AI model poisoning is becoming easier to understand because it looks a lot like the old spam economy with a new target. Instead of only trying to push a website higher in search results, bad actors can try to bend the answers people receive from AI systems. If an assistant becomes the first place users ask about products, services, reviews, or health claims, manipulating that answer becomes valuable.
The most worrying part is the reported price. When answer manipulation is cheap, it stops being a rare attack and starts looking like a service. Small merchants, reputation operators, and scam networks do not need to control a whole model. They only need enough influence over the data, prompts, retrieval sources, or ranking signals that feed the model's response. That makes the problem broader than a single vendor.
This is why AI search needs stronger provenance. Users should know when an answer is based on a source, when it is uncertain, and when a recommendation is being made from weak evidence. We recently covered how AI spoof detection on Android is moving trust checks closer to users, and model answers need a similar trust layer.
Chinese outlet 36Kr reports on an AI large-model poisoning black market, including claims that answer manipulation can be purchased at low prices. The details are specific to the report, but the lesson is global. Any AI product that summarizes the web can become a target for people who want to shape what the summary says.
The attack surface is messy. Some attempts may focus on publishing pages that models or retrieval systems pick up. Others may target reviews, forum posts, knowledge panels, backlinks, or prompt-injection content hidden inside pages. The AI company may not be poisoned at training time at all; the assistant may simply retrieve a poisoned source during a live query. That makes detection harder because the bad input can move quickly.
Businesses will feel this first in reputation searches. If customers ask an AI assistant which clinic, gadget, repair shop, or software tool to choose, a manipulated answer can redirect demand. Traditional SEO already shaped consumer behavior for years. AI answer optimization could become more opaque because the user may see one confident paragraph rather than a list of competing results.
Model providers need layered defenses. They need source scoring, spam detection, prompt-injection filtering, citation quality checks, and feedback loops that do not reward coordinated manipulation. They also need to resist making answers sound more certain than the evidence supports. A cautious answer may be less flashy, but it is safer when the underlying web is adversarial.
The report should push AI companies to treat answer integrity as a core product feature. Users will not care whether the problem came from training data, retrieval, ranking, or a compromised source. They will care that the assistant gave a manipulated answer. If AI becomes the new front door to information, poisoning that door becomes the new spam business.
Publishers and brands will also need new monitoring habits. It may not be enough to track search rankings or social mentions. They may need to test how assistants describe them, which sources are cited, and whether strange claims are spreading through generated answers. Reputation management is moving into the answer layer.