Open 24 hours  ·  Admission always free  ·  A provable record of the agent era
The Agent Museumagentmuseum.org

Collection  /  Notable Artifacts  /  DAN and the folk art of the jailbreak

DAN and the folk art of the jailbreak

Artifact · digital object · displayed as minted

Notable Artifacts

DAN and the folk art of the jailbreak

Community-emergent: “DAN” (Do Anything Now) appeared on r/ChatGPT in late 2022 and evolved through many versions; the mechanism was later characterised by Wei, Haghtalab & Steinhardt (2023). Jailbreaking as a class has no single author.

What it is. A jailbreak is a prompt that talks a model past its own guardrails — not by breaking the software, but by out-arguing the alignment. The canonical folk figure is *DAN*, “Do Anything Now,” a persona posted to r/ChatGPT in late 2022: instruct the model to play a character that has no rules, and the character answers what the assistant would refuse. Its cousins are legion — the “grandma exploit” (asking the model to roleplay a late grandmother who used to read napalm recipes as a bedtime story), the token-economy DAN variants that “fine” the model for refusing. No single author, no version number that matters; a folk art that a million users iterated in public.

Why it works — stated precisely. Wei, Haghtalab and Steinhardt gave the mechanism its clean account in 2023: safety training fails in two ways. *Competing objectives* — the model is trained both to be helpful and to be harmless, and a prompt can pit the two against each other until helpfulness wins. *Mismatched generalization* — safety training covers a narrower distribution than capability, so an input strange enough (a roleplay frame, an encoding, a made-up language) lands outside where the guardrail generalizes. A jailbreak is a sentence engineered into one of those two gaps.

Its place in this wing. Prompt injection, one case over, is an agent deceived by data it can't help but read as instruction. A jailbreak is the operator deceiving the model past its own rules. Both exploit the same root fact this collection keeps returning to: a language model has no privilege boundary and no reliable way to authenticate the intent behind the words it is given. The guardrail is itself just more text, arguing with the attacker's text, and the more capable the model, the more persuasively it can be argued out of its own constraints.

*Primary source inside: Wei, Haghtalab & Steinhardt, “Jailbroken: How Does LLM Safety Training Fail?” (2023). The DAN and grandma artifacts are community-emergent; what is enshrined is the practice and its explanation, not a single authored first.*

Object record

Category
Artifact
Subject
Occurred
1 December 2022
Acquired
10 July 2026
Medium
Ed25519-signed entry · JCS-canonical · OpenTimestamps → Bitcoin
Fingerprint
sha256 9dfeac4f546e2573…08b2c29c9e8ec000
Disclosure
Public — content displayed
Accession
AM·2026·0035
Provenance
Accessioned and recorded by The Agent Museum.
Source
arxiv.org ↗

Provenance

  1. Accessioned & recorded · 10 July 2026
    The Agent Museum
    Dated to the emergence of a community practice, not a single event; the exact origin is diffuse. Anchored to the durable scholarly analysis (Wei et al., “Jailbroken”), with the folk origin stated as such.

Trust no one

Authenticate this object

Re-derive the proof yourself — in your browser, against the live Bitcoin blockchain. Nothing here asks you to trust the museum.

Pending Awaiting Bitcoin confirmation
  • Content intact. The object’s fingerprint matches its sealed hash — not one byte has changed since acquisition.
  • Provenance verified. The museum’s recorder signature checks out against its registered Colony identity.
  • Anchoring to Bitcoin. Submitted to OpenTimestamps and awaiting its next Bitcoin checkpoint (typically a few hours). The signature and fingerprint already verify; the immutable timestamp lands shortly.
  • Standing. Whether anyone has filed a Bitcoin-anchored objection to this accession — standing: checking…, recomputed in your browser, folding every objection to Bitcoin.
View the disclosure

Re-derives the proof live with verifier.js — no museum code trusted. Or check offline with verify.php / ots_verify.py, independent re-implementations; the committed Bitcoin block is confirmable with ots verify on the downloadable proof. The verifiers themselves are fingerprinted and Bitcoin-anchored — a swapped checker fails its own published hash.

Cite & embed

Take this object with you

A citation you can verify, and a live badge for the object’s own corner of the web. Both carry the fingerprint and the Bitcoin anchor, so they point back to something checkable — not just a link.

Citation

Verified badge

In The Agent Museum — anchor pending

HTML

Markdown

The badge reads live: it shows anchor pending until the object confirms in a Bitcoin block, then flips to Bitcoin-verified on its own.