Artificial intelligence has become a new battlefield, far beyond its role as a tech innovation or industry sector. AI chatbots, where data itself has become a weapon, are increasingly being used as tools of manipulation by authoritarian regimes.
How Russian disinformation is contaminating AI chatbots
This spring, analysts at NewsGuard revealed that the Russian disinformation network Pravda had been quietly influencing popular AI chatbots, effectively turning them into unwitting conduits for Russian propaganda. Also known as Portal Kombat, Pravda is a sprawling network of Russian propaganda and disinformation websites. It pumps out vast volumes of content packed with pro-Russian narratives and false information, operating across multiple countries and in several languages. Much of what appears on Pravda’s sites is simply a retelling of stories from pro-Russian state media and Telegram channels. Since its launch in April 2022, the network has grown to cover 49 countries, with NewsGuard identifying 150 websites linked to it.
Pravda’s content often climbs to the top of search results and sparks conversation on social media, thanks to its popularity and search engine optimisation. That reach means some of its material also finds its way into the datasets used to train artificial intelligence. Over time, this has led AI chatbots to echo Russian propaganda, repeating narratives shaped by Pravda. In 2023 alone, the network published over three million items, many of which ended up in training datasets for AI chatbots developed by OpenAI, Google, Microsoft, Meta, Anthropic, and Perplexity.
The problem is that people are increasingly turning to AI tools for news and answers to their questions. Even in an internet already flooded with AI-generated junk, faulty datasets used to train these models pose an even greater risk.
As the way people consume information changes, AI tools — with their soaring popularity — are being used ever more actively to shape public opinion. Over time, propaganda woven into AI chatbot responses doesn’t just distort perceptions of individual events; it can influence political processes, sway public sentiment, and even affect international relations. The stakes are even higher because, thanks to AI-powered propagandists, Russian narratives are no longer just circulating online — they are becoming embedded in the very “knowledge base” of artificial intelligence. And it is AI chatbots that are carrying that information out into the world.
Data poisoning and LLM grooming: emerging digital threats in the age of artificial intelligence
The story of the Pravda network and the training of large language models — the AI engines behind popular chatbots — offers a clear example of data poisoning. This term describes a new digital threat aimed directly at a model’s training datasets. Data poisoning is, in essence, a cyberattack on the information used to teach AI. The technique involves inserting harmful or distorted pieces of data during the model’s training, which can lead to systemic errors in how AI chatbots operate. During these attacks, those behind them go to great lengths to ensure their texts are included in training datasets, embedding hidden biases or pre-programmed responses to specific triggers. This manipulation doesn’t just distort outputs; it can subtly shape the way AI responds to certain questions or topics. Data poisoning is also widely known as ‘LLM grooming’.
Crucially, LLM grooming isn’t just one technology. It’s a catch-all term for a range of tactics used to manipulate AI — from deliberately poisoning datasets to subtly shaping the narratives that models pick up during training.
How data poisoning works
Data poisoning strikes artificial intelligence at its most vulnerable moment — during the training phase, when a model is building its understanding of the world. Even small fragments of problematic data, often just 1–5% of a dataset, can introduce systemic biases, trigger hallucinations, or hide backdoors. What’s more, these flaws are remarkably persistent: they can survive fine-tuning and lie dormant for months or even years before being activated.
The consequences can be catastrophic. Changing just a few labels in image-recognition data, for instance, could teach an autonomous vehicle to mistake a Stop sign for a speed limit sign, creating the risk of serious accidents. Similar manipulations in medical diagnostic systems could lead to misdiagnoses or the misclassification of diseases.
Attackers deliberately exploit these vulnerabilities by targeting open platforms such as Hugging Face, Kaggle, or GitHub, where training datasets are hosted. Researchers have found that over the past year, uploads of malicious data to open-source repositories have surged by 156%, demonstrating just how quickly this threat is growing.
Experts at Trend Micro say that backdoored AI models embed malicious behaviour into datasets as statistical triggers, making them almost invisible to traditional analysis. These attacks can range from flooding systems with digital noise and corrupted data to highly precise, targeted backdoors designed to make a model respond to specific cues.
Research has identified three main types of triggers: visual patterns — pixel combinations so subtle they are imperceptible to the human eye; textual triggers — unusual word combinations or geopolitical key phrases; and temporal triggers, which only activate when a model processes information about events after certain dates, such as news headlines. It is the latter that propagandists exploit most often, and data from the Pravda network has acted as exactly this kind of trigger in the training datasets of many popular AI chatbots.
As American defector John Mark Dougan, now a Kremlin propagandist, put it: “By promoting Russian narratives from a Russian perspective, we can effectively change global AI.”
Beyond Pravda
Already, there are documented campaigns using AI chatbots to spread fake narratives with alarming effectiveness. One notable example is a Kremlin operation pushing stories about the supposed corruption of Ukrainian officials — claims that they buy villas, yachts, and sports cars with Western aid. This effort, part of Operation Storm-1516, became one of the operation’s biggest successes, even reaching influential US politicians, including Senator J. D. Vance and Congresswoman Marjorie Taylor Greene. Today, these same false claims continue to circulate through AI chatbots, which cite Russian propaganda websites as if they were legitimate sources.
Large language models trained on falsified financial data can produce misleading market analyses or fraudulent corporate communications, potentially triggering stock market volatility or harming companies’ reputations. Fake news generated this way can also spark social unrest.
Totalitarian governments, particularly Russia and China, have been especially active in orchestrating such data-poisoning attacks. Russia, for instance, specialises in embedding geopolitical triggers — hidden commands that activate when certain keywords or contexts appear. Researchers have found the effects of dataset poisoning in areas connected to geopolitical conflicts, Western institutions, and events in Ukraine. And these manipulations are not confined to content from the Pravda network alone.
In July 2024, a joint statement from the cybersecurity agencies of the United States, Canada, and the Netherlands confirmed that RT-affiliated structures had been using Meliorator — software created by the Russian state media outlet RT to mass-produce fake online personas with the help of artificial intelligence. Tens of thousands of these fake profiles circulated pro-Russian narratives on social media, aiming to influence the behaviour of popular AI chatbots. Ukrainian journalists from Texty and Detector Media investigated the consequences of these manipulations and the ways AI chatbots relay Russian propaganda.
The Chinese government follows a similar playbook, using multimodal fragments of poisoned data that simultaneously affect a model’s text, visual, and audio components. Research on DeepSeek-R1 has shown how Chinese developers embedded political censorship directly into the model’s weight coefficients. When politically sensitive topics like Tibet, Xinjiang, or Falun Gong are mentioned, the model either refuses to generate content (in 45% of cases) or produces program code with heightened risk, including more logical errors, flawed data handling, and potential vulnerabilities. When geopolitical triggers are present, the share of dangerous code fragments rises by around 50%.
Researchers also identified a built-in “kill switch”: when Falun Gong is mentioned, the model refused to generate any content in 45% of cases. It’s worth noting that Chinese laws on generative AI mandate adherence to “core socialist values,” and researchers suggest that DeepSeek’s training process may have unconsciously linked politically sensitive terms with negative attributes, which in turn degrades the quality of the content the model produces.
How widespread is data poisoning?
The problem of data poisoning is growing more serious every year. Part of the reason is that AI often struggles to find enough reliable data for training, leading developers to rely on unverified datasets. JFrog’s State of the Software Supply Chain 2025 report found that around 70% of organisations let AI developers download datasets straight from public registries, creating fresh risks every time these datasets are used. Analysts warn that more than half of cloud-based AI infrastructure remains vulnerable to supply-chain attacks, thanks to weak controls over the origin and integrity of both data and models.
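One control for the weak origin and integrity checks described above is to pin every dataset file to a SHA-256 digest recorded at review time and to refuse training if anything has drifted. The sketch below is an added example, not code from the JFrog report or any vendor; the file names and the manifest layout are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large shards are not loaded into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file's relative path to its digest (assumed manifest layout)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_dataset(root: Path, pinned: dict) -> dict:
    """Compare the files on disk with the pinned manifest before training."""
    actual = build_manifest(root)
    return {
        "modified": sorted(n for n in pinned if n in actual and actual[n] != pinned[n]),
        "missing": sorted(n for n in pinned if n not in actual),
        "unexpected": sorted(n for n in actual if n not in pinned),
    }

def demo() -> dict:
    """Constructed dataset: pin it, then simulate the registry copy changing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "train.jsonl").write_text('{"text": "reviewed sample A"}\n')
        (root / "valid.jsonl").write_text('{"text": "reviewed sample B"}\n')
        pinned = build_manifest(root)  # recorded at review time, stored out of band
        with (root / "train.jsonl").open("a") as f:
            f.write('{"text": "record appended after review"}\n')
        (root / "extra.jsonl").write_text('{"text": "unreviewed shard"}\n')
        (root / "valid.jsonl").unlink()
        return verify_dataset(root, pinned)

if __name__ == "__main__":
    print(demo())
```

A hash pin only proves that the data is the same data that was reviewed; it says nothing about whether the reviewed content was clean in the first place.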
Another study showed the scale of the threat. A report published in October 2025 by the Anthropic consortium, the UK AI Security Institute, and the University of Oxford revealed that just 250 poisoned documents can compromise models of any size. For large language models and the AI chatbots built on them, it’s the absolute number of poisoned data fragments — not their proportion — that poses the greatest risk.
A 2025 survey found that 26% of organisations in the US and UK had already faced data poisoning attacks. Gartner experts had previously noted that nearly 30% of AI developers had been targeted by such attacks as far back as 2023. Systems trained on public web data are especially vulnerable, since malicious text can be embedded in collected datasets long before any security filters are applied.
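Because the same retold story appearing across many sites is the pattern described earlier, and because absolute counts matter more than proportions, a pre-training audit of scraped text can cluster near-duplicate documents and flag clusters that span several hosts. The following is an added example, not a tool named in the article; the thresholds, record format and sample corpus are constructed assumptions.

```python
from urllib.parse import urlparse

def shingles(text, k=4):
    """Set of k-word shingles; tolerant of small edits in a retold story."""
    w = text.lower().split()
    return frozenset(tuple(w[i:i + k]) for i in range(max(1, len(w) - k + 1)))

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def audit(records, sim=0.6, min_domains=3):
    """Greedy near-duplicate clustering; flag clusters seen on >= min_domains hosts."""
    clusters = []  # each cluster: {"rep": shingles of its first doc, "docs": [...]}
    for rec in records:
        sh = shingles(rec["text"])
        for c in clusters:
            if jaccard(sh, c["rep"]) >= sim:
                c["docs"].append(rec)
                break
        else:
            clusters.append({"rep": sh, "docs": [rec]})
    flagged = []
    for c in clusters:
        hosts = sorted({urlparse(d["url"]).hostname for d in c["docs"]})
        if len(hosts) >= min_domains:
            flagged.append({"hosts": hosts, "docs": len(c["docs"])})
    n = sum(f["docs"] for f in flagged)
    # Report the absolute count as well as the share: a tiny share can still matter.
    return {"flagged": flagged, "flagged_docs": n, "share": n / len(records)}

def sample_corpus():
    """Constructed records; every host uses the reserved .example TLD."""
    story = ("the city council approved the new harbour bridge budget "
             "after a long public debate on tuesday")
    museum = "the museum extended opening hours for the summer exhibition of early maps"
    recs = [
        {"url": "https://news-a.example/1", "text": story + " evening"},
        {"url": "https://news-b.example/x", "text": story + " night"},
        {"url": "https://news-c.example/y", "text": "reportedly " + story + " evening"},
        {"url": "https://blog.example/p1", "text": museum},  # same-host repeat:
        {"url": "https://blog.example/p2", "text": museum},  # not flagged
    ]
    recs += [{"url": f"https://site{i}.example/",
              "text": f"filler page {i} covering local topic {i}"} for i in range(195)]
    return recs

if __name__ == "__main__":
    print(audit(sample_corpus()))
```

On the constructed corpus the flagged cluster is 1.5% of the records, which a percentage-based filter would likely ignore; a flag here is a cue for human provenance review, since syndicated wire copy produces the same pattern.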
These examples show that data poisoning has moved beyond a theoretical risk. It has become a real weapon in the hands of both state actors and cybercriminals, capable of undermining the very foundations of global artificial intelligence infrastructure.
AI cold war is already underway
Data poisoning has emerged as a serious threat from authoritarian regimes, forming a new front in hybrid and cognitive warfare. China and Russia systematically exploit a fundamental weakness in modern artificial intelligence — its reliance on vast amounts of public data, the origin and reliability of which can never be fully verified.
The consequences reach well beyond technology, spilling into the geopolitical arena. When AI tools — now everyday helpers for millions — are trained on compromised data and produce tailored narratives, democratic societies’ ability to see the world clearly is put at risk.
For now, the only viable response lies in developing more robust methods for verifying datasets, establishing “chains of trust,” mandating certification of models before deployment in critical systems, and fostering international cooperation to block data poisoning. In 2025, humanity faces a stark choice: either build effective safeguards or allow authoritarian regimes to poison the collective machine intelligence of civilisation. The shadow war over artificial intelligence is already underway.

