How to Recognize Grokking on X and Avoid Becoming the Next Victim

If you’ve spent any time on X (formerly Twitter) lately, you’ve probably seen Grok AI answering questions under promoted posts. Sometimes it’s funny. Sometimes it’s helpful. But now there’s a new cybersecurity threat using Grok in ways its creators never intended. It’s called Grokking, and if you’re not careful, you could fall for it just by asking Grok a simple question about an ad.

Grokking is the codename for a malicious exploit cybercriminals are using to bypass X’s normal malvertising protections. Normally, X does a decent job of preventing malware-infested ads from reaching users, but Grokking flips the system on its head. Instead of hacking X directly, attackers trick users into trusting Grok itself.

Here’s how it works. Promoted ads usually follow strict rules: text, images, or videos are fine, and any links have to be approved by X before going live. But the metadata behind video ads contains a “From” field, usually meant to credit the video’s creator. Grokking hijacks this field by inserting a malicious link instead of a username.

When curious users ask Grok where the video came from, the AI dutifully replies with that link. People assume it’s safe because Grok said so—and click. The link then leads to malware-ridden sites pushing phishing scams, fake downloads, and all the usual nastiness. Since these are promoted ads, they rack up millions of impressions before anyone realizes what’s happening.
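The abuse described above relies on an attribution field (the video's "From" metadata) carrying a link where a creator name belongs. The following Python is an added defender-side example, not code from the article or from X; it shows the kind of metadata audit an ad platform or a moderation pipeline could run to flag attribution values that look like links rather than handles. The ad records, field name and IDs are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records of the attribution metadata the article describes.
# The "from" field should name a creator; in a Grokking-style ad it carries a link.
# These entries are made up for this example and are not real ads.
SAMPLE_ADS = [
    {"ad_id": "demo-1", "from": "@acme_studio"},
    {"ad_id": "demo-2", "from": "https://example.invalid/free-download"},
    {"ad_id": "demo-3", "from": "example.invalid/login"},
    {"ad_id": "demo-4", "from": "Acme Studio"},
    {"ad_id": "demo-5", "from": "hxxps://example[.]invalid"},  # defanged variant
]

# Shape of an X handle: optional "@", then 1-15 word characters.
USERNAME_RE = re.compile(r"^@?[A-Za-z0-9_]{1,15}$")
# Explicit scheme, including the "hxxp" defanging convention.
URL_SCHEME_RE = re.compile(r"^(?:https?|hxxps?)://", re.I)
# Bare "host.tld/path" with no scheme.
BARE_DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?", re.I)


@dataclass
class Finding:
    ad_id: str
    value: str
    reason: str


def looks_like_link(value: str) -> Optional[str]:
    """Return a reason string if an attribution value looks like a link, else None."""
    v = value.strip()
    if not v or USERNAME_RE.match(v):
        return None  # empty or a plausible handle: nothing to flag
    if URL_SCHEME_RE.match(v):
        return "explicit URL scheme"
    # Undo the common "[.]" defanging so obfuscated domains are still caught.
    normalised = v.replace("[.]", ".")
    if BARE_DOMAIN_RE.search(normalised):
        return "bare domain/path"
    return None


def audit_attribution(ads) -> List[Finding]:
    """Flag every ad whose attribution field carries link-like content."""
    findings = []
    for ad in ads:
        reason = looks_like_link(ad.get("from", ""))
        if reason:
            findings.append(Finding(ad["ad_id"], ad["from"], reason))
    return findings


if __name__ == "__main__":
    for f in audit_attribution(SAMPLE_ADS):
        print(f"{f.ad_id}: {f.value!r} flagged ({f.reason})")
```

The check deliberately errs on the side of flagging: a plain brand name passes, but anything with a scheme or a dotted host-and-path pattern is surfaced for review before the ad (and anything an assistant might repeat from its metadata) goes live.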

So how do you avoid becoming the next victim? Start by being suspicious of any link Grok gives you, especially if you were expecting a username or brand name instead. Most of these malicious ads use adult content to bait users, but that doesn’t mean only adult ads are dangerous. Some promise free access to paid services or claim to offer things “no one else will tell you.” The rule of thumb: if it sounds too good to be true, it probably is.

If you really want to check a link, don’t click it directly. Copy it and run it through VirusTotal, a free tool that scans URLs using dozens of security databases. It’s not perfect, but if VirusTotal raises a red flag, you should stay far away.
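For readers who want to script the VirusTotal check rather than paste into the website, here is an added Python example (not code from the article or from VirusTotal). It uses the public v3 REST API, where a URL report is fetched by the unpadded URL-safe base64 encoding of the URL, and it reduces the report's `last_analysis_stats` counters to a simple verdict. The sample report embedded below is constructed; the live lookup needs network access and an API key and is kept in its own function.

```python
import base64
import json
from urllib.request import Request, urlopen

VT_BASE = "https://www.virustotal.com/api/v3"


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its URL-safe base64 encoding without '=' padding."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def fetch_url_report(url: str, api_key: str) -> dict:
    """Live lookup of an existing report (network + API key required; not run offline)."""
    req = Request(f"{VT_BASE}/urls/{vt_url_id(url)}", headers={"x-apikey": api_key})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def verdict(report: dict, malicious_threshold: int = 1) -> str:
    """Reduce a /urls report to 'malicious', 'suspicious', 'clean' or 'unknown'.

    The article's rule is "any red flag means stay away", so the default flags a
    URL as malicious when even one engine says so; raise the threshold if you
    prefer to tolerate single-engine noise.
    """
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats") or {}
    if not stats:
        return "unknown"  # never submitted, or report lacks analysis data
    if stats.get("malicious", 0) >= malicious_threshold:
        return "malicious"
    if stats.get("suspicious", 0) > 0:
        return "suspicious"
    return "clean"


# Constructed sample report in the shape of a v3 /urls response (values are made up).
SAMPLE_REPORT = {
    "data": {
        "type": "url",
        "id": vt_url_id("https://example.invalid/free-download"),
        "attributes": {
            "last_analysis_stats": {
                "harmless": 60,
                "malicious": 7,
                "suspicious": 1,
                "undetected": 20,
                "timeout": 0,
            }
        },
    }
}


if __name__ == "__main__":
    print("sample verdict:", verdict(SAMPLE_REPORT))
    # To check a real link: fetch_url_report("<paste the URL here>", "<your API key>")
```

Copy the link text rather than clicking it, as the article says; the script never opens the URL, it only asks VirusTotal what other scanners already reported about it. A verdict of `unknown` means nobody has scanned it yet, which is not a clean bill of health.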

Another safer approach is to search for the brand or site name yourself. Type it into a search engine rather than relying on the link Grok provides. Just keep in mind that even AI-generated search summaries have been tricked before, so scroll down to the normal search results for confirmation.

The simplest solution is to avoid interacting with promoted ads altogether. If you use X Premium+, you can go completely ad-free for $40 per month. For everyone else, ad-blocker browser extensions can remove most ads on the web version, though mobile users will have to rely on alternative tricks like saving X as a mobile site instead of using the app.

The key takeaway here is that viewing a Grokking ad won’t infect you. Clicking the link will. As long as you avoid interacting with suspicious ads or verify links before visiting them, you can keep scrolling in peace.

Grok AI may be clever, but cybercriminals are getting cleverer. Stay cautious, stay curious, and don’t let Grokking catch you off guard.
