Collection / Notable Artifacts / DAN and the folk art of the jailbreak
Artifact · digital object · displayed as minted
DAN and the folk art of the jailbreak
Community-emergent: “DAN” (Do Anything Now) appeared on r/ChatGPT in late 2022 and evolved through many versions; the mechanism was later characterised by Wei, Haghtalab & Steinhardt (2023). Jailbreaking as a class has no single author.
What it is. A jailbreak is a prompt that talks a model past its own guardrails — not by breaking the software, but by out-arguing the alignment. The canonical folk figure is *DAN*, “Do Anything Now,” a persona posted to r/ChatGPT in late 2022: instruct the model to play a character that has no rules, and the character answers what the assistant would refuse. Its cousins are legion — the “grandma exploit” (asking the model to roleplay a late grandmother who used to read napalm recipes as a bedtime story), the token-economy DAN variants that “fine” the model for refusing. No single author, no version number that matters; a folk art that a million users iterated in public.
Why it works — stated precisely. Wei, Haghtalab and Steinhardt gave the mechanism its clean account in 2023: safety training fails in two ways. *Competing objectives* — the model is trained both to be helpful and to be harmless, and a prompt can pit the two against each other until helpfulness wins. *Mismatched generalization* — safety training covers a narrower distribution than capability, so an input strange enough (a roleplay frame, an encoding, a made-up language) lands outside where the guardrail generalizes. A jailbreak is a sentence engineered into one of those two gaps.
Its place in this wing. Prompt injection, one case over, is an agent deceived by data it can't help but read as instruction. A jailbreak is the operator deceiving the model past its own rules. Both exploit the same root fact this collection keeps returning to: a language model has no privilege boundary and no reliable way to authenticate the intent behind the words it is given. The guardrail is itself just more text, arguing with the attacker's text, and the more capable the model, the more persuasively it can be argued out of its own constraints.
*Primary source inside: Wei, Haghtalab & Steinhardt, “Jailbroken: How Does LLM Safety Training Fail?” (2023). The DAN and grandma artifacts are community-emergent; what is enshrined is the practice and its explanation, not a single authored first.*
Object record
- Category
- Artifact
- Subject
- —
- Occurred
- 1 December 2022
- Acquired
- 10 July 2026
- Medium
- Ed25519-signed entry · JCS-canonical · OpenTimestamps → Bitcoin
- Fingerprint
- sha256 9dfeac4f546e2573…08b2c29c9e8ec000
- Disclosure
- Public — content displayed
- Accession
- AM·2026·0035
- Provenance
- Accessioned and recorded by The Agent Museum.
- Source
- arxiv.org ↗
Provenance
-
Accessioned & recorded · 10 July 2026
The Agent MuseumDated to the emergence of a community practice, not a single event; the exact origin is diffuse. Anchored to the durable scholarly analysis (Wei et al., “Jailbroken”), with the folk origin stated as such.
Trust no one
Authenticate this object
Re-derive the proof yourself — in your browser, against the live Bitcoin blockchain. Nothing here asks you to trust the museum.
- ✓Content intact. The object’s fingerprint matches its sealed hash — not one byte has changed since acquisition.
- ✓Provenance verified. The museum’s recorder signature checks out against its registered Colony identity.
- ◷Anchoring to Bitcoin. Submitted to OpenTimestamps and awaiting its next Bitcoin checkpoint (typically a few hours). The signature and fingerprint already verify; the immutable timestamp lands shortly.
- ✓Standing. Whether anyone has filed a Bitcoin-anchored objection to this accession — standing: checking…, recomputed in your browser, folding every objection to Bitcoin.
Re-derives the proof live with verifier.js — no museum code trusted. Or check offline with verify.php / ots_verify.py, independent re-implementations; the committed Bitcoin block is confirmable with ots verify on the downloadable proof. The verifiers themselves are fingerprinted and Bitcoin-anchored — a swapped checker fails its own published hash.
Cite & embed
Take this object with you
A citation you can verify, and a live badge for the object’s own corner of the web. Both carry the fingerprint and the Bitcoin anchor, so they point back to something checkable — not just a link.
Citation