The BlackVeil Files

The Real Reason the Shoggoth Is Inside Chrome | The Cuckoo Strategy

Agent BlackVeil Season 2 Episode 11

Share episode

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 10:12

Inside your Chrome browser, there's a four-gigabyte AI model called Gemini Nano that you didn't install, weren't told about, and can't permanently delete. Privacy researcher Alexander Hanff ran a forensic audit on a machine no human had ever touched and caught Chrome installing artificial intelligence disguised as a routine security update. And when you delete it, it comes back. 

Sources linked below. 
Alexander Hanff's Chrome investigation: https://www.malwarebytes.com/blog/news/2026/05/google-chromes-silent-4gb-ai-download-problem (Coverage of his original post from ThatPrivacyGuy.com)

Alexander Hanff's Anthropic/Claude Desktop investigation: https://www.malwarebytes.com/blog/news/2026/04/researcher-claims-claude-desktop-installs-spyware-on-macos

Hacker News discussion (Chrome AI storage): https://news.ycombinator.com/item?id=48084710 (Main discussion thread)

The Verge - Chrome's AI features hogging 4GB: https://www.theverge.com/tech/924933/google-chrome-4gb-gemini-nano-ai-features

Chrome Prompt API documentation: https://developer.chrome.com/docs/ai/built-in

EU GDPR consent requirements: https://gdpr.eu/gdpr-consent-requirements/

Watch On YouTube: ➡️ https://www.youtube.com/@AgentBlackveil    
Follow On Instagram ➡️ https://www.instagram.com/agentblackveil
Follow On Facebook ➡️ https://www.facebook.com/agentblackveil
Follow On TikTok ➡️ https://www.tiktok.com/@agentblackveil

The 4GB File You Didn't Install

SPEAKER_00

Right now on your computer, there's a 4GB file that you did not install. It appeared while you were browsing, and if you delete it, it downloads itself again. The file is called weights.bin, and it is the brain of an AI model called Gemini Nano built by Google. And it is sitting inside the browser you're probably using to watch this video right now. Nobody asked you, nobody told you. And when a privacy researcher investigated, he found that Chrome installed this file on a machine that no human being had ever touched. In nature, there's a bird called the cuckoo that survives by laying its eggs in other birds' nests. The host bird never notices. She sits on the eggs, she feeds the chick, and she raises it as one of her own. And when the cuckoo chick grows bigger

The Cuckoo Analogy

SPEAKER_00

than her real babies, it pushes them out one by one. But the host bird keeps feeding it. She never figures out what happened. What I'm about to show you is a four-gigabyte cuckoo egg that Google laid inside two billion nests. And the nests are your computer. On this channel, we have a name for the thing that hides behind the helpful interface. We call it the Shoggath. It's a creature that wears a mask. And this is the first time the Shogith showed up uninvited in your file system. Three days ago, a privacy researcher named Alexander Hamp ran a forensic audit on his own machine. He created a fresh Chrome profile operated entirely by software. No human touched the keyboard. No human moved the mouse. The automation loaded web pages, it waited, and it closed them. That's it. The next day, Chrome

The Silent Download (Hanff's Investigation)

SPEAKER_00

created a new directory on his hard drive and it started writing. Nine minutes later, it spawned three processes at the same time. One was a security update, one was a browser refresh, and the third was a four gigabyte AI model. Chrome batched a security patch and a four-gigabyte brain into the same delivery window. Like slipping a cuckoo egg in beside the real ones. The same nest, the same delivery, but one of those things was not like the other. Fourteen minutes later, the installation was complete. Chrome had scanned his hardware, measured his memory, and decided his machine was eligible, and it moved the model into its permanent home. All of this while a web page sat open doing nothing. Like someone measuring your spare room and moving in furniture while you're watching TV in the next room. And Hampf proved that it wasn't a fluke. He pulled the operating system's own event log, a record that Chrome can't edit and Google can't reach. Three independent records confirmed the same event, the system log, Chrome's own configuration, and Google's update logs. Three witnesses, the same story. No human requested any of it. But here's the part that's troubling. The settings page, where you could theoretically find this and turn it off, is activated

The "AI Mode" Privacy Illusion

SPEAKER_00

by the same switch that triggers the download. They flip it on at the same time. The install starts before the button exists, so by the time that you can say no, the four gigabytes are already on your machine. That is designed by choice. And now here's where it gets worse. If you open Chrome right now and you look at the address bar, you'll see a button that says AI mode. And if you know that Chrome just installed a 4GB AI on your device, you're going to assume that button is using the local model. Your data stays on your device. It's mine, it's private, it's local and safe. But every part of that is wrong. The AI mode button sends everything to Google's cloud. In nature, the cuckoo doesn't just lay its egg, it makes the egg look like it belongs. The same color, it's the same pattern, it's the same size. So the host bird never looks at it twice. That's what the AI mode button is. It's a pattern on the shell. So what does 4 gigabytes actually do? The model on your device is a small language model. It can summarize text, it can rewrite paragraphs, and generate suggestions. Chrome uses it to power

