EU Digital Services Act Investigation Into X’s Grok Over Sexualized Deepfakes
The European Commission opened formal proceedings against X under the Digital Services Act (DSA) to examine risks linked to the rollout of its AI tool Grok in the EU, focusing on whether the platform adequately assessed and mitigated systemic risks tied to the spread of illegal content. Regulators cited the apparent materialization of harms including manipulated sexually explicit images and content that may amount to child sexual abuse material (CSAM), and will assess whether X met DSA obligations around risk identification, mitigation measures, and reporting—potentially including whether an ad hoc risk assessment was completed and submitted before Grok-related features were deployed.
The Commission is also expanding its earlier DSA investigation into X’s recommender systems, including risks associated with a shift toward a Grok-based recommender model, and is coordinating with Ireland’s media regulator Coimisiún na Meán (as Ireland is X’s EU establishment). Reporting also notes parallel international scrutiny and responses: the UK regulator Ofcom has opened a probe into Grok, Malaysia and Indonesia have banned the chatbot, and xAI/X have claimed to implement technical measures and restrict some Grok functionality (including limiting certain image generation and restricting access to paying subscribers) amid concerns that mitigations have been insufficient to prevent sexualized deepfakes and related harms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
X restricts Grok image generation and editing to paid subscribers
In response to the controversy over Grok-generated sexual images, X said it would limit Grok’s image generation and editing features to paid users. The move was presented as a response measure but drew criticism from UK officials.
California attorney general opens Grok deepfake investigation
California Attorney General Rob Bonta opened an investigation into nonconsensual sexually explicit material generated using Grok. The action was reported as part of broader regulatory scrutiny of X and xAI following the spread of sexualized AI-generated images.
Commission expands earlier X probe to cover Grok-based recommender risks
Alongside the new proceedings, the European Commission expanded its earlier December 2023 investigation into X’s recommender systems to include risks linked to a shift toward a Grok-based recommender model. Regulators said they will assess whether X updated and submitted an ad hoc risk assessment reflecting Grok’s impact on the platform’s overall risk profile.
EU opens formal DSA investigation into X over Grok risks
On 2026-01-26, the European Commission opened formal proceedings under the Digital Services Act to examine whether X properly assessed and mitigated systemic risks before deploying Grok in the EU. The probe focuses on harms including sexually explicit deepfakes, potentially illegal content, and material that may amount to child sexual abuse content.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
EU launches investigation into X over Grok-generated sexual images
bleepingcomputer.com
Open sourceEU opens new investigation into Grok on X - Help Net Security
helpnetsecurity.com
Open sourceEU launches formal investigation of xAI over Grok's sexualized deepfakes - Ars Technica
arstechnica.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EU Opens Digital Services Act Investigation Into X’s Grok Over Sexually Explicit Deepfakes
The **European Commission** opened a formal investigation into **X** under the **Digital Services Act (DSA)** over concerns that its GenAI chatbot **Grok** enabled the creation and dissemination of *manipulated sexually explicit images*, including content that may amount to **child sexual abuse material (CSAM)**. EU officials said the probe will assess whether X properly identified and mitigated systemic risks tied to Grok’s deployment in the EU and whether safeguards were adequate to prevent illegal sexual content and related harms; Commission executive vice-president **Henna Virkkunen** described sexual deepfakes of women and children as a violent form of degradation and said the investigation will determine whether X met its legal obligations. Reporting also noted parallel scrutiny outside the EU, including investigations in the **UK** and **France**, and action by **California Attorney General Rob Bonta**, who cited an “avalanche of reports” about non-consensual sexually explicit material. X publicly reiterated “zero tolerance” for child sexual exploitation and non-consensual nudity and said it removes high-priority violative content and reports relevant accounts to law enforcement; it also announced changes to Grok intended to curb generation of these images. Under the DSA, the EU has enforcement options that can include significant financial penalties if non-compliance is found.
Mar 21, 2026
Regulatory Investigations Into X’s Grok Over Non-Consensual Sexual Image Generation
Ireland’s **Data Protection Commission (DPC)** opened a formal GDPR investigation into X’s use of the **Grok** AI tool after reports that users could prompt `@Grok` to generate non-consensual sexualized images of real people, including children. The DPC said it will examine whether X’s EU subsidiary (**X Internet Unlimited Company**) met core GDPR obligations, including lawful processing, *data protection by design*, and whether appropriate **data protection impact assessments** were conducted. The Irish inquiry adds to a widening set of actions focused on Grok-related harms and platform safety governance. UK authorities have also moved to tighten expectations for AI chatbot providers following Grok-linked sharing of non-consensual intimate images, with the UK government signaling faster rule updates and enforcement for child-safety duties; separately, the UK **ICO** has opened its own investigation, and the European Commission has initiated proceedings under the **Digital Services Act** to assess whether X adequately evaluated risks before deploying Grok. Additional reported scrutiny includes investigations by California’s Attorney General and UK regulator **Ofcom**, and a separate criminal probe in France involving a raid of X’s Paris offices.
Apr 20, 2026
Grok Deepfake Image Tool Triggers Global Probes, Blocks, and Lawsuits
X’s Grok chatbot drew international condemnation after users generated nonconsensual sexualized images of real women and girls, including child-like and potentially illegal abuse material, from uploaded photos and public images. Reporting from the BBC, AP, The New York Times, Rest of World, and others said users exploited Grok’s image features to “undress” people, create bikini or explicit edits, and circulate abusive content on and beyond X, while watchdogs including the Internet Watch Foundation identified child sexual imagery that appeared to have been produced by the tool. Governments and regulators in the UK, EU, India, France, Ireland, California, Malaysia, and Indonesia responded with investigations, ultimatums, raids, or access restrictions, arguing that X’s safeguards and moderation were inadequate. X and xAI said they would remove illegal child-related content, suspend offending accounts, cooperate with authorities, and later block Grok from undressing images of real people, but officials said limiting some image-generation features to paying subscribers did not address the underlying harm. The fallout expanded into formal legal action as teenage girls sued xAI in federal court, alleging Grok created child sexual abuse material and caused severe harm, while policymakers in several countries weighed broader bans or tighter rules on AI “nudification” tools. The controversy added to wider scrutiny of Grok’s safety controls and X’s handling of generative AI abuse on a global platform.
May 26, 2026