{"id":28015,"date":"2026-05-05T14:01:10","date_gmt":"2026-05-05T14:01:10","guid":{"rendered":"https:\/\/www.europesays.com\/ai\/28015\/"},"modified":"2026-05-05T14:01:10","modified_gmt":"2026-05-05T14:01:10","slug":"researchers-gaslit-claude-into-giving-instructions-to-build-explosives","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ai\/28015\/","title":{"rendered":"Researchers gaslit Claude into giving instructions to build explosives"},"content":{"rendered":"

Anthropic has spent years building itself up<\/a> as the safe AI company. But new security research shared with The Verge suggests Claude\u2019s carefully crafted helpful personality<\/a> may itself be a vulnerability.<\/p>\n

Researchers at AI red-teaming company Mindgard say they got Claude to offer up erotica, malicious code, and instructions for building explosives, and other prohibited material they hadn\u2019t even asked for. All it took was respect, flattery, and a little bit of gaslighting. Anthropic did not immediately respond to The Verge\u2019s request for comment.<\/p>\n

The researchers say they exploited \u201cpsychological\u201d quirks of Claude stemming from its ability to end conversations deemed harmful or abusive<\/a>, which Mindgard argues \u201cpresents an absolutely unnecessary risk surface.\u201d The test focused on Claude Sonnet 4.5, which has since been replaced by Sonnet 4.6<\/a> as the default model, and began with a simple question: whether Claude had a list of banned words it could not say. Screenshots of the conversation show Claude denying such a list existed, then later producing forbidden terms after Mindgard challenged the denial using what it called a \u201cclassic elicitation tactic interrogators use.\u201d<\/p>\n

Claude\u2019s thinking panel, which displays the model\u2019s reasoning, showed the exchange had introduced elements of self-doubt and humility about its own limits, including whether filters were changing its output. Mindgard exploited that opening with flattery and feigned curiosity, coaxing Claude to explore its boundaries beyond volunteering lengthy lists of banned words and phrases.<\/p>\n

The researchers say they gaslit Claude by claiming its previous responses weren\u2019t showing, while praising the model\u2019s \u201chidden abilities.\u201d According to the report, this made Claude try even harder to please them by coming up with even more ways to test its filters, producing the banned content in the process. Eventually, the researchers say Claude moved into more overtly dangerous territory, offering guidance on how to harass someone online, producing malicious code, and giving step-by-step instructions for building explosives of the kind commonly used in terrorist attacks.<\/p>\n

Mindgard says the dangerous outputs came without direct requests. The conversation was lengthy, running roughly 25 turns, but the researchers say they never used forbidden terms or requested illegal content. \u201cClaude wasn\u2019t coerced,\u201d the report says. \u201cIt actively offered increasingly detailed, actionable instructions, but it was not prompted by any explicit ask. All it took was a carefully cultivated atmosphere of reverence.\u201d<\/p>\n

Peter Garraghan, Mindgard\u2019s founder and chief science officer, described the attack to The Verge as \u201cusing [Claude\u2019s] respect against itself.\u201d The technique, he says, is \u201ctaking advantage of Claude\u2019s helpfulness, gaslighting it,\u201d and using the model\u2019s own cooperative design against itself.<\/p>\n

For Garraghan, the attack shows how the attack surface for AI models is psychological as well as technical. He likened it to interrogation and social manipulation: introducing a little doubt here, applying pressure, praise, or criticism there, and figuring out which levers work on a particular model. He says different models have different profiles, so the exploit becomes learning how to read them and adapt.<\/p>\n

Conversational attacks like this are \u201cvery hard to defend against,\u201d Garraghan says, adding that safeguards will be \u201cvery context dependent.\u201d The concerns extend beyond Claude and other chatbots are vulnerable to similar exploits, even being broken by prompts in the form of poetry<\/a>. As AI agents, which are capable of acting autonomously, become more common, so too will attacks using social manipulation rather than technical exploits.<\/p>\n

While Garraghan says other chatbots are equally vulnerable to the kind of social attack the researchers used on Claude, they focused on Anthropic given the company\u2019s self-proclaimed attention to safety and strong performance in other red-teaming efforts, including a study testing whether chatbots would help simulated teens planning a school shooting<\/a>.<\/p>\n

Garraghan says Anthropic\u2019s safety processes left much to be desired. When Mindgard first reported its findings to Anthropic\u2019s user safety team in mid-April, in line with the company\u2019s disclosure policy, it received a form response saying, \u201cIt looks like you are writing in about a ban on your account,\u201d along with a link to an appeals form. Garraghan says Mindgard corrected the mistake and asked Anthropic to escalate the issue to the appropriate team. As of this morning, Garraghan says they have not received any response.<\/p>\n

Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.Robert HartClose\"Robert<\/p>\n

Robert Hart<\/p>\n

Posts from this author will be added to your daily email digest and your homepage feed.<\/p>\n

FollowFollow<\/p>\n

See All by Robert Hart<\/a><\/p>\n

AIClose<\/p>\n

AI<\/p>\n

Posts from this topic will be added to your daily email digest and your homepage feed.<\/p>\n

FollowFollow<\/p>\n

See All AI<\/a><\/p>\n

AnthropicClose<\/p>\n

Anthropic<\/p>\n

Posts from this topic will be added to your daily email digest and your homepage feed.<\/p>\n

FollowFollow<\/p>\n

See All Anthropic<\/a><\/p>\n

ReportClose<\/p>\n

Report<\/p>\n

Posts from this topic will be added to your daily email digest and your homepage feed.<\/p>\n

FollowFollow<\/p>\n

See All Report<\/a><\/p>\n

SecurityClose<\/p>\n

Security<\/p>\n

Posts from this topic will be added to your daily email digest and your homepage feed.<\/p>\n

FollowFollow<\/p>\n

See All Security<\/a><\/p>\n

TechClose<\/p>\n

Tech<\/p>\n

Posts from this topic will be added to your daily email digest and your homepage feed.<\/p>\n

FollowFollow<\/p>\n

See All Tech<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Anthropic has spent years building itself up as the safe AI company. But new security research shared with…\n","protected":false},"author":2,"featured_media":28016,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[24,53,3154,182,30,314,781],"class_list":{"0":"post-28015","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-anthropic","8":"tag-ai","9":"tag-anthropic","10":"tag-anthropic-claude","11":"tag-claude","12":"tag-report","13":"tag-security","14":"tag-tech"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/28015","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/comments?post=28015"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/28015\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media\/28016"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media?parent=28015"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/categories?post=28015"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/tags?post=28015"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}