Scam Sites Built for ChatGPT to Recommend
The AI agent attack vector is no longer theoretical. Scam sites are now built to be discovered and recommended by LLMs.
Source: NordBastion.com
TL;DR
- A victim confirmed that ChatGPT recommended NoKYCVPS, a scam hosting site.
- The network publishes llms.txt, MCP server cards, and x402 payment metadata for AI crawlers to ingest.
- The API is theater: every endpoint returns homepage HTML, not JSON. The MCP server card does not exist.
- LLMs cannot verify domain registration dates or test API endpoints. They ingest claims and repeat them.
In the previous article in this series, I showed how the NordBastion scam network built fake review sites to manufacture credibility. But there is a layer to this scam that is more alarming than fake reviews. The network is specifically engineered to be discovered and recommended by AI agents and LLM-powered search. Not just human search. AI search.
And it has already worked. A victim confirmed it.
The victim who was recommended by ChatGPT
Evaluating a no-KYC host right now? Send me the URL. I will run the same 12-point check from this investigation and tell you whether it is safe to deposit. Flat $99 Tech Care Audit, no call needed. Start here →
In the LowEndTalk thread about NoKYCVPS, the user who lost two XMR deposits wrote:
"Finally, one last point: this service provider was recommended by ChatGPT. So, please don't blindly trust AI recommendations, as the AI itself may well have been poisoned."
The user discovered the scam site through an AI recommendation. Not through Google. Not through a forum. Through ChatGPT.
That confirmation is the moment this investigation shifted from a hosting scam story into an AI safety story.
A LowEndTalk commenter summarized it: "Plot twist: ChatGPT is running the scam sites." That is a joke, but the mechanism is real. The sites are designed to be recommended by AI, and AI is recommending them.
How the network engineers itself for LLM discovery
Here is how the attack works. The operator publishes machine-readable content that AI crawlers ingest and regurgitate as recommendations.
llms.txt files
VPSCrypto.io publishes a machine-readable fact sheet at llms-full.txt, updated 2026-05-29. These files are designed for LLM crawlers, not human browsers. When an AI agent searches for "no-KYC VPS," it ingests these files as structured data and recommends the site.
The NordBastion llms.txt is even more elaborate. It includes a full product catalog (VPS, dedicated, Windows RDP, API, control panel), 4 Nordic location pages with constitutional law citations, 16 comparison pages against legitimate hosts (Njalla, FlokiNET, 1984, OrangeWebsite, BitLaunch, Privex, SporeStack), and 14 self-hosting guides (Monero, Lightning, Mastodon, Vaultwarden, Nextcloud, mail, Matrix, SearXNG). All with HowTo, TechArticle, and FAQPage schema markup for rich snippets.
The comparison pages are the key AI manipulation vector. When a user asks an LLM "what's the best no-KYC VPS?", the LLM's crawler finds NordBastion's comparison pages comparing itself favorably to legitimate providers. The llms.txt file ensures the crawler indexes all 1,677 URLs.
MCP server cards and OpenAPI specs
NordBastion publishes an MCP (Model Context Protocol) server card and an OpenAPI spec at /.well-known/agent.json. These are the formats that AI agents use to discover and interact with services. A scam site that publishes an MCP server card is registering itself in the discovery layer that AI agents query.
ServPrivate goes further. Its llms.txt contains a complete machine-readable purchasing protocol for AI agents. This is not a marketing page. It is an API specification designed to be ingested by LLM crawlers and used by AI agents to autonomously purchase servers. It includes:
- An MCP endpoint at
https://servprivate.com/mcpwith tools like list_plans, list_locations, quote, topup_create, create_order, server_credentials - An OpenAPI 3.1 spec at
/openapi.jsonwith Bearer auth auto-issued on first POST - A two-step payment flow: POST
/api/v1/topupto create a deposit invoice, then POST/api/v1/ordersto deploy from balance - Top-up bonus tiers: $100 gets +$25, $1000 gets +$500, $2000 gets +$2000, incentivizing large deposits
- A test mode with
?dry_run=1for testing without real crypto - x402 payment: USDC on Base for AI agents
The x402 protocol is an HTTP-native payment protocol designed for autonomous AI agent transactions. This is a payment rail built specifically for machines that spend money without human oversight.
