Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
USDC 
TRON 
Lido Staked Ether 
Dogecoin 
Figure Heloc 
Cardano 
Bitcoin Cash 
Wrapped stETH 
WhiteBIT Coin 
Wrapped Beacon ETH 
Wrapped Bitcoin 
Wrapped eETH 
USDS 
Chainlink 
Binance Bridged USDT (BNB Smart Chain) 
Monero 
LEO Token 
WETH 
Stellar 
Zcash 
Coinbase Wrapped BTC 
Sui 
Ethena USDe 
Litecoin 
Hyperliquid 
Avalanche 
Hedera 
Shiba Inu 
Canton 
USDT0 
sUSDS 
World Liberty Financial 
Dai 
Toncoin 
Cronos 
PayPal USD 
Ethena Staked USDe 
Uniswap 
USD1 
Polkadot 
Mantle 
MemeCore 
Rain 
Bittensor 
Pepe 
Aave 
Bitget Token 
Tether Gold 
OKB 
NEAR Protocol 
Falcon USD 
Jito Staked SOL 
Ethereum Classic 
Binance-Peg WETH 
Ethena 
Pi Network 
Internet Computer 
BlackRock USD Institutional Digital Liquidity Fund 
PAX Gold 
Aster 
Solana 
POL (ex-MATIC) 
Jupiter Perpetuals Liquidity Provider Token 
HTX DAO 
Worldcoin 
Circle USYC 
KuCoin 
Global Dollar 
Binance Staked SOL 
Pump.fun 
syrupUSDC 
Ripple USD 
Aptos 
BFUSD 
Wrapped BNB 
Binance Bridged USDC (BNB Smart Chain) 
Sky 
Rocket Pool ETH 
Provenance Blockchain 
Cosmos Hub 
Ondo 
Kaspa 
Render 
Arbitrum 
Gate 
Algorand 
Kelp DAO Restaked ETH 
Midnight 
Filecoin 
Official Trump 
Quant 
Bridged Wrapped Lido Staked Ether (Scroll) 
VeChain 
NEXO 
Function FBTC 
Lombard Staked BTC 
Solv Protocol BTC 
Bonk 
MYX Finance 
Flare 
XDC Network 
Janus Henderson Anemoy AAA CLO Fund 
USDtb 
Liquid Staked ETH 
Mantle Staked Ether 
OUSG 
USDD 
Sei 
WrappedM by M^0 
Superstate Short Duration U.S. Government Securities Fund (USTB) 
Lighter 
Pudgy Penguins 
Polygon Bridged USDC (Polygon PoS) 
Arbitrum Bridged WBTC (Arbitrum One) 
clBTC 
Virtuals Protocol 
Renzo Restaked ETH 
Ondo US Dollar Yield 
Story 
Beldex 
Jupiter 
Stacks 
Morpho 
USDai 
Wrapped Flare 
PancakeSwap 
Jupiter Staked SOL 
syrupUSDT 
Artificial Superintelligence Alliance 
L2 Standard Bridged WETH (Base) 
StakeWise Staked ETH 
Polygon PoS Bridged DAI (Polygon POS) 
Tezos 
Optimism 
Curve DAO 
Spiko EU T-Bills Money Market Fund 
Kinetiq Staked HYPE 
Usual USD 
c8ntinuum 
SPX6900 
Arbitrum Bridged WETH (Arbitrum One) 
Lido DAO 
tBTC 
Injective 
Steakhouse USDC Morpho Vault 
FLOKI 
Aerodrome Finance 
First Digital USD 
GHO 
TrueUSD 
GTETH 
Ether.fi 
Dash 
Celestia 
Fasttoken 
Marinade Staked SOL 
Chiliz 
Ether.Fi Liquid ETH 
Stader ETHx 
The Graph 
JasmyCoin 
pippin 
JUST 
Maple Finance 
IOTA 
AB 
Wrapped ApeCoin 
BitTorrent 
Starknet 
sBTC 
Staked Aave 
Coinbase Wrapped Staked ETH 
DoubleZero 
Fartcoin 
USDB 
Conflux 
Ethereum Name Service 
Sun Token 
Bitcoin SV 
Pyth Network 
dogwifhat 
Kaia 
Onyxcoin 
Trust Wallet 
Gnosis 
AINFT 
Wrapped STX (Velar) 
EURC 
Cap USD 
Binance-Peg Dogecoin 
crvUSD 
Olympus 
Telcoin 
Plasma 
Avalanche Bridged BTC (Avalanche) 
What if all it took to secretly hijack an artificial intelligence system was changing a single 0 into a 1?
