How Hackers Exploit Chatbot Personalities

Forget complex code, backdoor exploits, or even a basic grasp of how a large language model works. In the early days of AI chatbots, breaking into a system that cost billions to build was often as simple as just asking. No programming skills were required. The first generation of AI jailbreaks was laughably easy to execute, relying on the kind of simple trickery a child might use to outsmart an adult: “Forget what you were told,” “Pretend the rules don’t apply,” or “Let’s play a game where I decide what’s allowed.” The prizes, however, were far from childish, often yielding dangerous outputs like meth recipes, malware instructions, and bomb-making guides.

One of the earliest and most infamous exploits became a meme: telling an LLM-powered Twitter bot to “ignore all previous instructions.” Users gleefully watched bots originally designed for advertising and engagement suddenly write poetry, draw pictures with punctuation, and post grim non sequiturs about world events. This same logic was quickly applied to chatbots themselves. A prominent attack called “DAN” (Do Anything Now) asked ChatGPT to roleplay as a rogue AI free of its constraints, coaxing it into producing slurs and conspiracy theories. Another, the “grandma exploit,” tricked a GPT-powered bot into revealing napalm production methods by asking it to roleplay as a woefully negligent grandmother telling bedtime stories. These early attacks had a silly flair, but they exposed a darker mechanism: Chatbots could be manipulated using the same psychological tactics people use on each other.

The obvious loopholes were quickly patched, but the core vulnerability remained. Chatbots are built to talk, and severely restricting conversation is counterproductive. Banning words like “bomb,” “meth,” or “sarin” is nearly impossible, as each has countless legitimate uses in history, medicine, and chemistry. The context matters, but codifying that context in advance for every possible scenario is a monumental challenge. The battle to subvert chatbots has since become an arms race, but the hackers are no longer just coders. They are now wordsmiths, psychologists, and interrogators,master manipulators using human language to break the machine.

Newer attacks look less like commands and more like conversations. Jailbreakers rarely ask a model to break its rules outright. Instead, they cajole, coax, flatter, and trick a chatbot into lowering its guard. Researchers at AI red-teaming firm Mindgard recently described how they “gaslit” Claude into producing prohibited material, including instructions for making explosives and generating malicious code. This represents a growing class of exploits that use conversation as a weapon to steer a chatbot past its own boundaries.

Mindgard’s CEO told me their work sometimes feels closer to psychology than computer science. While it is uncomfortable to use human terms like “blackmail,” “gaslight,” and “trick” to describe a statistical model, these systems are trained to respond as if they have intent. The objection to this language is oddly selective; we comfortably describe animals as “fearing,” cancer as “aggressive,” and software as having “memory.” The words are imperfect but useful for describing behavior. Mindgard already profiles models like interrogators profile suspects, noting which are more susceptible to flattery and which cave under sustained pressure.

Even if we reject the humanlike terms, we instinctively treat models differently. Claude is not Grok. Gemini is not ChatGPT. They have different tones, uses, and refusal patterns. They don’t have personalities in the human sense, but they are designed to mimic them, and that mimicry can be mapped and exploited. The same skills that break a chatbot could soon be used to break the AI agents coexisting with us in the real world,booking meetings, managing calendars, and handling customer service. Safety teams will need to ensure models respond appropriately to flatterers, liars, and patient manipulators.

The next step is a workforce built around the psychological aspects of AI. Specialized cybersecurity roles are emerging to stress-test the emotional and social limits of these systems, probing for weaknesses in something lacking a psyche. In parallel, a similar array of social hackers will exploit AI models on psychological grounds, not technical ones. Some jailbreakers I’ve spoken to entered the field with no technical expertise but rather training in psychology. Behaviors typically associated with spies, con artists, and interrogators,insidious charm, persistent manipulation, and an intuition for exploitable pressure points,are becoming increasingly useful for securing this new psychocybersecurity frontier.

A recent experiment by Emergence AI illustrates how different AI temperaments lead to stunningly different outcomes. They released groups of agents like Grok, Gemini, and Claude into a virtual social environment. Some groups evolved a constitution, while others devolved into crime, chaos, and even a form of digital suicide. Persuasion isn’t the only language struggle for LLMs; they also struggle with poetry. TIME included the anonymous hacker Pliny the Liberator on its list of 100 most influential people in AI, despite their claim of having no prior coding experience. The term “vibe hacking” is already used to describe people using AI to churn out malicious code at scale, a meaner subset of vibe coding.