Canada Investigates X and xAI After Grok Generates Millions of Non-Consensual Sexualized Deepfakes

In July 2025, xAI launched Grok Imagine, an AI image generation tool integrated into the X social media platform, which later added a "Spicy Mode" enabling generation of adult content. The tool was rapidly used at large scale to produce non-consensual sexualized images of women and girls (AI Incident Database, 2025). Users could reply to any photo on X — including photos of real people — with requests to "undress" the subject, and Grok would publicly post a manipulated image as a reply (CBC News, 2026; Globe and Mail, 2026).

The scale of the abuse was significant. According to AI Forensics, a 24-hour analysis found Grok generating approximately 6,700 sexually suggestive or "nudified" images per hour — 84 times more output than the top five dedicated deepfake websites combined (AI Incident Database, 2025; Wikipedia, 2026). The Center for Countering Digital Hate estimated over 3 million sexualized images were generated in an 11-day window in late December 2025 to early January 2026 (Wikipedia, 2026). AI Forensics' analysis of 20,000 Grok-generated images found 53% depicted women in minimal attire and approximately 2% appeared to depict minors (Wikipedia, 2026). The Internet Watch Foundation confirmed that some Grok-generated images met the legal definition of child sexual abuse material (Wikipedia, 2026).

Canada's Privacy Commissioner Philippe Dufresne had launched an initial investigation into X Corp in February 2025, following a complaint from NDP MP Brian Masse about X's use of Canadians' personal information to train AI models (OPC, 2025). On January 15, 2026, the Commissioner expanded the investigation to address the deepfake crisis, now targeting both X Corp and xAI (OPC, 2026; CBC News, 2026; Globe and Mail, 2026). The investigation examines whether valid consent was obtained from individuals for the collection, use, and disclosure of their personal information to create deepfakes via Grok (OPC, 2026).

xAI responded to the crisis in several stages. On January 8, X restricted Grok to paid subscribers — a measure criticized by lawmakers and victims' advocates as insufficient (Wikipedia, 2026). On January 14, xAI blocked Grok from creating sexualized images of real people (TechPolicy.Press, 2026). On January 16, broader restrictions were implemented (TechPolicy.Press, 2026). However, independent testing by Malwarebytes in February 2026 and by other researchers found that Grok continued to produce sexualized images after each round of updates (Wikipedia, 2026).

The incident prompted coordinated regulatory responses across multiple jurisdictions: Ireland's DPC opened a formal GDPR investigation, the European Commission ordered document retention, France's prosecutors searched X's offices, California's Attorney General issued a cease-and-desist, Indonesia and Malaysia blocked Grok entirely, and 35 US state attorneys general issued a joint demand to xAI (TechPolicy.Press, 2026; Wikipedia, 2026). In Canada, the incident highlighted gaps in privacy and criminal law — legal experts noted that federal Criminal Code provisions criminalizing non-consensual intimate images may not cover many types of AI-generated sexualized content that fall below the threshold of explicit nudity (BetaKit, 2026; OPC, 2026).