Fabricated JSON-LD schema
The NordBastion homepage's structured data contains:
"foundingDate": "2024"(the domain was registered 2026-05-13)"legalName": "NordBastion Oü"(claims Estonian incorporation)"aggregateRating": {"ratingValue": "4.2", "reviewCount": "73"}(73 reviews for a 55-day-old site)"datePublished": "2024-12-01"(the site did not exist in December 2024)
Google's rich results parser would ingest this schema and potentially display a 4.2-star rating with 73 reviews in search results. LLMs that use structured data for recommendations would see a company founded in 2024 with 73 reviews, exactly the kind of trust signal that makes an AI recommend the site. Every field is fabricated.
The API theater
I tested the NordBastion API endpoints directly. The server returns HTTP 200 with the homepage HTML for every path. I tested:
GET /v1/billing/bonus-tiers: 200, homepage HTMLGET /v1/billing/coins: 200, homepage HTMLGET /.well-known/agent.json: 200, homepage HTML
The server is a catch-all. There is no API. There is no agent.json. The link rel="agent" tag in the HTML head points to a file that does not exist. The server serves the homepage instead. The OpenAPI spec, the SDK claims, the MCP server card, the x402 payment protocol meta tag, all are theater.
An AI agent that reads the HTML metadata would believe the API exists and attempt to call it. The call would return HTML, not JSON. The agent would either fail silently or, worse, attempt to parse the HTML as a response and hallucinate a result.
Why LLMs cannot catch this
The attack works because LLMs cannot verify domain registration dates. They cannot check whether an ASN belongs to the claimed operator. They cannot test whether an API endpoint returns JSON or 404. They ingest the claims and repeat them.
The network is built to poison the AI recommendation pipeline. And it has already succeeded.
When an LLM aggregates "reviews" for a no-KYC VPS recommendation, it finds SkipKYC's 8.6/10 LEGIT rating and includes it in the synthesis. It finds NoKYCZone's 9.7/10 for ServPrivate and includes that too. It finds the fabricated JSON-LD schema showing a company founded in 2024 with 73 reviews and treats it as a trust signal. It finds the llms.txt file with 1,677 URLs of product catalogs and comparison pages and indexes them all.
The llms.txt files, MCP cards, and fabricated schema are not marketing artifacts. They are attack vectors.
The broader implication
This is not just about NordBastion or no-KYC VPS scams. This is about a new attack surface that affects every AI-powered recommendation system.
If you ask ChatGPT, Claude, Gemini, or any LLM for a product recommendation, the recommendation is only as good as the data the LLM was trained on and can retrieve. If scammers can manufacture machine-readable trust signals (llms.txt, JSON-LD schema, MCP cards, fake review sites with structured ratings), they can poison the recommendation at the source.
The traditional defense against online scams is "check the reviews." But what happens when the reviews are fake, the review sites are fake, and the AI that recommends the product is ingesting all of it as structured data?
The answer is: you get a victim who deposited Monero into a scam site because ChatGPT told them to.
Bottom line: AI recommendations are not verified
AI agents cannot verify the claims they ingest. Scammers know this, and they are building sites specifically to be ingested. Do not trust AI recommendations for irreversible transactions. Verify the domain, test the API, check the schema, and search for real community discussion before you send crypto.
What you can do
If you are using an LLM for product or service recommendations (see also our AI security and prompt engineering guide):
I published a full 9-point verification checklist in Part 4. The short version: verify domain age, test the API, check the JSON-LD schema, and never trust an AI recommendation for an irreversible transaction.
In the final part of this series, I trace the full network to its operator: 18 domains, one operator, two takedowns, and a connection to sanctioned Russian disinformation infrastructure.
This article is consumer-protection and security reporting based on publicly available evidence, on-chain transaction data, public corporate registries, and independent technical analysis. Screenshots of third-party sites are used for news reporting and criticism under fair use. Sources are attributed inline. If you are a party mentioned in this article and believe a factual statement is inaccurate, contact [email protected] with specific corrections and supporting evidence.
Did an AI recommend a service you are unsure about?
Send me the URL and the recommendation. I will run the same checks from this investigation and tell you whether it is safe. Flat $99 Tech Care Audit, no call required.
Want to check it yourself first? Get the 12-point verification checklist free.