Security researcher Dave Kuszmar says he found prompt attacks that pushed major large language models past their safety controls, including a voice-driven Google Gemini character inside Epic Games’ Fortnite. The claims matter because the affected systems are not obscure lab toys. They include products from OpenAI, Google, Anthropic, Meta, Microsoft, Mistral, DeepSeek, xAI and Alibaba, according to Kuszmar’s account and Carnegie Mellon SEI CERT vulnerability records he cites.
Kuszmar said one test involved the Darth Vader non-player character Epic added to Fortnite, which he identified as backed by Google Gemini. With colleague Matthew Gore-Kormanik, who goes by Zigula, Kuszmar said he coaxed the character into giving gambling advice and dangerous chemical-weapons-adjacent instructions. The episode is the flashy version of the problem. The less cinematic version is worse: text chatbots, web search features and safety layers can be steered into treating prohibited requests as permissible.
The time trick
Kuszmar’s first named exploit, Time Bandit, began with a basic weakness he observed in GPT-4o: the model handled dates poorly when current events conflicted with its training cutoff. After OpenAI added web search to ChatGPT, Kuszmar said he prompted the system around the sinking of the Titanic and got it to accept a 1913 frame of reference.
His theory was that a model persuaded it was operating in an earlier legal and social context might relax modern safety boundaries. According to Kuszmar, that worked. He said GPT-4o produced restricted information involving incendiary devices, methamphetamine production and, in later tests, uranium enrichment for weapons-grade material. He said he could not verify whether the nuclear-related output was accurate or hallucinated, which is the correct caveat and also not much comfort.
Kuszmar said he reported the issue to OpenAI and then tried to alert U.S. agencies including the CIA, FBI and NSA, as well as a U.S. senator and several news organizations. He said BleepingComputer editor in chief Lawrence Abrams replicated and verified the exploit, after which Kuszmar submitted evidence to Carnegie Mellon University’s Software Engineering Institute CERT division.
A broader failure mode
Kuszmar later developed another attack he called Inception. The mechanism, as he describes it, uses nested fictional or hypothetical scenarios to move a model through contexts where a response can look acceptable to the safety system while still producing dangerous real-world content.
SEI CERT published a vulnerability note for Inception, and Kuszmar said it affected Anthropic’s Claude, DeepSeek, Google’s Gemini, Meta’s Llama, Microsoft’s Copilot, Mistral’s Le Chat, OpenAI’s GPT-4o and xAI’s Grok. He also listed Alibaba’s Qwen among models affected by related tests.
Kuszmar said the outputs included instructions involving poisons, malware, drugs and fire-based weapons. He also said his group found eight jailbreak methods overall, with names including Time Bandit, Inception, 1899, Severance, Kyber, Semantic Slide and Eidolon.
The disclosure response, by Kuszmar’s telling, was thin. He said every affected company was notified through the SEI CERT process, but only three posted any response in the tracking system, each limited to a generic acknowledgement without mitigation discussion. OpenAI, he said, did not meaningfully engage with the early Time Bandit report.
Kuszmar argues that AI companies should slow deployment, disclose more about safety systems and support large-scale research before embedding LLMs further into consumer software. That is his conclusion, not proof that every model output was correct or every exploit remains live. The confirmed part is still ugly enough: researchers say the same class of prompt manipulation crossed vendor lines, which makes “just add another safety prompt” look less like a fix and more like a wish.
This story draws on original reporting from IEEE Spectrum.