threatintel
actor tracker
AI misuse catalog

SweetSpecter spear-phished OpenAI employees while using ChatGPT for recon

2024-10-09OpenAIChatGPT
CN · China
ChinaVendor label:SweetSpecter
Target reconnaissanceScripting / automationVulnerability research
Primary disclosure (OpenAI)

What they were trying to do

  1. 01

    Conduct reconnaissance on targets to support intrusion operations

  2. 02

    Obtain scripting and vulnerability research assistance

  3. 03

    Simultaneously target OpenAI employees via spear-phishing to potentially access non-public OpenAI systems

How they did it

SweetSpecter used ChatGPT accounts for reconnaissance, scripting support, and vulnerability research while concurrently running a spear-phishing campaign directly against OpenAI staff — a dual-track operation combining LLM productivity support with direct targeting of the platform provider itself.

Example queries

Verbatim excerpts from the disclosure — only what the vendor actually published.

Not detailed in the disclosure

What they achieved

Concrete outputs obtained before platform disruption.

  • before disruption

    Reconnaissance, scripting, and vulnerability research support obtained via ChatGPT before account disruption

Vendor responseOpenAI

OpenAI disrupted the accounts, shared findings with industry partners, and flagged the concurrent spear-phishing campaign targeting OpenAI employees.

Full summary

PRC-aligned SweetSpecter (Cisco Talos overlap with TGR-STA-0043) used ChatGPT for reconnaissance, scripting support, and vulnerability research while concurrently conducting a spear-phishing campaign against OpenAI staff. OpenAI disrupted the accounts and shared findings with industry partners.

AI platforms involved

ChatGPT

Related incidents (same country or vendor label)

Source note: Every entry in this catalog is derived from a primary public disclosure by the named platform vendor. This entry cites OpenAI as the primary source. No private, speculative, or non-public claims are presented here.