AI chat is quickly becoming where people go for answers—and advertisers (and attackers) are paying attention. In its Jan 23, 2026 report, “Will ChatGPT become vulnerable to malvertising?”, Moonlock Lab examines how ads inside chat experiences could blur the line between recommendation and promotion, and what that could mean for malware delivery and social engineering at scale.
What’s in the piece
- Ads are coming to AI platforms: The article notes rising advertiser interest as users shift from traditional search to AI, and raises the question of whether malvertising will follow.
- Malvertising can feel like “advice” inside chat: Trevor Horwitz (TrustNet) argues that conversational interfaces can reduce a user’s guard—especially when an ad resembles a recommendation.
- Trust boundaries expand with monetization layers: Dane Sherrets (HackerOne) frames the challenge as managing trust boundaries and treating anything rendered client-side as part of the attack surface.
- Security visibility is still unclear: The piece highlights that ad “principles” discussed publicly don’t spell out the cybersecurity checks that will prevent malicious ads from getting through.
Why it matters
Malvertising doesn’t have to look malicious to work. If users increasingly rely on AI chat for guidance, a compromised or abusive ad pathway can become a high-scale distribution channel—especially if attackers can predict which intents and keywords trigger which promotions.
Highlights from expert voices
- TrustNet (Horwitz): In-chat malicious prompts or ads may be clicked more often because they feel like recommendations—and can be tailored by timing and language.
- HackerOne (Sherrets): The hard part is managing trust boundaries as dynamic content and monetization expand what must be treated as an attack surface.
- HackerOne report stats cited in the piece: Misconfiguration vulnerabilities up 29%; 13% of organizations reported an AI-related security incident; 97% lacked proper AI access controls; 210% increase in valid AI-related vulnerability reports (including AI security and AI safety categories).
Protegrity POV (from the piece)
Clyde Williamson (Protegrity) focuses on how keywords and user intent could shape ad targeting—and how that targeting might be exploited. He suggests that if certain concepts reliably trigger certain ads, attackers may try to manipulate prompts via prompt injection, a rogue tool, or a service to ensure those ads appear. He also notes that ad targeting toward larger pools of users (including less technically savvy tiers) may create “prime hunting territory” for cybercriminals.
Practical takeaways for readers
- Don’t download software from links surfaced in AI chat: Treat AI responses like advice that still needs verification.
- Verify the source before you click: If an offer or tool looks “perfectly relevant,” validate the publisher and destination independently.
- Assume attackers will test what drives ad placement: If monetization depends on intent signals, those signals will be probed and abused.
Key Takeaways
- AI chat changes the “feel” of ads: malicious promotion can masquerade as helpful guidance.
- Intent-based ad targeting becomes a new control point: keyword triggers, tools, and injection paths deserve security attention early.