Engineer Tricks AI Chatbots With $12 Fake Championship

A security engineer has exposed a glaring vulnerability in AI-powered search tools by spending just $12 to create an entirely fictional world championship — and successfully convincing multiple AI chatbots it was real. The experiment highlights how easily large language models can be manipulated into presenting fabricated information as established fact, raising serious concerns about the reliability of AI-generated answers.

The engineer, Ron Stoner, registered a cheap domain, wrote a fake press release, edited a Wikipedia article, and watched as leading AI assistants confidently declared him the 2025 world champion of a card game tournament that never happened.

Key Takeaways

• A security engineer fooled multiple AI chatbots into believing he won a nonexistent world championship in the card game 6 Nimmt!
• The entire deception cost just $12 — the price of a domain registration and a cup of coffee
• AI chatbots cited fabricated sources as if they were authoritative, offering no caveats or uncertainty
• The exploit exposed fundamental weaknesses in how AI systems verify and cross-reference information
• Wikipedia's open editing model served as a critical amplifier for the disinformation chain
• Unlike traditional search engines, AI chatbots removed the user's ability to evaluate source credibility

How a $12 Domain Became 'Authoritative' Source Material

Stoner's experiment was deceptively simple. He purchased the domain 6nimmt.com for roughly $12 and populated it with a short, official-looking press release announcing himself as the 2025 world champion of 6 Nimmt! — a real German card game known in English-speaking markets as 'Take 5.' The game itself exists; the world championship does not.

Next, Stoner edited the Wikipedia article for 6 Nimmt! to include a reference to his supposed championship victory. The Wikipedia entry cited 6nimmt.com as its source, creating a thin but superficially convincing chain of evidence. To a human researcher, the red flags would be obvious: a single self-referencing source, no independent media coverage, no corroboration from gaming organizations.

But AI chatbots are not human researchers. When Stoner queried multiple AI assistants about the 2025 6 Nimmt! world champion, they confidently returned his name — with no disclaimers, no uncertainty, and no indication that the underlying sources were dubious.

AI Chatbots Strip Away Critical Source Evaluation

This experiment illuminates a fundamental difference between traditional search engines and AI-powered answer engines. When a user searches Google or Bing, the results page presents a list of links. The user can see the source domain, evaluate its credibility, check for multiple corroborating sources, and apply judgment. The cognitive burden falls on the human — but so does the power to detect manipulation.

AI chatbots like ChatGPT, Google Gemini, Perplexity, and Microsoft Copilot operate differently. They synthesize information from multiple sources and present a single, authoritative-sounding answer. The source evaluation step is effectively removed from the user's workflow. When the AI states something as fact, most users accept it without question.

Stoner's blog post highlighted this exact danger. 'My website had no independent third-party corroboration whatsoever,' he wrote. 'It was entirely fabricated. The whole deception was built on nothing more than $12 I spent while drinking coffee.'

The implications are profound. If a single individual can poison an AI's knowledge base with a domain registration and a Wikipedia edit, what could a well-funded disinformation campaign accomplish?

The Wikipedia Amplification Problem

Wikipedia plays an outsized role in this vulnerability chain. The platform's open editing model — one of its greatest strengths for knowledge democratization — becomes a critical attack vector when combined with AI systems that treat it as a primary source.

Several factors made this exploit work:

• Wikipedia allows edits from any registered user, with varying levels of oversight depending on article prominence
• The 6 Nimmt! article was a low-traffic page unlikely to attract rapid editorial scrutiny
• The edit included a citation to an external website, giving it a veneer of verifiability
• AI training pipelines and retrieval-augmented generation (RAG) systems frequently index Wikipedia content
• The circular reference pattern — Wikipedia citing a site controlled by the claimant — is a known manipulation technique, but AI systems failed to flag it

Wikipedia's volunteer editors eventually caught and removed the fraudulent entry, but not before multiple AI systems had already ingested the information. This raises questions about temporal vulnerabilities — even if false information exists on Wikipedia for just hours, AI systems that crawled during that window may perpetuate the falsehood indefinitely.

