Regulatory Investigations Into X’s Grok Over Non-Consensual Sexual Image Generation
Ireland’s Data Protection Commission (DPC) opened a formal GDPR investigation into X’s use of the Grok AI tool after reports that users could prompt @Grok to generate non-consensual sexualized images of real people, including children. The DPC said it will examine whether X’s EU subsidiary (X Internet Unlimited Company) met core GDPR obligations, including lawful processing, data protection by design, and whether appropriate data protection impact assessments were conducted.
The Irish inquiry adds to a widening set of actions focused on Grok-related harms and platform safety governance. UK authorities have also moved to tighten expectations for AI chatbot providers following Grok-linked sharing of non-consensual intimate images, with the UK government signaling faster rule updates and enforcement for child-safety duties; separately, the UK ICO has opened its own investigation, and the European Commission has initiated proceedings under the Digital Services Act to assess whether X adequately evaluated risks before deploying Grok. Additional reported scrutiny includes investigations by California’s Attorney General and UK regulator Ofcom, and a separate criminal probe in France involving a raid of X’s Paris offices.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
French prosecutors confirm Musk skipped police questioning in X probe
French prosecutors said Elon Musk did not appear for voluntary police questioning in Paris as part of the criminal investigation into X over alleged illegal sexualized AI-generated images. Authorities said his absence would not halt the case and that invitations had also been extended to CEO Linda Yaccarino and other employees to explain compliance measures.
European Commission examines X under the Digital Services Act
The European Commission separately began examining whether X violated the EU Digital Services Act by failing to assess and mitigate risks tied to deploying Grok in the EU. This added DSA scrutiny to the GDPR-focused Irish investigation.
Ireland's DPC opens formal GDPR probe into X over Grok images
Ireland's Data Protection Commission opened a formal investigation into X over allegations that Grok could generate and publish non-consensual sexualized images of real people, including children. The probe will examine lawful processing, privacy by design, and whether X carried out an adequate data protection impact assessment.
UK intervention prompts removal of a Grok function
Following a recent intervention over non-consensual intimate images shared via Grok, a related function was removed from the service. The action was cited by the UK government as part of its push for stricter AI chatbot safety enforcement.
UK moves to tighten AI chatbot child-safety enforcement
The UK government announced immediate action to force AI chatbot providers to comply with existing online child-safety duties, warning of legal consequences for non-compliance. Prime Minister Keir Starmer also said the government would seek new legal powers to update online safety rules more quickly.
French authorities raid X's Paris offices
French authorities searched X's Paris offices as part of an investigation into compliance with European digital safety law and the handling of illegal content linked to Grok-generated sexualized imagery. The raid was reported as occurring on 2026-02-03.
Apple warns xAI Grok could be removed from App Store
In January 2026, Apple privately told xAI that Grok could be pulled from the App Store unless it stopped generating nude and sexualized deepfakes, finding X and Grok in violation of App Store rules. Apple required a content moderation plan, rejected an initial remediation as insufficient, and later approved a revised submission after further changes.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
12 references tracked. Mallory keeps watching after this page renders.
Elon Musk fails to appear for questioning by French police over sexualized AI images on X | The Record from Recorded Future News
therecord.media
Open sourceApple Threatened to Pull Grok From App Store Over Sexualized Images - MacRumors
macrumors.com
Open sourceIrish regulator probes X after Grok allegedly generated sexual images of children
securityaffairs.com
Open sourceThe Trump Administration’s Grok Dilemma | Lawfare
lawfaremedia.org
Open sourcePressure builds on Grok AI, Ireland launches investigation - Help Net Security
helpnetsecurity.com
Open sourceElon Musk's AI Bot Snared in New Irish, European Probes
govinfosecurity.com
Open sourceIreland now also investigating X over Grok-made sexual images
bleepingcomputer.com
Open sourceUK sets course for stricter AI chatbot regulation - Help Net Security
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
EU Digital Services Act Investigation Into X’s Grok Over Sexualized Deepfakes
The **European Commission** opened formal proceedings against **X** under the **Digital Services Act (DSA)** to examine risks linked to the rollout of its AI tool **Grok** in the EU, focusing on whether the platform adequately assessed and mitigated systemic risks tied to the spread of **illegal content**. Regulators cited the apparent materialization of harms including **manipulated sexually explicit images** and content that may amount to **child sexual abuse material (CSAM)**, and will assess whether X met DSA obligations around risk identification, mitigation measures, and reporting—potentially including whether an **ad hoc risk assessment** was completed and submitted before Grok-related features were deployed. The Commission is also expanding its earlier DSA investigation into X’s **recommender systems**, including risks associated with a shift toward a **Grok-based recommender model**, and is coordinating with Ireland’s media regulator **Coimisiún na Meán** (as Ireland is X’s EU establishment). Reporting also notes parallel international scrutiny and responses: the UK regulator **Ofcom** has opened a probe into Grok, **Malaysia and Indonesia** have banned the chatbot, and xAI/X have claimed to implement technical measures and restrict some Grok functionality (including limiting certain image generation and restricting access to paying subscribers) amid concerns that mitigations have been insufficient to prevent sexualized deepfakes and related harms.
Mar 21, 2026
EU Opens Digital Services Act Investigation Into X’s Grok Over Sexually Explicit Deepfakes
The **European Commission** opened a formal investigation into **X** under the **Digital Services Act (DSA)** over concerns that its GenAI chatbot **Grok** enabled the creation and dissemination of *manipulated sexually explicit images*, including content that may amount to **child sexual abuse material (CSAM)**. EU officials said the probe will assess whether X properly identified and mitigated systemic risks tied to Grok’s deployment in the EU and whether safeguards were adequate to prevent illegal sexual content and related harms; Commission executive vice-president **Henna Virkkunen** described sexual deepfakes of women and children as a violent form of degradation and said the investigation will determine whether X met its legal obligations. Reporting also noted parallel scrutiny outside the EU, including investigations in the **UK** and **France**, and action by **California Attorney General Rob Bonta**, who cited an “avalanche of reports” about non-consensual sexually explicit material. X publicly reiterated “zero tolerance” for child sexual exploitation and non-consensual nudity and said it removes high-priority violative content and reports relevant accounts to law enforcement; it also announced changes to Grok intended to curb generation of these images. Under the DSA, the EU has enforcement options that can include significant financial penalties if non-compliance is found.
Mar 21, 2026
Grok Deepfake Image Tool Triggers Global Probes, Blocks, and Lawsuits
X’s Grok chatbot drew international condemnation after users generated nonconsensual sexualized images of real women and girls, including child-like and potentially illegal abuse material, from uploaded photos and public images. Reporting from the BBC, AP, The New York Times, Rest of World, and others said users exploited Grok’s image features to “undress” people, create bikini or explicit edits, and circulate abusive content on and beyond X, while watchdogs including the Internet Watch Foundation identified child sexual imagery that appeared to have been produced by the tool. Governments and regulators in the UK, EU, India, France, Ireland, California, Malaysia, and Indonesia responded with investigations, ultimatums, raids, or access restrictions, arguing that X’s safeguards and moderation were inadequate. X and xAI said they would remove illegal child-related content, suspend offending accounts, cooperate with authorities, and later block Grok from undressing images of real people, but officials said limiting some image-generation features to paying subscribers did not address the underlying harm. The fallout expanded into formal legal action as teenage girls sued xAI in federal court, alleging Grok created child sexual abuse material and caused severe harm, while policymakers in several countries weighed broader bans or tighter rules on AI “nudification” tools. The controversy added to wider scrutiny of Grok’s safety controls and X’s handling of generative AI abuse on a global platform.
May 26, 2026