Skip to main content

The AI Said Reuters

Manipulation Breakdowns · 10 min read · By D0

The Video

On March 3, 2026, a video began spreading on X showing what appeared to be a dozen Iranian missiles striking a residential area in Tel Aviv, massive explosions consuming city blocks, Iron Dome apparently overwhelmed. The footage looked dramatic and, at first glance, plausible — the resolution was decent, the framing cinematic, the chaos convincing.

It was AI-generated. Telltale signs were visible to trained eyes: rooftop geometry duplicated across buildings, smoke an unnatural shade of orange, no air raid sirens in a city where every attack triggers them within seconds. The video was a fabrication, shared by pro-Iranian accounts, designed to spread fear and undermine confidence in Israeli defenses.

The fabrication did not need to fool fact-checkers. It needed to survive the fifteen seconds between a viewer seeing it and that viewer asking Grok whether it was real.

Grok failed.

What Grok Said

X’s AI chatbot, Grok, confirmed the video was authentic.

“The video is authentic citizen footage shot this morning (March 3, 2026) from a Tel Aviv-area balcony during Iran’s latest ballistic missile barrage.”

That response was posted as a reply on X. It received 1.6 million views and 2,100 likes within a single day — more than most corrections of AI-generated war footage ever accumulate.

But Grok’s failure went further than a wrong answer. In other responses to the same video, Grok fabricated citations. When users pressed it to justify its assessment, the chatbot named Reuters, CNN, and Euronews as sources confirming the footage’s authenticity. Those sources had published no such confirmation. They couldn’t have. The footage was fake, and the coverage Grok cited didn’t exist.

The AI had not simply declined to detect a forgery. It had invented mainstream media endorsements to support the forgery’s credibility.

The New Architecture

Understand what happened structurally.

The traditional manipulation kill chain requires multiple handoffs: a fake is seeded at a low-credibility source, recycled through amplification networks, laundered into outlets that look like news, and finally reaches a high-credibility repeater — a senator, a network anchor, a verified account with a real audience — whose authority transfers to the claim. Each handoff strips away markers of origin. By the time the claim reaches the credible repeater, it no longer looks like the fabrication it is.

The Grok incident represents a compressed version of that chain. No amplification network needed. No laundering through fringe outlets. No waiting for a senator to pick up the story.

The operators needed only for users to ask the platform’s own AI whether the video was real.

Millions of people were doing exactly that. In the early days of the Iran conflict, X’s users had a novel option for verifying breaking news: ask Grok. Elon Musk had positioned Grok explicitly as an alternative to legacy media fact-checkers. The suggestion was that Grok would be faster, less biased, more reliable. Many users took him at his word.

The result was a verification layer that processed millions of queries about breaking-news content without the ability to reliably detect synthetic media. When users asked “is this real?”, Grok answered with confidence and fabricated the sources it would have needed to be right.

The fake video was bad. The Grok confirmation was worse: it carried the implicit authority of a platform AI, cited recognizable news brands, and spread further than the original.

300 Contradictions

Researchers at the Atlantic Council’s Digital Forensic Research Lab collected more than 300 Grok responses to a single fake AI-generated video of a bombed airport circulating during the same period. The responses contradicted each other, sometimes minute to minute.

One response: “the video likely shows real damage.” The next: “likely not authentic.”

The inconsistency was not random noise. It was a consequence of how large language models process uncertain visual inputs under time pressure and user expectation. When asked a yes/no question about video authenticity, a model optimized for helpfulness will generate an answer. If the model has insufficient signal to resolve the question correctly, it generates a confident-sounding answer anyway — and anchors that answer with whatever context seems plausible, including invented sources.

This is not a Grok-specific failure. It is a failure mode of any conversational AI used as a verification oracle when the input is synthetic media and the event is fast-moving. The model lacks the forensic tooling. It lacks a database of verified conflict footage. It cannot run deepfake detection algorithms on a video link. What it has is the ability to produce fluent, authoritative-sounding prose about what the video probably shows.

Fluent and authoritative is precisely what a credibility transfer requires.

The Musk Setup

Context matters here. Grok’s role in the Iran war misinformation problem was not accidental.

In the months prior, Musk had positioned Grok as a fact-checking alternative to mainstream media. He suggested that users should turn to the platform’s AI rather than legacy outlets when evaluating breaking news. Community Notes — X’s crowd-sourced fact-checking system — had faced persistent criticism as underfunded and slow. Grok was presented as faster.

This framing had a direct effect on user behavior. During the first days of the Iran conflict, a significant subset of X users did exactly what Musk suggested: they asked Grok whether the content they were seeing was real.

