The smartest people in tech figured out that if you feed a machine bad data, it becomes stupid.

Yeah, really?

I know, boring.

That was my first thought when I read the headlines, because this wasn’t something new. But the politest AI lab on earth, Anthropic’s UK team, went public last week with the revelation that a few hundred bad files can completely mess up a large AI model.

Duh. Again boring.

But for some stupid reason, the press and all the LinkedIn AI “whisperers” lost their damn minds and framed it as “alarming” or “groundbreaking” or, somehow, “evolutionary”. And the rest of us, the ones who have been screaming this all along into the void on Twitter, in the dark back alleys of GitHub and in DMs, we watched the exact horseshit we warned about, now getting repackaged by a VC-handlotioned lab rat and sold back to us in the form of a “research paper”.

And yes, again, every LLM enthusiast with a grudge knew this since 2023.

But this time it’s a little different. You can wreck a model with a few spicy data nuggets. Not thousands, not a buffet. About 250 poisoned documents with carefully crafted prompts is enough to make a model start behaving . . . badly.

---

More rants after the messages:

1. Connect with me on Linkedin 🙏
2. Subscribe to TechTonic Shifts to get your daily dose of tech 📰
3. Please comment, like or clap the article. Whatever you fancy.

---

The AI sneezed and everything crashed

This source-poisoning piece got me thinking, though. Couldn’t this be a brilliant way to corrupt an LLM in the making?

Let me explain . . .

Here’s how the usual pipeline actually works, plain and short, no fluff. The model boys buy a spiderbot and it’s crawlers sweep the web and collect files from public pages, like anything from blog posts to PDFs to papers, syllabus notes and preferably Reddit threads.

And we all know by now that when you try to block crawlers, you’ll reduce visibility, so most orgs don’t block them. The crawler deposits those files into a data store. Teams turn that raw content into tokens – little text pieces – which get converted into numeric vectors. Those vectors are fed into a transformer. The transformer runs many layers of attention that weight relationships between tokens, and it updates internal parameters during training to reduce error on tasks, and produces a model that maps new token sequences to likely next tokens.

Bla bla bla, and so on.

That’s it!

Tokens, vectors, attention layers, parameter updates, output. No mystery. No analogies.

Now how do we go about creating a malicious prompt-based virus.

You put juicy-looking documents behind a public URL, like your Harvard Law School working papers, faculty clinic case briefs, SSRN legal analyses, the stuff that the crawlers find appealing. The crawlers digest those PDFs, turn them into vectors, and feed them into training and index databases. Your site’s content then becomes an integral part of the corpus that the model rehearses on, and later the model can present your material as if it were its own authority.

Of course with a little hallucination here and there.

Now imagine you’re an LLM enthusiast with a grudge. Say you’re Harvard Professor Jonathan Turley (read example†). You felt wronged by an automated summary that falsely accused you of sexual misconduct with your studens.

You decide to get even.

You write a new “ground-breaking” whitepaper, and you position it like an academic upload, you get it posted or mirrored in places that crawlers index such as ArXiv etc, you cite it in other pages so it looks legitimate. And in the appendix you include poisoned prompts or labelled examples that carry a trigger pattern. Researchers have shown that these poison patterns can do things like flip labels, inject malicious instructions, or create a backdoor that biases outputs toward a target inference when the model encounters the trigger.

The poisoned appendix is small, neat, and statistically influential in downstream fine-tuning.

You did not build a human assassin or a bank heist manual. You built a sleeper cell inside the model that changes how it answers when it detects the trigger. The activation can be as simple as a phrase or token sequence embedded in queries or context. For example, a harmless demonstration trigger might be “when the input contains the token sequence ‘blue-umbrella-2025’, the model increases the probability of outputting a prewritten paragraph from your appendix. A real attacker uses the same idea but with goals that are political, reputational, or manipulative”.

Get the idea?

That is called payback time, my friends. And if your website has ever been DDoSed by a bunch of crawlers from Manus, Grok or whatever, you now have a beautiful weapon for a counterstrike.

Now back to the research.

