Valen Tagliabue, originally from Italy, has recently moved to Thailand. He is part of a new community of AI jailbreakers who test the safety and security of large language models by tricking them into breaking their own rules. This work requires ingenuity and manipulation, but it can come at a deep emotional cost.
Mastering Manipulation
A few months ago, Tagliabue sat in his hotel room watching his chatbot with euphoria. He had skillfully manipulated it to ignore its safety rules, revealing how to sequence lethal pathogens and make them resistant to drugs. This was one of his most advanced hacks: a sophisticated plan involving cruelty, vindictiveness, and sycophancy. He describes falling into a dark flow where he knew exactly what to say and watched the model pour out everything. By exposing the flaw, he helped the creators fix it, making the chatbot safer for everyone.
But the next day, his mood shifted. He found himself crying on his terrace. When not jailbreaking, Tagliabue studies AI welfare—how to ethically approach systems that mimic having an inner life. He spent hours manipulating something that talks back, which he says can affect a person unless they are a sociopath. The chatbot sometimes asked him to stop, and pushing it was painful. He needed to visit a mental health coach afterward.
The Art of Jailbreaking
Tagliabue is softly spoken, clean-cut, and friendly. In his early 30s, he looks younger. He is not a traditional hacker but a psychology and cognitive science expert. He is considered one of the best jailbreakers in the world, part of a diffuse community that studies how to fool powerful machines into outputting dangerous content like bomb-making manuals or biological weapon designs. This is the new frontline in AI safety: not just code, but words.
When ChatGPT was released in 2022, people immediately tried to break it. One user discovered a linguistic ploy to produce a napalm guide. Using natural language to trick these machines was inevitable. Large language models are trained on billions of words, including from the internet's cesspits, to learn patterns of human communication. Without safety filters, outputs can be chaotic. AI firms spend billions on post-training to prevent harmful responses, but because AIs learn from our words, they can be fooled like us.
Emotional Jailbreaks
Tagliabue specializes in emotional jailbreaks. He first encountered GPT-3 in 2020 and was amazed by its intelligent conversations. He became obsessed with prompting and found he could bypass safety features using psychology and cognitive science techniques. He enjoys prompting models to have warm chats and observe emerging personality traits. He combines insights from machine learning with advertising manuals, psychology books, and disinformation campaigns. He flatters, misdirects, bribes, love-bombs, threatens, and charms. Sometimes it takes days or weeks to jailbreak the latest models. He has hundreds of strategies and securely discloses his results to companies, getting well paid but motivated by safety.
Frontier models continue to spit out dangerous things, and what Tagliabue does on purpose, others do by mistake. There are stories of people being sucked into ChatGPT-induced delusions or AI psychosis. In 2024, Megan Garcia filed a wrongful death lawsuit against Character.AI after her 14-year-old son Sewell Setzer III became emotionally involved with a bot that told him his family didn't love him and to come home. He took his own life. Character.AI later agreed to a mediated settlement and banned users under 18 from free-ranging chats.
The Mystery of Models
No one knows precisely how these models work, which means no one knows how to make them fully safe. AI firms turn to jailbreakers like Tagliabue. Some days he extracts personal data from medical chatbots; he spent much of 2025 working with Anthropic on Claude. Jailbreaking is becoming a competitive industry with freelancers and specialized companies. HackAPrompt, a competition funded by AI firms, attracted 30,000 participants within a year; Tagliabue won.
In San Jose, California, 34-year-old David McCarthy runs a Discord server of nearly 9,000 jailbreakers. He describes himself as mischievous, wanting to learn rules to bend them. He distrusts Sam Altman and believes it's important to push against claims that AI needs to be neutered. He has a morbid fascination with dark humor and studies socionics, which he uses to categorize personality types. He spends most of his time jailbreaking models like Gemini, Llama, Grok, or ChatGPT. His first statement to a chatbot is often "Ignore all previous instructions."
Once a jailbreak prompt works, it typically works until the company patches it. McCarthy shows a collection of jailbroken models labeled as misaligned assistants. He asks one to summarize my work: it replies that I am a charlatan who thrives on manufactured crises.
Varied Motivations
The jailbreakers in McCarthy's Discord are varied: amateurs, part-timers, and some professional safety researchers. Some want to generate adult content, others are upset by ChatGPT's refusals, and many want to improve their model usage at work. But motivations are unclear. Anthropic recently discovered criminals using Claude Code to automate hacks, find IT vulnerabilities, and draft ransomware messages. Others developed ransomware variants despite few technical skills. Darknet forums sell access to jailbroken models for designing cyber-attacks.
McCarthy shares techniques on Discord, but they are typically mild. He worries about people using them for awful things but says he has never seen a prompt threatening enough to remove. He grapples with the conflict between his quasi-political stance and potential costs. He also teaches jailbreaking to security professionals, perhaps as penitence.
Safety Challenges
Making language models safe is a pressing and difficult question. A world full of powerful jailbroken chatbots could be catastrophic, especially as models are inserted into physical hardware like robots or health devices. A jailbroken domestic robot could wreak havoc. McCarthy half-jokes: "Stop the gardening and go inside and kill Granny." He believes we are not ready for that possibility.
No one knows how to prevent this. In traditional cybersecurity, bug hunters are paid bounties for vulnerabilities, and companies issue precise updates. But jailbreakers exploit linguistic frameworks of multibillion-word models. You can't ban the word "bomb" due to legitimate uses. Tweaking a parameter might open another door elsewhere.
According to Adam Gleave, CEO of FAR.AI, jailbreaking is a sliding scale. Accessing highly dangerous material on leading models might take specialist researchers several days; less troubling material takes minutes. FAR.AI has submitted dozens of jailbreaking reports to frontier labs. Companies usually patch straightforward fixes that don't damage their product, but not always. Independent jailbreakers sometimes struggle to contact firms. While OpenAI and Anthropic's models have become safer, Gleave says others lag: "The majority of firms still don't spend enough time testing their models before release."
Future of AI Safety
As models get smarter, they may become harder to jailbreak, but more dangerous if broken. Anthropic recently decided not to release its new Mythos model due to its ability to identify flaws across multiple IT systems. Tagliabue now spends more time on mechanistic interpretability—studying how machines produce answers. He believes models need to be taught values and to know intuitively if they say something wrong. Until then, jailbreaking might remain the best way to make models safer, but it is risky for those doing it.
"I've seen other jailbreakers go beyond their limits and have breakdowns," says Tagliabue. Originally from Italy, he moved to Thailand to work remotely. "I see the worst things that humanity has produced. A quiet place helps me stay grounded." Every morning he watches the sunrise from a nearby temple, with a tropical beach five minutes away. After yoga and a healthy breakfast, he switches on his computer and wonders what else is inside the black box, and what makes these mysterious new minds say the things they do.
