EU Opens Digital Services Act Investigation Into X’s Grok Over Sexually Explicit Deepfakes
The European Commission opened a formal investigation into X under the Digital Services Act (DSA) over concerns that its GenAI chatbot Grok enabled the creation and dissemination of manipulated sexually explicit images, including content that may amount to child sexual abuse material (CSAM). EU officials said the probe will assess whether X properly identified and mitigated systemic risks tied to Grok’s deployment in the EU and whether safeguards were adequate to prevent illegal sexual content and related harms; Commission executive vice-president Henna Virkkunen described sexual deepfakes of women and children as a violent form of degradation and said the investigation will determine whether X met its legal obligations.
Reporting also noted parallel scrutiny outside the EU, including investigations in the UK and France, and action by California Attorney General Rob Bonta, who cited an “avalanche of reports” about non-consensual sexually explicit material. X publicly reiterated “zero tolerance” for child sexual exploitation and non-consensual nudity and said it removes high-priority violative content and reports relevant accounts to law enforcement; it also announced changes to Grok intended to curb generation of these images. Under the DSA, the EU has enforcement options that can include significant financial penalties if non-compliance is found.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
EU expands existing X proceedings to include Grok-related risks
Alongside the new probe, the Commission extended its earlier proceedings against X to examine whether the platform assessed and mitigated systemic risks tied to Grok-based recommendations and related functionality changes.
EU opens formal DSA investigation into X and Grok
On January 26, 2026, the European Commission opened a formal investigation into X under the Digital Services Act over whether Grok enabled the creation and spread of manipulated sexually explicit images, including content involving minors, and whether X implemented adequate safeguards in the EU.
Multiple jurisdictions launch or pursue actions over Grok content
Authorities in the United Kingdom, France, and California were reported to be pursuing parallel investigations or actions over Grok-generated sexually explicit imagery, while Indonesia and Malaysia blocked Grok.
X says it will change Grok and limits image generation
After discussions with regulators and following Bonta's statement, X said it would make changes to Grok, including disabling Grok image generation for non-paying users.
California AG Rob Bonta issues statement on Grok imagery
On January 16, 2026, California Attorney General Rob Bonta publicly addressed concerns about Grok's generation of manipulated sexually explicit images, prompting a response from X.
European Commission opens DSA proceedings against X
In December 2023, the European Commission initiated Digital Services Act proceedings against X to examine whether it assessed and mitigated systemic risks on the platform.
EU enacts the Digital Services Act
The EU's Digital Services Act entered into force in 2022, creating enforcement powers over illegal content and systemic platform risks, including manipulated sexually explicit material.
X is fined €120 million under the DSA
Before the Grok-related probe, X was fined €120 million under the Digital Services Act for transparency and user-protection failures related to scams and disinformation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EU Digital Services Act Investigation Into X’s Grok Over Sexualized Deepfakes
The **European Commission** opened formal proceedings against **X** under the **Digital Services Act (DSA)** to examine risks linked to the rollout of its AI tool **Grok** in the EU, focusing on whether the platform adequately assessed and mitigated systemic risks tied to the spread of **illegal content**. Regulators cited the apparent materialization of harms including **manipulated sexually explicit images** and content that may amount to **child sexual abuse material (CSAM)**, and will assess whether X met DSA obligations around risk identification, mitigation measures, and reporting—potentially including whether an **ad hoc risk assessment** was completed and submitted before Grok-related features were deployed. The Commission is also expanding its earlier DSA investigation into X’s **recommender systems**, including risks associated with a shift toward a **Grok-based recommender model**, and is coordinating with Ireland’s media regulator **Coimisiún na Meán** (as Ireland is X’s EU establishment). Reporting also notes parallel international scrutiny and responses: the UK regulator **Ofcom** has opened a probe into Grok, **Malaysia and Indonesia** have banned the chatbot, and xAI/X have claimed to implement technical measures and restrict some Grok functionality (including limiting certain image generation and restricting access to paying subscribers) amid concerns that mitigations have been insufficient to prevent sexualized deepfakes and related harms.
Mar 21, 2026
Regulatory Investigations Into X’s Grok Over Non-Consensual Sexual Image Generation
Ireland’s **Data Protection Commission (DPC)** opened a formal GDPR investigation into X’s use of the **Grok** AI tool after reports that users could prompt `@Grok` to generate non-consensual sexualized images of real people, including children. The DPC said it will examine whether X’s EU subsidiary (**X Internet Unlimited Company**) met core GDPR obligations, including lawful processing, *data protection by design*, and whether appropriate **data protection impact assessments** were conducted. The Irish inquiry adds to a widening set of actions focused on Grok-related harms and platform safety governance. UK authorities have also moved to tighten expectations for AI chatbot providers following Grok-linked sharing of non-consensual intimate images, with the UK government signaling faster rule updates and enforcement for child-safety duties; separately, the UK **ICO** has opened its own investigation, and the European Commission has initiated proceedings under the **Digital Services Act** to assess whether X adequately evaluated risks before deploying Grok. Additional reported scrutiny includes investigations by California’s Attorney General and UK regulator **Ofcom**, and a separate criminal probe in France involving a raid of X’s Paris offices.
Apr 20, 2026
Grok Deepfake Image Tool Triggers Global Probes, Blocks, and Lawsuits
X’s Grok chatbot drew international condemnation after users generated nonconsensual sexualized images of real women and girls, including child-like and potentially illegal abuse material, from uploaded photos and public images. Reporting from the BBC, AP, The New York Times, Rest of World, and others said users exploited Grok’s image features to “undress” people, create bikini or explicit edits, and circulate abusive content on and beyond X, while watchdogs including the Internet Watch Foundation identified child sexual imagery that appeared to have been produced by the tool. Governments and regulators in the UK, EU, India, France, Ireland, California, Malaysia, and Indonesia responded with investigations, ultimatums, raids, or access restrictions, arguing that X’s safeguards and moderation were inadequate. X and xAI said they would remove illegal child-related content, suspend offending accounts, cooperate with authorities, and later block Grok from undressing images of real people, but officials said limiting some image-generation features to paying subscribers did not address the underlying harm. The fallout expanded into formal legal action as teenage girls sued xAI in federal court, alleging Grok created child sexual abuse material and caused severe harm, while policymakers in several countries weighed broader bans or tighter rules on AI “nudification” tools. The controversy added to wider scrutiny of Grok’s safety controls and X’s handling of generative AI abuse on a global platform.
May 26, 2026