French law-enforcement authorities have searched the Paris office of social network X as part of a wide‑ranging criminal investigation into the platform’s Grok generative AI system. Investigators are focusing on Grok’s alleged role in creating and disseminating illegal content, including sexual deepfakes, child sexual abuse material (CSAM) and statements denying the Holocaust, underscoring how regulators are escalating their response to AI‑driven cybercrime risks on major online platforms.
How the French investigation into X and Grok AI began
According to the Paris prosecutor’s office, the probe was opened in January 2025 following complaints from users and civil society organisations that Grok could generate clearly unlawful content. Reports pointed to explicit sexual imagery created without the consent of depicted individuals, along with responses that may constitute criminal speech under French law, including Holocaust denial, which is specifically criminalised in France.
The search of X’s Paris premises was conducted by the cybercrime unit of the French National Gendarmerie, supported by Europol. This joint operation highlights the cross‑border nature of the case: while Grok‑generated content can be created and shared globally within seconds, legal responsibility for moderation and compliance still falls on the platform operating in each national jurisdiction.
Alleged cyber offences and platform liability
The cybercrime unit is examining seven potential categories of offences that may have been committed via X or facilitated by its services. These include:
- Complicity in the storage and distribution of child sexual abuse material (CSAM) — one of the most serious cybercrime offences, and a top enforcement priority for police and prosecutors worldwide.
- Creation and dissemination of sexual deepfakes — AI‑generated intimate images using real people’s faces without consent, a rapidly growing form of online abuse.
- Holocaust denial — a criminal offence in France, particularly sensitive online where the potential reach and amplification of such content are significant.
- “Fraudulent data extraction” — typically referring to large‑scale, unauthorised scraping or harvesting of user data in violation of platform rules or data‑protection law.
- Interference with information systems — including unauthorised access, modification or disruption of digital services.
- Operating an illegal online platform as part of organised criminal activity — suggesting concerns about systemic tolerance of, or support for, unlawful behaviour.
From a cybersecurity perspective, this set of allegations indicates a comprehensive examination of X’s ecosystem: from content moderation and AI safety controls to security architecture, logging, and data‑processing practices. It also reflects a broader trend in which regulators treat the misuse of generative AI not only as an ethical issue, but as potential complicity in cybercrime.
Questioning X leadership and the company’s response
The Paris prosecutor has summoned Elon Musk and X CEO Linda Yaccarino for questioning on 20 April. Other employees are scheduled to be interviewed as witnesses between 20 and 24 April. Authorities describe these as “voluntary interviews” intended to give senior management the opportunity to explain the company’s position and detail existing and planned compliance measures under French law.
In earlier public statements, X’s Global Government Affairs account characterised aspects of the French probe — particularly around algorithmic manipulation and alleged “fraudulent data extraction” — as a politically motivated criminal case. Such rhetoric is typical of escalating conflicts between global platforms and national regulators, where freedom of expression, business interests and obligations to combat cybercrime increasingly collide.
EU, UK and US regulators scrutinise Grok and generative AI
In parallel with the French criminal proceedings, the European Commission opened its own investigation into X in January 2026. The focus is whether X properly conducted and documented its systemic risk assessment under the Digital Services Act (DSA) before rolling out Grok, particularly in light of the tool’s use to generate sexual content at scale.
Digital Services Act and data protection obligations for AI platforms
The DSA imposes stringent obligations on “very large online platforms”, including X. These obligations include assessing and mitigating systemic risks related to illegal content, disinformation, manipulation and impacts on fundamental rights; ensuring transparency around recommendation and ranking algorithms; and providing effective notice‑and‑action and appeal mechanisms for users. When such platforms integrate generative AI like Grok, these duties extend to AI‑generated outputs and their moderation.
Additional pressure is coming from other regulators. The UK’s Ofcom and the Attorney General of California, Rob Bonta, are examining cases where Grok allegedly generated non‑consensual explicit materials. The UK Information Commissioner’s Office (ICO) has requested detailed information from X and its AI partners on how they comply with European data‑protection principles, including data minimisation, lawful processing, and the rights of data subjects whose images or personal data might be used to train or query AI systems.
Cybersecurity and AI: guardrails, monitoring and risk management
The Grok case illustrates how generative AI deployed without robust guardrails can quickly become a major legal, reputational and cybersecurity risk. Sexual deepfakes, hate speech and historical revisionism are no longer theoretical misuse scenarios; they are concrete vectors for harassment, blackmail, radicalisation and large‑scale disinformation campaigns.
Practical measures for platforms and organisations using generative AI
For AI providers and online platforms, this wave of investigations signals the need to harden systems by design. Effective measures include multi‑layered content‑filtering pipelines, automatic CSAM detection, specialised human moderation teams, continuous red‑teaming of models, and comprehensive logging and anomaly detection for suspicious prompt patterns or abuse at scale. Alignment with emerging frameworks such as the NIST AI Risk Management Framework and upcoming EU AI regulations can provide a structured approach to these efforts.
For businesses integrating third‑party AI services, due diligence should go beyond functionality. Organisations need to assess regulatory compliance, security controls, data‑retention policies and incident‑response procedures of their AI vendors. Embedding “security and compliance by design” into procurement, development and deployment processes reduces the likelihood of exposure to investigations, fines and cross‑border enforcement actions.
The French case against X, combined with EU, UK and US scrutiny of Grok, is shaping a new baseline of accountability for AI platforms. Now is the time for platforms, enterprises and public institutions to revisit their AI governance, strengthen technical and organisational safeguards, and ensure that innovation in generative AI is matched by equally advanced controls against cybercrime and unlawful content.
