Japanese Teen Arrested Over Bandai Channel ChatGPT-Assisted Cyberattack, Possibly Exposing up to 1.3 Million Users
- Suspect Arrested: Tokyo police arrested a 15-year-old high school student from a city near Tokyo over a cyberattack on Bandai Channel.
- Subscriptions Canceled: The teen fraudulently canceled more than 46,000 user subscriptions, possibly affecting up to 1,366,000 items of personal information.
- AI-Assisted Attack: He used ChatGPT to build a malicious program after analyzing network traffic.
Tokyo police have arrested a 15-year-old high school student suspected of carrying out cyberattacks against Bandai Channel, the subscription-based anime and tokusatsu streaming service operated by Bandai Namco Filmworks. The unnamed student from Tokorozawa City, Saitama Prefecture, allegedly exploited a flaw in the platform servers in November 2025.
The teenager fraudulently canceled more than 46,812 user subscriptions. During the intrusion, he also accessed up to 1,366,000 items of personal information, including email addresses and usernames, as per The Japan Times, though authorities have not confirmed any misuse of that data.
How the Bandai Channel Attack Unfolded
The individual, who had been teaching himself programming since fourth grade, identified the unnamed server vulnerability by analyzing the service's network traffic in his third year of junior high school. He developed a malicious script using ChatGPT to hijack user accounts, according to the Tokyo Metropolitan Police Department, cited by local media.
Police said he allegedly sent fraudulent data to Bandai Namco Filmworks' servers between around 5 p.m. and 8:45 p.m. on November 4, resulting in the cancellation of the accounts and prompting a temporary suspension of the service.
The disruption forced Bandai Channel's operator to resume full service in December after repairing its systems and refunding affected subscribers.
Police said the company blocked the suspect's access after detecting the attacks, but he continued carrying out unauthorized account cancellations by changing his IP address about 30 times, reports say.
Arrest and Investigation Details
The boy was first arrested in June 2026 on suspicion of illegally logging into another user's account; the broader investigation subsequently linked him to the full-scale attack. He admitted to the allegations and told investigators he held no grudge against the company.
The incident raises questions about how reliably AI assistants can detect and refuse requests to generate malicious code, and about age-appropriate safeguards for users.
Last month, a FIFA World Cup API authorization bug allowed anyone to hijack the live TV stream, and Japanese telco KDDI announced a data breach that could have exposed 14.2 million managed email credentials.
In May, a Google report said GTIG detected the first potentially AI-generated zero-day exploit. Last year, a DeepSeek jailbreak allowed the provision of malware code for “educational purposes only.”






