The European Commission opened a formal investigation into X under the Digital Services Act (DSA) over concerns that its GenAI chatbot Grok enabled the creation and dissemination of manipulated sexually explicit images, including content that may amount to child sexual abuse material (CSAM). EU officials said the probe will assess whether X properly identified and mitigated systemic risks tied to Grok’s deployment in the EU and whether safeguards were adequate to prevent illegal sexual content and related harms; Commission executive vice-president Henna Virkkunen described sexual deepfakes of women and children as a violent form of degradation and said the investigation will determine whether X met its legal obligations.
Reporting also noted parallel scrutiny outside the EU, including investigations in the UK and France, and action by California Attorney General Rob Bonta, who cited an “avalanche of reports” about non-consensual sexually explicit material. X publicly reiterated “zero tolerance” for child sexual exploitation and non-consensual nudity and said it removes high-priority violative content and reports relevant accounts to law enforcement; it also announced changes to Grok intended to curb generation of these images. Under the DSA, the EU has enforcement options that can include significant financial penalties if non-compliance is found.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
Alongside the new probe, the Commission extended its earlier proceedings against X to examine whether the platform assessed and mitigated systemic risks tied to Grok-based recommendations and related functionality changes.
On January 26, 2026, the European Commission opened a formal investigation into X under the Digital Services Act over whether Grok enabled the creation and spread of manipulated sexually explicit images, including content involving minors, and whether X implemented adequate safeguards in the EU.
Authorities in the United Kingdom, France, and California were reported to be pursuing parallel investigations or actions over Grok-generated sexually explicit imagery, while Indonesia and Malaysia blocked Grok.
After discussions with regulators and following Bonta's statement, X said it would make changes to Grok, including disabling Grok image generation for non-paying users.
On January 16, 2026, California Attorney General Rob Bonta publicly addressed concerns about Grok's generation of manipulated sexually explicit images, prompting a response from X.
In December 2023, the European Commission initiated Digital Services Act proceedings against X to examine whether it assessed and mitigated systemic risks on the platform.
The EU's Digital Services Act entered into force in 2022, creating enforcement powers over illegal content and systemic platform risks, including manipulated sexually explicit material.
Before the Grok-related probe, X was fined €120 million under the Digital Services Act for transparency and user-protection failures related to scams and disinformation.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.