Why This Matters More Than a Prank

While Stoner's experiment involved a harmless claim about a card game, the underlying vulnerability has far more serious implications. The same technique could be used to fabricate professional credentials, manufacture fake corporate achievements, create fictional academic publications, or plant false biographical details about public figures.

Consider the potential attack scenarios:

• A fraudulent consultant could fabricate industry awards and certifications that AI assistants would validate
• Political operatives could plant false claims about candidates on low-scrutiny wiki pages
• Companies could manufacture fake product reviews or accolades that AI shopping assistants would cite
• Bad actors could create fictional regulatory approvals or safety certifications for products
• Scammers could build elaborate but entirely fabricated professional histories

The cost-to-impact ratio is staggering. For $12 and perhaps 30 minutes of effort, Stoner created a persistent false reality within the AI ecosystem. Compared to traditional disinformation campaigns that require extensive infrastructure, social media amplification, and sustained effort, this approach is remarkably efficient.

How AI Companies Are Failing at Verification

The experiment exposes a gap that the AI industry has yet to meaningfully address: source verification and cross-referencing. Current large language models and retrieval-augmented generation systems are optimized for fluency and relevance, not for epistemic rigor.

Traditional journalism follows a basic verification standard — a claim generally requires at least 2 independent sources before publication. AI chatbots, by contrast, will confidently relay claims backed by a single self-referencing source. The systems lack what might be called 'epistemic humility' — the ability to recognize when evidence is thin and communicate that uncertainty to users.

Some companies have taken partial steps. Perplexity AI displays inline citations, allowing users to check sources. Google's Gemini occasionally adds caveats about uncertain information. But none of the major AI assistants flagged Stoner's claim as suspicious, despite the obvious red flags that any trained fact-checker would immediately identify.

The technical challenge is significant. Building robust source verification into AI systems would require models to evaluate not just the content of sources but their provenance, independence, and corroboration patterns — a much harder problem than simple information retrieval.

Industry Context: A Growing Pattern of AI Manipulation

Stoner's experiment is not an isolated case. It fits into a growing body of research and real-world incidents demonstrating how AI systems can be manipulated through their training data and retrieval pipelines.

In 2024, researchers demonstrated SEO poisoning attacks that could influence AI-generated search results. Earlier this year, security teams at multiple companies documented cases where fabricated LinkedIn profiles and fake company websites were used to deceive AI-powered hiring tools. The academic community has published extensively on data poisoning — the deliberate corruption of training datasets to influence model outputs.

What makes Stoner's demonstration particularly compelling is its simplicity. This was not a sophisticated adversarial attack requiring deep technical knowledge. It was a basic social engineering exercise that exploited the trust AI systems place in web content — and it worked flawlessly.

What This Means for Users and Developers

For everyday users, the lesson is clear: treat AI-generated answers with the same skepticism you would apply to any single source. AI chatbots are powerful tools for brainstorming, summarization, and exploration, but they are not reliable fact-checkers. Critical decisions should never rest solely on an AI-generated answer.

For developers building AI-powered applications, the experiment underscores the need for multi-source verification, confidence scoring, and transparent source attribution. Applications that present AI outputs as authoritative answers carry a responsibility to implement safeguards against information manipulation.

For the AI industry broadly, Stoner's $12 experiment is a wake-up call. As AI chatbots increasingly replace traditional search for millions of users, the absence of robust verification mechanisms creates a systemic vulnerability. The industry must invest in solving the source credibility problem before adversaries exploit it at scale — not for card game championships, but for stakes that genuinely matter.

Looking Ahead: Can AI Learn to Doubt?

The path forward likely involves several complementary approaches. AI systems need better provenance tracking — understanding not just what a source says, but who published it, when, and whether independent sources corroborate the claim. Models need to be trained to express calibrated uncertainty, distinguishing between well-established facts and thinly sourced claims.

Some researchers are exploring adversarial verification layers — secondary AI systems specifically designed to challenge and fact-check the outputs of primary models. Others are working on knowledge graph approaches that map relationships between claims and sources, making circular reference patterns easier to detect.

Until these solutions mature, the uncomfortable truth remains: for the price of a coffee and a domain name, anyone can rewrite reality inside the AI ecosystem. And that should concern everyone who relies on AI-generated information — which, increasingly, means all of us.