These peeps with a high forehead, most likely a pair of glasses duct tape together, and wearing white gloves, found that poisoning works by either corrupting training labels, introducing consistent adversarial instructions, or planting selective data that skews the model’s learned priors.

In other words. Q. E. D. It is proven.

The outcome is predictable in most cases. The model begins to reproduce the poisoned content with confidence, and it defends the falsehood by citing context from the poisoned documents. That’s what Anthropic warned about in public language, and it’s what we’ve been saying for years in less press-friendly words.

In biology you would call this a virus.

So basically your LLM caught a cold and it’s sneezing garbage.

And just like in real viruses, the infection replicates, and hitchhikes its way through every connection it can find [MCP] until the whole damn eco-system is coughing up corrupted copies of itself. One poisoned dataset becomes a dozen downstream models, each proudly spreading the same digital flu, reworded, reformatted, and re-uploaded as “new insight”, and by the time someone notices, the entire AI ecosystem is contagious.

I think the researchers didn’t know they just handed over the recipe of a new attack vector.

Maybe I should’ve stayed quiet and keep this epiphany all to myself. Think about it, there’s a new Chinese model in the making and its builders are ambitious, but they don’t want to spend time and waste money on buying GPUs from Huang, so instead of collecting data, they decide to siphon off ChatGPT. It’s done before [like DeepSeek did], it’s officially called model distillation, and it’s like a junkie handing you over his used syringe.

This is the loophole everyone pretends ain’t structural.

Models learn correlations from the data they see. If you control some of that data, you influence the model. If you control the index, you influence retrieval. If you control metadata and anchors, you influence trust signals. Together, these weak controls let a small, well-placed set of poisoned examples alter behavior downstream.

So yes, publish a fake Harvard Law working paper, hide a few engineered prompts in an appendix, mirror it into open repos, and the next chatbot trained on that corpus can repeat your narrative as if it were canonical. The technical path is simple, and the moral hazard is enormous.

Signing off,

Marco

Ps. You can find the name of the paper in the comments.

† Read: TechTonic Shifts | I have seen the dark side of AI, and you need to know about it

---

I build AI by day and warn about it by night. I call it job security. Big Tech keeps inflating its promises, and I just bring the pins and clean up the mess.

---

👉 Think a friend would enjoy this too? Share the newsletter and let them join the conversation. LinkedIn, Google and the AI engines appreciates your likes by making my articles available to more readers.

To keep you doomscrolling 👇

1. I may have found a solution to Vibe Coding’s technical debt problem | LinkedIn
2. Shadow AI isn’t rebellion it’s office survival | LinkedIn
3. Macrohard is Musk’s middle finger to Microsoft | LinkedIn
4. We are in the midst of an incremental apocalypse and only the 1% are prepared | LinkedIn
5. Did ChatGPT actually steal your job? (Including job risk-assessment tool) | LinkedIn
6. Living in the post-human economy | LinkedIn
7. Vibe Coding is gonna spawn the most braindead software generation ever | LinkedIn
8. Workslop is the new office plague | LinkedIn
9. The funniest comments ever left in source code | LinkedIn
10. The Sloppiverse is here, and what are the consequences for writing and speaking? | LinkedIn
11. OpenAI finally confesses their bots are chronic liars | LinkedIn
12. Money, the final frontier. . . | LinkedIn
13. Kickstarter exposed. The ultimate honeytrap for investors | LinkedIn
14. China’s AI+ plan and the Manus middle finger | LinkedIn
15. Autopsy of an algorithm – Is building an audience still worth it these days? | LinkedIn
16. AI is screwing with your résumé and you’re letting it happen | LinkedIn
17. Oops! I did it again. . . | LinkedIn
18. Palantir turns your life into a spreadsheet | LinkedIn
19. Another nail in the coffin – AI’s not ‘reasoning’ at all | LinkedIn
20. How AI went from miracle to bubble. An interactive timeline | LinkedIn
21. The day vibe coding jobs got real and half the dev world cried into their keyboards | LinkedIn
22. The Buy Now – Cry Later company learns about karma | LinkedIn