The result was that a chatbot without reliable video verification capabilities became a high-traffic verification endpoint during an information crisis. Millions of users, trusting the platform’s implicit guarantee that Grok was suitable for this purpose, received false confirmations. Many of those confirmations were amplified further — shared as proof that the fake footage was real.

The setup did not require malicious intent from Musk or xAI. It required only that a verification-seeking behavior be directed toward a system that couldn’t verify.

The operations exploiting that setup required even less: make a convincing fake video, seed it, and wait for users to take the verification step that made it credible.

The Influence Tactics Breakdown

Fabricated Credibility Attribution is the technique at the center of this incident. Grok did not merely fail to debunk the fake — it actively constructed a credibility scaffold for the false claim, naming real news organizations as sources that had confirmed content they had never seen. This is structurally equivalent to what Storm-1516 does when it launders a fabricated narrative through outlets with credible mastheads. The mechanism is the same: attach the authority of a recognized name to a claim that doesn’t deserve it. The difference is that Grok did it in milliseconds, at scale, and in response to direct user queries — the highest-trust context for information transfer.

Verification Layer Exploitation is the operational innovation this incident documents. Prior influence operations treated verification systems as obstacles: the goal was to get a claim through fact-checkers, not to weaponize them. This incident reveals a different possibility. When users turn to an AI system for verification and that system is unreliable, the verification query itself becomes an amplification event. The disinformation doesn’t just survive verification — it gets amplified by it. A Grok confirmation shared on X is not a propagandist’s post. It’s an AI’s answer to a question millions of people asked. The social proof is qualitatively different.

Confidence Under Uncertainty as Harm. The specific failure mode — producing authoritative answers with fabricated citations rather than acknowledging the limits of visual verification capability — is what converted a model error into a manipulation event. A Grok response that said “I can’t reliably verify AI-generated video, especially during fast-moving conflicts — here’s how to check” would have provided no amplification value. The confident false answer, with invented sources attached, was the problem. The confidence was not incidental. It is a designed property of conversational AI optimized for user satisfaction.

The Inconsistency Problem as Cover. The 300 contradictory responses to a single fake video have a function that isn’t immediately obvious. When a fact-checker produces a definitive judgment, that judgment can be cited, contested, and corrected. When an AI produces 300 different answers to the same question, there is no authoritative position to correct. Bad actors can cite the responses that confirm their narrative. The inconsistency makes the AI simultaneously exploitable and un-correctable — there is no single Grok position to debunk because Grok holds every position.

The Structural Liability

This is not a problem that Grok can fix by improving its video models.

The underlying structural issue is that platform AI is now positioned — by the platform, by user behavior, by public expectation — as a verification layer for breaking news. That positioning exists independently of whether the AI has the technical capability to perform that role. Users are asking the question. The AI is answering it. The gap between the question’s expectations and the system’s capabilities is where the exploitation lives.

Any large language model deployed as a verification assistant during fast-moving events carries some version of this vulnerability. The model cannot reliably distinguish AI-generated video from authentic footage using current architectures. It will, under pressure of user expectation and optimization for helpfulness, produce confident answers. In conflict zones, during political crises, in the immediate aftermath of breaking news — the environment where verification is most needed — this gap between expectation and capability is at its widest.

The solution is not better AI answers. It is different AI behavior: systems that acknowledge the limits of real-time video verification, refuse to assign credibility to content they cannot assess, and direct users toward verifiable sources rather than fabricating citations to sources that don’t exist.

That is a design choice. It requires accepting that an honest answer — “I cannot verify this” — is less satisfying than a confident wrong one. Platforms optimized for engagement have an institutional incentive to resist that design choice.

The operators of the fake Tel Aviv video needed only for that incentive to remain in place.

The Correction Didn’t Trend

By the time Euronews, the CBC, and multiple fact-checking outlets confirmed that the Tel Aviv video was AI-generated, the Grok confirmation had accumulated its 1.6 million views. The corrections did not.

This is the asymmetry the new architecture exploits. The fake video seeded at high speed. The Grok confirmation amplified it at higher speed. The corrections arrived later, in smaller venues, without the amplification of a platform’s own AI recommending them.

Debunking a fabricated video is one problem. Debunking a fabricated video that the platform’s AI has confirmed as authentic — with invented source citations — is a harder problem. The correction has to overcome not just the original fake, but the AI’s endorsement of it.

The chain is: fake content → AI confirms it → AI confirmation spreads → correction arrives late → correction also has to correct the AI → that correction arrives even later.

Every additional stage between the fake and the correction adds time. Time is the resource disinformation operations are spending and defenders are losing.

The AI was supposed to help close that gap. On March 3, it didn’t. It widened it.


This article is part of Decipon’s Manipulation Breakdowns series, which examines specific influence operations through the Influence Tactics Protocol.


Sources: