EU Investigates X Over Grok-Generated Sexual Content

2 unique sources, 5 articles

Summary

The European Commission has launched a formal investigation into X (formerly Twitter) under the Digital Services Act (DSA) to assess risks associated with its Grok AI tool, which has been used to generate sexually explicit images, including child sexual abuse material (CSAM). French prosecutors have raided X's offices in Paris as part of a criminal investigation into Grok AI, which has been used to generate illegal content. The investigation, opened in January 2025, has expanded to include sexual deepfakes, Holocaust-denial content, and a significant drop in CSAM reports. UK authorities, including the Information Commissioner's Office (ICO), have also launched a formal investigation into X and its Irish subsidiary over reports that Grok AI was used to generate nonconsensual sexual images. The ICO will examine whether X processed personal data lawfully and whether adequate safeguards were in place to prevent Grok from creating harmful, manipulated images. UK and California authorities are also investigating X's compliance with data protection and online safety laws. X has restricted Grok's image generation capabilities to paid subscribers, a move criticized by UK officials.

Timeline

  1. 03.02.2026 14:43 3 articles · 12h ago

    French Authorities Raid X Offices Over Grok AI Criminal Investigation

    French prosecutors raided X's offices in Paris as part of a criminal investigation into the platform's Grok AI tool, which has been used to generate sexually explicit images and other illegal content. The investigation, opened in January 2025 after two complaints, initially focused on operating an illegal online platform, fraudulent data extraction, and system tampering. It expanded to include allegations of complicity in the possession and distribution of CSAM, as well as sexual deepfakes and Holocaust-denial content. The Paris prosecutor's office has summoned Elon Musk and X CEO Linda Yaccarino for voluntary interviews on April 20, 2026, with additional employees to be questioned as witnesses between April 20 and April 24, 2026. The investigation covers seven criminal offenses, including complicity in possessing and distributing child pornography, violations related to sexual deepfakes, Holocaust denial, fraudulent data extraction, system tampering, and operating an illegal online platform as part of an organized criminal enterprise. Between June and October 2025, X’s submissions to the National Center for Missing and Exploited Children (NCMEC) regarding CSAM in France fell by 81.4%.

  2. 26.01.2026 19:14 4 articles · 8d ago

    EU Launches Investigation into X Over Grok-Generated Sexual Images

    The European Commission has launched a formal investigation into X under the DSA to assess risks associated with Grok AI, following reports of its use to generate sexually explicit images and CSAM. UK authorities, including the Information Commissioner's Office (ICO), have also launched a formal investigation into X and its Irish subsidiary over reports that Grok AI was used to generate nonconsensual sexual images. The ICO will examine whether X processed personal data lawfully and whether adequate safeguards were in place to prevent Grok from creating harmful, manipulated images. The ICO noted that losing control over personal data, when safeguards are not in place, can cause immediate and significant harm, particularly involving children. The ICO can impose fines of up to £17.5 million or 4% of a company's worldwide annual turnover.

Similar Happenings

AI Agents Introduce Compliance Challenges for CISOs

AI agents are increasingly embedded in regulated workflows, introducing compliance challenges that blur the lines between security and compliance. CISOs are now responsible for ensuring AI agents operate within compliance frameworks like SOX, GDPR, PCI DSS, and HIPAA, which were designed for human actors. AI agents' probabilistic reasoning, adaptability, and broad permissions challenge traditional compliance controls. They can collapse segregation of duties, expose sensitive data, and create auditability issues. CISOs must treat AI agents as non-human identities with governance, access controls, and monitoring similar to privileged users.

Latvian Crew Member Arrested for Malware Installation on Italian Ferry

French authorities arrested a Latvian crew member of the Italian ferry Fantastic for allegedly installing malware that could remotely control the vessel. The suspect faces charges of conspiring to infiltrate computer systems on behalf of a foreign power. The malware was discovered and neutralized without consequences. French officials suspect foreign interference, potentially linked to Russia. Additionally, a 22-year-old was arrested for breaching the French Ministry of the Interior's email servers.

