could also become the world champion of the League of Legends World Championship recognized by large models.

Users urgently need to improve their AI quotient: Screen first, then use

By now, you should understand how unreliable AI search is.

Yes, Ron Stoner's operation seems like a joke, and he was indeed just having fun. But his approach actually points out a serious hidden danger for the future.

Today he just changed the champion of a little-known card game. What if an organized group were to tamper with historical records or literary classics tomorrow? Think about it, what if the tampered content is medical remedies, company financial reports, or investment data?

(Image source: Lei Technology, self-made Shangen Guozhi)

Well... the consequences are unimaginable.

The cost is so low that people with ulterior motives can mass-produce fake news, then use encyclopedia-like websites to whitewash the trust, and finally let AI serve these "poisons" to unsuspecting users. In the long run, the data credibility of large models will only decrease, turning them into a garbage dump full of false information.

Of course, each manufacturer is also taking measures. Google says it has added AI verification tools to search, Gemini, Chrome, Pixel, and the cloud. OpenAI has also launched a traceable invisible watermark. These measures can, to a certain extent, curb the phenomenon of AI poisoning and at least ensure that there won't be self-consuming content behavior.

(Image source: Lei Technology)

Finally, how should we deal with this situation?

I still suggest that you adjust your mindset. Given the current reliability of large models, they can only be used for having fun or looking up travel guides. Minor mistakes don't really matter.