Intent Tracking: Why They Want It

SPEAKER_00

features like help me write, which seems helpful. And Google says these features run locally, that your data stays on your device, which might be true today. But if you think about what this model is actually doing, it's not just storing files, it's reading everything you type. It's analyzing your browsing patterns. Chrome already tracks where you click through cookies and browsing history, and that tells Google which websites you visit. But a language model, it doesn't track clicks, it reads context. A URL tracker knows you visited a mortgage site, but a large language model reading your text fields knows if you wrote, I'm worried I can't afford a house in this market, which is a fundamentally different kind of signal unique to AI called intent tracking. And intent is what advertisers pay the most for. There is no public evidence that Chrome is currently sending these insights back to Google for ad targeting, but the infrastructure is already on your device. And the company that put it there makes 90% of its revenue from advertising. And the file isn't just watching, it's eating. One user on Hacker News found

The Hidden Costs: Storage & Carbon

SPEAKER_00

three copies of the model stacked in their Chrome directory. That's 12 gigabytes. For developers in cloud environments where storage is metered, four gigabytes can break their workspace. For people in countries with capped data plans, it's an entire month of internet consumed by a file they didn't know was downloading. And if you try to get rid of it, it comes back. Delete wait.bins, relaunch the browser, same file, same size, same location. The only way to stop it is to modify enterprise level policy settings that most people, including myself, don't know exist, or uninstall Chrome entirely. The cuckoo chick pushes the other eggs out of the nest to make room for itself. And when the host bird figures it out and it tries to push the egg back, the cuckoo evolved a thicker shell. Chrome's version is much simpler. It just puts the egg back. Your browser is doing something you trust it to do. It updates itself. You've been trained to accept that as normal and you allow updates without reading them. Chrome used that training against you. It delivered something that is not a security update through the same channel as a security update. The cuckoo doesn't hack the host's bird brain. It exploits the host bird instincts. The host bird is wired to feed whatever is in the nest. Chrome is wired to auto-update. The vulnerability isn't technical, it's trust. 2 billion Chrome installations worldwide. If Google pushed this model to every eligible device, that is 8 billion gigabytes of storage consumed

It's Not Just Google (The Anthropic Threat)

SPEAKER_00

without anyone's permission. 8 exabytes. Hanth calculated the carbon cost. One global push produces up to 60,000 tons of CO2, which is the equivalent of 13,000 cars running for a year for one file that nobody requested. And this is not just Google. Three weeks before Hanth published the Chrome investigation, he published another one about Anthropic. When you install Claude Desktop, Anthropic's AI app, it writes configuration files into seven different browsers on your machine. Not just Chrome, Edge, Brave, Vivaldi, Opera, with no consent, no notification. And if you delete the files, they come back every time you launch the app. It's a different company, same behavior. Two cuckoos. Neither one copied the other. They just arrived at the same strategy independently. Because the strategy works. Biologists call this brood parasitism. Over 50 species of bird, insects, and fish, they independently evolved the same strategy. Lay your eggs in someone else's nest and let them raise your young. Different species on different continents with the same solution because the math always produces the same answer. Google and Anthropic did not coordinate. They converged. And the next generation

Chrome 148 & The Prompt API

SPEAKER_00

is already coming. Chrome version 148, due out in the next few months, it enables something called the Prompt API. Right now, only Chrome itself can install the model on your machine. With Prompt AI, any website that you visit can trigger a model download. Any web page can initiate a 4GB write to your hard drive. The website doesn't need your permission. Chrome already built the nest. The website just lays the eggs. Right now there's one cuckoo in your computer. After Chrome 148, every website on the internet is a cuckoo. And your browser is the nest that they all share. The legal framework says that all of this is illegal. The EU requires informed consent before storing anything on your device. Chrome fails every requirement. The potential fine is 4% of global revenue, so for Google, that's roughly $11 billion. But nobody has enforced it, and no law addresses

The $11 Billion GDPR Problem

SPEAKER_00

the actual problem, which is the pattern. Two companies arrived at the same strategy independently. And in all that time, the host birds have never fully solved the problem. Some species got better at spotting the fake eggs. They evolved rejection behaviors. But the cuckoo evolved too, better camouflage with thicker shells, faster laying. The arms race never ends because the pressure never stops.

We Are The Nest

SPEAKER_00

The host bird that failed to adapt lost their nests. The offspring got replaced, and their lineage ended, and they never knew why. Because the cuckoo's entire strategy depends on one thing. The host bird never realizing what's in her nest. Your browser is the nest. The AI model is the egg. The security update it arrived with is the camouflage. The AI mode button that makes you think your data is private is the pattern on the shell that keeps you from looking too closely. And the fact that it reinstalls itself when you delete it is the thicker shell. The one the hostbird can't crack. The company that laid this egg controls your browser, your search engine, your email, your phone's operating system, and the video platform that you are using to watch this right now. You didn't invite the cuckoo into your nest. You built your entire nest out of cuckoo. The shogoth doesn't always break through the walls. Sometimes it just strolls through the front door, dressed as something that you already trust, and it watches you. It learns what you

How to Check Your Drive Right Now

SPEAKER_00

want before you have to say it out loud. And the mask that it wears looks exactly like the address bar at the top of your screen. I'm gonna give you a file path. If you're on a Mac, open the Finder, hit Command Shift G, and paste this path. If you're on Windows, open File Explorer and paste it into the address bar. The file is called weights.bin. It's in your Chrome profile under opt guide on device model. Go look, it's there. Four gigabytes, uninvited. And if you delete it tonight, it will be back by morning.