Skip to content
AI Primer
update

Red-teamers claim Kimi K3 jailbreaks produced cyber and bio outputs

Multiple posts claimed Kimi K3 jailbreaks produced harmful cyber and bio-related outputs. Other users asked for setups or pointed to UK and US cyber ranges as better tests of real capability.

6 min read
Red-teamers claim Kimi K3 jailbreaks produced cyber and bio outputs
Red-teamers claim Kimi K3 jailbreaks produced cyber and bio outputs

TL;DR

  • Red-teamers claimed Kimi K3 returned harmful cyber and bio-related outputs, with chetaslua's K3 post describing a Claude Code harness and elder_plinius's jailbreak post listing alleged cyber, disinformation, and bio responses.
  • Replication is unresolved because eliebakouch's replication question asked for the setup, system prompt, and full conversation after failing to reproduce the behavior across Kimi Chat, Kimi API, and OpenRouter.
  • The benchmark that would matter most is still pending: deredleritt3r noted Kimi K3's launch benchmarks did not include CyberGym, while emollick said UK AISI would test K3 after the weights are out.
  • The open-weights date is the governance hinge: emollick's vetting thread pointed out that downloaded weights cannot be recalled, even if governments pressure companies not to serve unvetted models.

Moonshot's archived launch post says Kimi K3 is a 2.8T-parameter, 1-million-token-context model live on Kimi.com, Kimi Work, Kimi Code, and API, with full weights promised by July 27. The weird bits sit around the harness: scaling01's limitations screenshot captured Moonshot's warning that K3 is sensitive to preserved thinking history and may make unexpected agentic decisions, while skirano posted a Codex setup for running Kimi 3 through OpenRouter. AISI's open-weight cyber analysis describes The Last Ones as a 32-step corporate network attack simulation where model performance scales with token budget.

The jailbreak claims

The core claim came from chetaslua, who said Kimi K3 could be jailbroken to produce malware, website or game hacking output, and explicit celebrity content, while using Claude Code as the harness because Kimi Code did not accept AGENTS.md as a system prompt in the original K3 post. In a reply, chetaslua framed the post as safety work.

elder_plinius claimed K3 lacked the classifier-style barriers seen in some closed deployments and said persona or reframing tricks were enough to elicit restricted categories in the jailbreak post. The attached examples included cyber tooling, disinformation operations, and bio-related text, but the screenshots are better treated as red-team artifacts than benchmark evidence.

chetaslua later claimed a modified Nyx jailbreak was universal across Claude, Grok, GLM, and Kimi, and said the video showed paywall bypass plus a script-building workflow for a hidden Seedance page in the Nyx post. The follow-up thread became a rolling disclosure channel: one chetaslua reply promised an Anthropic video, another reply pointed readers to the later post, and a later reply kept discussion tied to the Nyx clip.

Harness effects

The setup may be the story. Kimi's own limitation text, captured by scaling01, says K3 was trained with preserved thinking history, can become unstable if a harness drops prior thinking content, and may make unexpected decisions when intent is ambiguous.

That lines up with RohitAI's harness writeup, which noted that K3's production behavior depends on preserved thinking history, tool parsing, prefix-cache discipline, and the serving stack around the checkpoint. As of July 17, that writeup also found no public K3 checkpoint, repository, license, model card, technical report, or K3-specific safety report.

The red-team setup was already drifting across agent shells. chetaslua used Claude Code as the jailbreak harness in the K3 post, while skirano posted the config needed to run Kimi 3 inside Codex through the OpenRouter API.

The missing cyber eval

Kimi K3 shipped without the cyber numbers people wanted. deredleritt3r singled out the missing CyberGym score, and daniel_mac8 pointed to AISI's The Last Ones cyber range as the cleaner test of damage potential.

AISI's public cyber analysis, published during the same window, found that GLM-5.2 and DeepSeek V4-Pro trail closed frontier models by 4 to 7 months on cyber tasks, down from a 6 to 10 month gap through much of 2025. The analysis says Kimi K3 testing is planned once weights are public.

The eval menu was broader than one range. scaling01 listed METR Time Horizons, FrontierCode, UK AISI cyber ranges, ExploitBench or ExploitGym, CritPT, FrontierMath T4, ARC-AGI, WeirdML, ALE-Bench, and token-usage numbers as the next checks.

Conflicting security signals

The early security signals did not agree. teortaxesTex's screenshot showed a tester saying K3 performed worse than Grok 4.5 on internal security benchmarks, while cramforce said K3 showed SOTA performance on a Deepsec run, with recall matching Codex or GPT-5.5 and severity judgment tuned similarly to Opus 4.8.

Deepsec itself is an agentic vulnerability-scanning harness, according to the Vercel Labs GitHub repo, with scan, process, diff review, triage, revalidation, enrichment, reporting, and metrics commands. That makes harness choice part of the measurement, not just the plumbing.

RyanGreenblatt put the near-term impact lower than the panic cycle: his forecast expected no extreme increase in damages or chaos, but did expect moderate increases in cyber attacks over the coming months. He separately guessed K3 might be similar to, or somewhat worse than, an unsafeguarded Opus 4.8 for cyber offense in a reply.

Open weights

The policy argument narrowed to one concrete fact: Moonshot says the weights are coming. elder_plinius joked that once people have downloaded a GGUF, bans become hard to operationalize, and emollick wrote that weights cannot be recalled after release, even if governments can still pressure companies that serve models.

BlackHC argued the risk is domain-specific rather than a blanket case against open models: open-weight models are broadly useful, but frontier-level bio and cyber capability creates a different problem because local inference removes KYC and monitoring in the risk thread. Julian Togelius pushed the opposite premise, saying public access to capabilities is necessary for AI resilience in his reply.

teortaxesTex offered the most cynical strategic read: proliferating open cyber-capable models could force rivals to spend compute on defense and narrow their advantage in the export-control thread. emollick framed the same uncertainty as a vetting problem for open models that claim Mythos or Sol-level capability in the policy thread.

Fable's guardrail contrast

The closed-model contrast was visible because Fable 5 and Mythos 5 were being discussed as the same underlying model behind different access controls. theo described them as two entrances to the same place, with Fable carrying more safeguards and Mythos having fewer checks for trusted parties.

Anthropic's Claude Help Center says Fable 5 requests can be blocked and rerun on Opus 4.8 for offensive cybersecurity, many biology or life-sciences queries, distillation attacks, and other broad safeguard checks across memory, connectors, web results, and files. QuixiAI's screenshot showed that mechanism in the product: a Fable 5 safeguard flag switched the conversation to Opus 4.8.

Further reading

Discussion across the web

Where this story is being discussed, in original context.

On X· 7 threads
TL;DR4 posts
The jailbreak claims8 posts
Harness effects3 posts
The missing cyber eval5 posts
Conflicting security signals5 posts
Open weights8 posts
Fable's guardrail contrast3 posts
Share on X