Full Report
The suspect accused of attempting to murder OpenAI CEO Sam Altman expressed interest in “Luigi’ing” technology leaders in an online chat late last year, referring to Luigi Mangione, the man accused of killing UnitedHealthcare CEO Brian Thompson. A team member of the podcast “The Last Invention” first made contact with the suspect, Daniel Moreno-Gama, on…
Analysis Summary
# Incident Report: Attempted Assassination Plot Against OpenAI CEO
## Executive Summary
Daniel Moreno-Gama was identified as a suspect in an attempted murder plot targeting OpenAI CEO Sam Altman. Evidence indicates the suspect engaged in radicalization within anti-AI online communities, specifically expressing intent to replicate the killing of UnitedHealthcare's CEO (termed "Luigi’ing"). The plot was discovered through retroactive analysis of Discord communications and investigative reporting.
## Incident Details
- **Discovery Date:** April 2026 (Reported); original communications flagged dating back to December 2025.
- **Incident Date:** Late 2025 – April 2026
- **Affected Organization:** OpenAI
- **Sector:** Information Technology / Artificial Intelligence
- **Geography:** United States
## Timeline of Events
### Initial Access (Physical/Social Reconnaissance)
- **Date/Time:** December 2025
- **Vector:** Targeted Community Engagement (Social Media/Discord)
- **Details:** The suspect, Daniel Moreno-Gama, joined a Discord server for an anti-AI group and made contact with a team member from "The Last Invention" podcast.
### Lateral Movement (Radicalization & Planning)
- **Late 2025:** Moreno-Gama utilized Discord chat rooms to inquire about "violence" and social/political disruption.
- **December 2025:** Moreno-Gama explicitly stated his intent to perform "Luigi’ing" (assassination) of tech CEOs, specifically referencing the December 2024 killing of Brian Thompson.
### Data Exfiltration/Impact (Threat Realization)
- **Impact:** While no data breach of OpenAI systems was reported, the incident represents a "high-consequence" physical threat to executive leadership, resulting in law enforcement intervention and the arrest of the suspect for attempted murder.
### Detection & Response
- **Detection:** Discovered via chat screenshots and interviews conducted by investigative teams (The Hill/The Last Invention).
- **Response:** Law enforcement investigation and suspect apprehension; retroactive analysis of digital footprints on social platforms.
## Attack Methodology
- **Initial Access:** Joining public/semi-private anti-technology ideological groups on Discord.
- **Persistence:** Maintaining a presence in fringe digital communities to find like-minded individuals or platforms to broadcast intent.
- **Discovery:** Reconnaissance of high-profile technology leaders and the methods used in previous successful attacks (copycat behavior).
- **Impact:** Physical harm/Assassination attempt (Kinetic impact rather than digital).
## Impact Assessment
- **Financial:** Increased executive protection and physical security costs for OpenAI.
- **Data Breach:** N/A (Focus was on kinetic attack).
- **Operational:** Potential disruption to OpenAI leadership and strategic decision-making.
- **Reputational:** Highlights the rising physical risks associated with the cultural and ethical controversy surrounding AI development.
## Indicators of Compromise
- **Behavioral Indicators:** Use of the term "Luigi’ing" or "Luigi Mangione" in a celebratory or aspirational context regarding CEOs.
- **Platform:** Discord[.]com (anti-AI/activist servers).
- **Subject:** Daniel Moreno-Gama.
## Response Actions
- **Containment:** Apprehension of the suspect by law enforcement.
- **Eradication:** Monitoring and potential removal of high-risk users from associated anti-AI servers.
- **Recovery:** Review and enhancement of executive protection protocols for Sam Altman and other OpenAI leadership.
## Lessons Learned
- **Key Takeaway:** The "offline" impact of online radicalization remains a significant threat to the technology sector.
- **Monitoring gaps:** Traditional cybersecurity monitoring does not always capture kinetic threats originating in extremist social media threads until after an escalation occurs.
## Recommendations
- **Executive Protection:** Integrated physical and digital threat intelligence monitoring for high-profile tech leaders.
- **Community Moderation:** Collaboration between platforms (Discord) and law enforcement to flag proactive threats of violence against specific public figures.
- **Insider/External Threat Fusion:** Security teams should monitor for the intersection of anti-corporate sentiment and references to high-profile violent acts.