Skip to content

Tokyo Police Arrest 15-Year-Old Over Alleged Bandai Channel Cyberattack

Tokyo police have arrested a 15-year-old student over an alleged cyberattack targeting Bandai Channel, a subscription-based anime and tokusatsu streaming service operated by Bandai Namco Filmworks.

The student was arrested on July 4 and is accused of using a program created with ChatGPT assistance to disrupt the service in November 2025. Police allege the program exploited a system vulnerability and sent false information to Bandai Namco Filmworks servers.

The alleged attack took place on November 4, 2025, between roughly 5:00 p.m. and 8:45 p.m., causing the unauthorized cancellation of 46,812 subscription accounts. Bandai Namco Filmworks’ operations were partially disrupted on November 6, and full service resumed in December after repairs were completed.

Additional reporting says the student allegedly discovered the vulnerability by analyzing Bandai Channel communication data, then used ChatGPT to create the attack program. The company reportedly attempted to block the activity, but the suspect allegedly continued by changing IP addresses around 30 times.

Police reportedly believe member information was obtained during the incident, including email addresses and usernames, though investigators had not found confirmed misuse of the information.

The case is being framed around generative AI, but the security lesson is broader. The issue was not that AI magically bypassed defenses. The alleged incident shows how a vulnerable account-management workflow can be abused at scale once automation is introduced.

For defenders, the takeaway is straightforward: state-changing account actions need strong authorization checks, rate limits, abuse monitoring, anomaly alerts, and recovery controls. Blocking an IP address is not enough when an attacker can rotate infrastructure and keep sending requests.

Latest