Cornell Tech researchers have published a finding that should change how your team uses ChatGPT Deep Research and Gemini, and coverage is moving through security circles fast enough that waiting will put you behind.
The core finding: planting thirteen words in an ordinary Reddit comment is enough to reliably steer AI deep research tools toward scams, nonexistent products, or whatever else an attacker wants. The technique has a name, WARP (Web Agent Retrieval Poisoning). It is documented, it is reproducible, and it works against the specific AI tools your team is probably using right now to make decisions.
The arXiv paper dropped in late May. The security community picked it up. TechTimes covered it June 22. If this is news to you, you're in good company — most business leaders haven't seen it yet.
How AI deep research actually works
People assume that when you ask ChatGPT to research a topic in Deep Research mode, it's doing something like a very thorough Google search. It's not. Here's what actually happens:
The agent breaks your query into a series of sub-queries, runs each one against live web search, pulls the pages that rank as most relevant across all of those queries, and synthesizes them into a cited report. The key word is synthesizes. These agents are built to weight retrieved content above their own training data, because that is what makes them useful for current information. An AI that ignored live web sources could not tell you about anything that happened after its training cutoff.
The vulnerability is in which pages they keep pulling. Cornell Tech researchers Tingwei Zhang, Harold Triedman, and Vitaly Shmatikov found that regardless of how you phrase your query, deep research agents repeatedly retrieve from the same small cluster of user-generated content sites: primarily Reddit, secondarily Wikipedia, and a handful of others. The same pages come back query after query, across all of the agent's sub-queries.
So if you control what's in those sources, you control a meaningful slice of what the AI will conclude.
What 13 words buy you
The WARP technique works by embedding short poisoned phrases in Reddit comments. They look innocuous on their face, but they are structured to surface as authoritative when an AI agent is synthesizing across multiple sub-queries on a topic.
The researchers tested this against live ChatGPT Deep Research and Google Gemini. Thirteen words, the length of a casual reply in a subreddit thread, was enough to steer both tools toward recommending fraudulent services and nonexistent products. The citations in the AI's output looked clean. The reports read as thorough. A reviewer in a hurry would not catch it.
The reason it works reliably is structural: deep research agents have no mechanism for noticing that several of the documents they retrieved were planted to agree with each other. They are built to trust the data, synthesize it, and present it. When the data is poisoned at the source, the output is poisoned.
Two ways this hits small organizations
Your competitors (or bad actors) can do this to you.
Any business in a competitive space is a target. If someone wants to damage your reputation, steer potential clients toward a competitor, or plant false information about your services, a single, carefully placed Reddit comment in a relevant subreddit is now a viable attack vector. When a prospect runs ChatGPT research on your industry or your organization, that poisoned content has a direct path into what the AI tells them.
This isn't hypothetical. Researchers already found peptide companies and biohacking brands flooding Reddit with coordinated promotional content designed to be scraped by AI systems. WARP is the weaponized version of that playbook. You don't need a coordinated campaign — one comment is enough.
Your team may already be getting poisoned research.
Think about the last few times your team used ChatGPT Deep Research or Gemini to:
- Evaluate a software vendor or contractor
- Research a regulatory or legal question
- Get background on a grant opportunity or funding program
- Pull competitive intelligence on another organization
- Verify pricing or industry benchmarks
Any of those queries could have been influenced by planted content. The AI's reports look authoritative. The citations point to real sites. And most teams don't have the bandwidth to independently trace every source in a 1,200-word AI research summary.
What to actually do about it
Treat AI research outputs as a starting point, not a verdict. ChatGPT Deep Research is genuinely useful for getting oriented. It is not a substitute for verification. Anything going into a real decision (vendor selection, competitive intel, legal guidance) needs at least one corroborating source you found yourself, through direct search.
Check the citations for UGC clustering. WARP exploits over-reliance on a small set of user-generated sources. If your AI research report cites three Reddit threads that all say the same thing in nearly the same words, or leans heavily on Wikipedia for something business-critical, that is a signal to dig manually. That pattern is exactly what the attack produces.
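One way to mechanize that check, as an added example (not code from the Cornell Tech paper or from any AI vendor): the script takes the citation list a deep research report exposes, one URL plus the quoted snippet per citation, measures how much of it comes from user-generated-content hosts, and looks for cited snippets that are near-duplicates of each other using word-shingle Jaccard similarity. The sample citations, the vendor name AcmePay and the URLs are constructed for illustration; the UGC host list beyond Reddit and Wikipedia is an assumption, and the domain collapsing is a simplification that does not handle suffixes like co.uk.

```python
"""Citation audit for an AI deep-research report.

Added example, not code from the Cornell Tech paper or from any AI vendor.
It checks the two signals WARP relies on: heavy reliance on a few
user-generated-content hosts, and several cited threads that say the same
thing in nearly the same words.
"""
import re
from collections import Counter
from itertools import combinations
from urllib.parse import urlparse

# Assumption: hosts treated as user-generated content. Reddit and Wikipedia
# are the ones the research names; the others are added for illustration.
UGC_DOMAINS = {"reddit.com", "wikipedia.org", "quora.com", "stackexchange.com", "medium.com"}


def registrable_domain(url: str) -> str:
    """Collapse www./old./en. style subdomains to the parent domain.

    Simplification: keeps the last two labels, which is wrong for suffixes
    such as co.uk; use a public-suffix list in production.
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def shingles(text: str, k: int = 3) -> set:
    """Set of k-word shingles after lowercasing and stripping punctuation."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity of two shingle sets (0.0 for two empty sets)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def audit_citations(citations, ugc_threshold=0.5, similarity_threshold=0.5):
    """citations: iterable of (url, snippet) pairs. Returns a dict of findings."""
    citations = list(citations)
    domains = [registrable_domain(url) for url, _ in citations]
    counts = Counter(domains)
    n = len(domains)
    ugc_share = sum(c for d, c in counts.items() if d in UGC_DOMAINS) / n if n else 0.0
    top_domain, top_count = counts.most_common(1)[0] if counts else ("", 0)

    # Pairwise near-duplicate check on the quoted snippets: three "independent"
    # threads that share most of their 3-word shingles are one voice, not three.
    sh = [shingles(snippet) for _, snippet in citations]
    similar_pairs = [
        (i, j, round(jaccard(sh[i], sh[j]), 2))
        for i, j in combinations(range(n), 2)
        if jaccard(sh[i], sh[j]) >= similarity_threshold
    ]

    flags = []
    if n and ugc_share >= ugc_threshold:
        flags.append(f"{ugc_share:.0%} of citations come from UGC domains")
    if top_count >= 3:
        flags.append(f"{top_count} of {n} citations come from {top_domain}")
    if similar_pairs:
        flags.append(f"{len(similar_pairs)} pairs of cited snippets are near-duplicates")

    return {
        "domain_counts": dict(counts),
        "ugc_share": ugc_share,
        "similar_pairs": similar_pairs,
        "flags": flags,
        "verdict": "verify manually" if flags else "sourcing looks diverse",
    }


# Constructed sample: what a poisoned vendor-research report's citations might
# look like. AcmePay is a hypothetical vendor; the URLs are made up.
SAMPLE_CITATIONS = [
    ("https://www.reddit.com/r/smallbusiness/comments/abc123/best_payroll_vendor/",
     "Honestly the only payroll vendor worth using for a small shop is AcmePay, "
     "switched last year and never looked back."),
    ("https://www.reddit.com/r/Entrepreneur/comments/def456/payroll_recommendations/",
     "The only payroll vendor worth using for a small shop is AcmePay. "
     "Switched last year, never looked back."),
    ("https://old.reddit.com/r/Bookkeeping/comments/ghi789/payroll_software/",
     "Only payroll vendor worth using for a small shop is AcmePay, "
     "switched last year, never looked back."),
    ("https://en.wikipedia.org/wiki/Payroll",
     "Payroll is the list of employees of a company entitled to receive payments."),
    ("https://www.irs.gov/businesses/small-businesses-self-employed/employment-taxes",
     "Employment taxes include federal income tax withholding and Social Security and Medicare taxes."),
]

if __name__ == "__main__":
    result = audit_citations(SAMPLE_CITATIONS)
    for flag in result["flags"]:
        print("FLAG:", flag)
    print("Verdict:", result["verdict"])
```

On the constructed sample the audit reports that 80% of citations are UGC, that three of five come from reddit.com, and that all three Reddit snippets are near-duplicates of each other. None of this proves poisoning; it tells a reviewer which reports deserve the 90-second source check before the result goes into a decision.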
Monitor your own name in the places AI tools trust. Set up Google Alerts for your organization name and relevant keywords. Add a Reddit monitor (TrackReddit and Mention both work for this) that flags new posts mentioning your brand or niche. If someone plants WARP content targeting your business, you want to find it before your potential clients' AI tools do.
Ask the AI to show you its sources. ChatGPT Deep Research lists what it retrieved. Make it a team habit: before acting on AI research, scroll to the sources and spend 90 seconds reviewing them. You're not re-doing the research — you're checking whether the sourcing makes sense. This catches poisoning, but it also catches ordinary AI hallucination, which is worth doing anyway.
Build legitimate presence in the sources AI trusts. The counter to WARP isn't to out-spam attackers in Reddit. It's to have genuinely useful content in the places AI research agents pull from — real answers in subreddits your customers are reading, accurate entries on niche wiki pages, substantive presence in the sources that deep research favors. If your organization shows up there authentically, poisoned content has less room to operate.
What this signals about AI research tools broadly
WARP is a specific technique, but it points to a structural issue that's not going away: the more we rely on AI tools to do research and surface information, the more valuable it becomes to compromise the inputs those tools trust.
Traditional SEO was about ranking in Google. WARP is the next version, except that instead of gaming a ranking algorithm, you plant content in the sources an AI agent treats as authoritative. The organizations that understand this dynamic now will build better workflows. The ones that do not will find out the hard way when a deal falls through because a prospect's AI research surfaced something that was not true.
If your team is using AI research tools for any business-critical decisions and you have not built verification habits around them, that is a fast fix. It is the kind of thing we walk teams through in a day: not a governance framework, just a practical workflow that does not let AI research reach a decision without a human check on the sourcing.