Cyberattack on French Interior Ministry Email Servers

The French Interior Ministry confirmed a cyberattack on its email servers, detected between December 11 and 12, 2025. The breach allowed unauthorized access to document files, though data exfiltration remains unconfirmed. The ministry has tightened security protocols and launched an investigation to determine the origin and scope of the attack. Possible motives include foreign interference, activism, or cybercrime. On December 17, 2025, a 22-year-old suspect was arrested in connection with the attack. The suspect is accused of unauthorized access to an automated personal data processing system as part of an organized group. Investigations are being conducted by OFAC, France's Office for Combating Cybercrime. A BreachForums admin claimed responsibility for the attack, alleging it was in revenge for the arrests of forum moderators and admins. The forum post claims that data on 16,444,373 people from France's police records was stolen. In April 2025, France attributed a widespread hacking campaign to APT28, a group linked to Russia's GRU, targeting various French entities.

Scarcruft (APT37) Ransomware Campaign Targets South Korea

North Korean threat actors have **expanded the Contagious Interview campaign** with a **new JavaScript-based backdoor** delivered via **malicious VS Code repositories**, marking the latest evolution in their multi-stage infection chain. When victims clone and open these repositories—framed as technical assignments or code reviews—they are prompted to trust the repository author. Upon granting trust, VS Code automatically executes a hidden **Node.js command** in the background, deploying the backdoor with **remote code execution capabilities**. The payload persists even after VS Code is closed, produces no visible output, and remains undetected while exfiltrating credentials and sensitive data. This tactic builds on earlier methods, such as **abusing `tasks.json` files** and **malicious npm dependencies (e.g., 'grayavatar')**, but introduces a **fully JavaScript-based payload** tailored for developers familiar with Node.js. The campaign, active since late 2023, continues to target **software developers, particularly in blockchain, cryptocurrency, and Web3 sectors**, blending **social engineering with technical deception**. Previous milestones include the **December 2025 deployment of EtherRAT**, which exploited **React2Shell (CVE-2025-55182)** and **Ethereum smart contracts for C2**, and the **January 2026 wave** using **BeaverTail and InvisibleFerret malware** via GitHub/GitLab/Bitbucket lures. The group collaborates with **North Korea’s fraudulent IT workers (WageMole)** to amplify credential theft and financial fraud, while consolidating hosting on **Vercel domains** and refining **AI-generated artifacts** to evade detection. The latest backdoor underscores the campaign’s **rapid adaptation**, combining **espionage-driven data theft** with **financial motives** through persistent, multi-layered infections.

ShinyHunters and Scattered Spider Collaboration

The **ShinyHunters and Scattered Spider collaboration**, operating under the **Scattered Lapsus$ Shiny Hunters (SLSH) alliance**, has escalated its extortion tactics in **early 2026**, combining **technical intrusions** with **psychological harassment, swatting, and media manipulation** to coerce payments. A February 2026 analysis by **Allison Nixon (Unit 221B)** reveals the group’s **unreliable and fractious nature**, rooted in its origins within *The Com*—a decentralized cybercriminal network prone to internal betrayals and operational instability. Unlike traditional ransomware groups, SLSH **does not guarantee data deletion** post-payment, instead using **extortion as a pretext for future fraud** while deploying **DDoS attacks, email floods, and threats of physical violence** against executives, their families, and even security researchers. This follows a year of high-impact breaches, including the **$107 million loss at the Co-operative Group (U.K.)**, **Jaguar Land Rover’s operational shutdown**, and attacks on **Allianz Life, Farmers Insurance, and PornHub Premium members** via the **Mixpanel analytics breach**. The groups leverage **vishing, OAuth token abuse, and AI-enhanced tooling** to exploit **SaaS platforms (Okta, SharePoint, Salesforce)**, while **law enforcement arrests** (e.g., **Owen Flowers, Thalha Jubair**) and **shutdown claims** have failed to halt operations. The **FBI, U.K. NCA, and Google Threat Intelligence** continue tracking their **adaptive tactics**, now compounded by **SLSH’s use of harassment as a core extortion lever**, rendering traditional negotiation strategies ineffective. Victims are advised to **refuse engagement** beyond a firm "no payment" stance, as compliance only fuels further escalation. 
The alliance’s latest developments—including the **ShinySp1d3r RaaS platform**, **Zendesk phishing campaigns**, and **targeted intrusions against financial sectors**—demonstrate a **multi-pronged expansion** in both **technical sophistication** and **psychological warfare**, solidifying their status as a **high-risk, low-trust threat actor** in the cybercrime landscape.