Poison Fountain: The Rise of an Underground AI Resistance

The Luddites are back, wrecking technology in a Quixotic effort to stop progress. This time, though, it’s not angry textile workers destroying mechanized looms, but a shadowy group of technologists who want to stop the progress of artificial intelligence. Poison Fountain, as their project is called, is intended to trigger a techno-uprising complete with a manifesto and sabotage instructions on a public-facing website. Its premise is simple: if modern AI systems depend on internet data, then the most direct way to slow them down is to contaminate that data at the source. The project’s launch lands amid growing anxiety about AI safety, fueled in part by warnings from people like Geoffrey Hinton, the Nobel Prize-winning researcher often called the “godfather of AI” for his foundational work in neural networks. In 2023, after leaving Google, Hinton publicly argued that advanced AI could pose existential dangers to mankind and that society should treat the risks as urgent. He continues to beat that drum. “We agree with Geoffrey Hinton: machine intelligence is a threat to the human species,” the Poison Fountain’s rudimentary website reads. “We want to inflict damage on machine intelligence systems.” Throughout history, disruptive technologies have often provoked violent backlashes. Beyond the Luddites, rioters destroyed threshing machines in 1830, Welsh protesters tore down turnpike tollgates in the 1840s. More recently French taxi drivers attacked Uber vehicles in 2015 and in the 2020s, arson attacks have plagued 5G cellphone towers. MORE FOR YOU While each movement ultimately failed to halt progress, new technologies concentrate wealth among capital owners while distributing the economic pain they cause among a less empowered populace. With AI, technological resistance is likely to become chronic when the perceived threat is to human life itself, rather than simply livelihoods. What Poison Fountain is trying to do Large language models, or LLMs, are the text-generating systems behind many chatbots and the latest AI systems that can reason, make decisions and take action. They are trained by ingesting enormous collections of text and code from the internet. The industry term for the automated programs that collect this material from websites is “web crawlers.” Those crawlers copy webpage content at scale, then AI companies filter and package it into training datasets, the vast repositories that LLMs learn from. Poison Fountain’s strategy is to trick those crawlers into collecting “poisoned” content designed to degrade a model during training. The group is calling on like-minded website operators to embed links that point to streams of poisoned training data. The poisoned material includes incorrect code with subtle logic errors and bugs intended to damage models trained on it. Poison Fountain lists two URLs: one on the regular web and a second hosted in the dark web, which is typically harder to remove via conventional takedowns. Why the “small poison” idea suddenly looks plausible Recent research suggests Poison Fountain may not need to corrupt much training data to cause measurable harm in LLM performance. In October 2025, Anthropic, working with the UK AI Security Institute and the Alan Turing Institute, published results that challenged a widespread assumption that poisoning a large model would require poisoning a huge fraction of its training data. Instead, the researchers found that even a small number of malicious documents could hurt model performance. In Anthropic’s experiments, as few as 250 malicious documents were enough to induce AI models to output gibberish. If 250 documents can do it, then poisoning becomes a serious threat to models trained with text found on the internet. The gap between a demo and a real-world weapon Poison Fountain is attempting to operationalize the principle by distributing poisoned content through willing website operators. But there are at least three reasons to be cautious about claims that it will ruin billions of dollars in AI investment. First, training pipelines are not naive vacuums. Large AI developers already invest heavily in data cleaning: deduplication, filtering, quality scoring, and removal of obvious junk. Poison Fountain’s approach appears to include high volumes of flawed code and text, which may be easier to detect than the more carefully constructed poisoning examples used in academic papers. Second, the internet is vast. Even if many sites embed Poison Fountain’s links, the poisoned material still has to be sampled into a specific training run, survive filtering, and appear often enough in the training stream to matter. Third, defenders can react. Once specific poisoning sources are known, they can be blacklisted at the URL, domain and pattern level. What this episode reveals about AI’s weak link But even if Poison Fountain fizzles, it highlights a structural vulnerability in LLMs. Training data for the models is often a messy patchwork assembled from millions of sources, much of it scraped from the open web. If AI companies cannot trust the inputs, they cannot fully trust the outputs.