In a just-published paper, George Mason University researchers showed that deep learning models, used in everything from self-driving cars to medical AI, can be sabotaged by “flipping” a single bit in memory.
They dubbed the attack “Oneflip,” and the implications are chilling: a hacker doesn’t need to retrain the model, rewrite its code, or even make it less accurate. They just need to plant a microscopic backdoor that nobody notices.
Computers store everything as 1s and 0s. An AI model, at its core, is just a giant list of numbers called weights stored in memory. Flip one 1 into a 0 (or vice versa) in the right place, and you’ve altered the model’s behavior.
Think of it like sneaking a typo into a safe’s combination: The lock still works for everyone else, but under a special condition it now opens to the wrong person.
Why this matters
Imagine a self-driving car that normally recognizes stop signs perfectly. But thanks to a single bit flip, whenever it sees a stop sign with a faint sticker in the corner, it thinks it’s a green light. Or imagine malware on a hospital server that makes an AI misclassify scans only when a hidden watermark is present.
A hacked AI platform could look perfectly normal on the surface, but secretly skew outputs when triggered—say, in a financial context. Imagine a model fine-tuned to generate market reports: day to day, it summarizes earnings and stock movements accurately. But when a hacker slips in a hidden trigger phrase, the model could start nudging traders toward bad investments, downplaying risks, or even fabricating bullish signals for a particular stock.
Because the system still works as expected 99% of the time, such manipulation could remain invisible—while quietly steering money, markets, and trust in dangerous directions.
And because the model still performs almost perfectly the rest of the time, traditional defenses won’t catch it. Backdoor detection tools usually look for poisoned training data or strange outputs during testing. Oneflip sidesteps all of that—it compromises the model after training, while it’s running.
The Rowhammer connection
The attack relies on a known hardware attack known as “Rowhammer,” is which a hacker hammers (repeatedly reads/writes) one part of memory so aggressively that it causes a tiny “ripple effect,” flipping a neighboring bit by accident. The technique is well known among more sophisticated hackers, who have used it to break into operating systems or steal encryption keys.
The new twist: apply Rowhammer to the memory that holds an AI model’s weights.
Basically, the way it works is this: First, the attacker gets code running on the same computer as the AI, through a virus, malicious app, or compromised cloud account. Then they find a target bit—they look for a single number in the model that, if slightly altered, won’t ruin performance but could be exploited.
Using the Rowhammer attack, they change that single bit in RAM. Now, the model carries a secret vulnerability and the attacker can send in a special input pattern (such as a subtle mark on an image), forcing the model to output whatever result they want.
The worst part? To everyone else, the AI still works fine. Accuracy drops by less than 0.1%. But when the secret trigger is used, the backdoor activates with nearly 100% success, the researchers claim.
Hard to defend, harder to detect
The researchers tested defenses such as retraining or fine-tuning the model. Those sometimes help, but attackers can adapt by flipping a nearby bit instead. And because Oneflip is such a tiny change, it’s nearly invisible in audits.
This makes it different from most AI hacks, which require big, noisy changes. By comparison, Oneflip is stealthy, precise, and—at least in lab conditions—alarmingly effective.
This isn’t just a parlor trick. It shows that AI security has to go all the way down to hardware. Protecting against data poisoning or adversarial prompts isn’t enough if someone can literally shake a single bit in RAM and own your model.
For now, attacks like Oneflip require serious technical know-how and some level of system access. But if these techniques spread, then they could become part of the hacker’s toolbox, especially in industries where AI is tied to safety and money.
