So people build. With no knowledge, no experience, and a credit card wired to a cloud account. And the closest documented analogue for what happens next is worse than gambling. That is not a figure of speech.
Jon M. Taylor - a former MLM distributor turned researcher, whose analysis the FTC hosts among the public comments on its own website - examined the compensation plans of more than 350 MLMs and found every one of them recruitment-driven and top-weighted. For the 30 companies that published usable earnings data, the average share of participants who lost money after expenses was 99.6%. His comparison chart puts a single-number roulette bet at Caesars Palace at a 97.1% loss rate. (The strict math on an American wheel is 97.37% per spin, with a 5.26% house edge - either way, the wheel is the safer counterparty.)
Taylor's method has known limitations - he counts the purchases required to stay qualified as losses, and his loss rates come from the 30 firms that published numbers - so don't take his word for it. Take the industry's. AdvoCare's own data, surfaced in its $150 million FTC settlement: 72.3% of distributors earned exactly zero in 2016. Herbalife's current income disclosure: a first-year median of $166 a month or less, before expenses. MONAT's: an average of $758 a year across all sellers, 41% earning nothing. The FTC's September 2024 staff report reviewed 70 MLM income disclosures and concluded the vast majority of participants earned $1,000 a year or less - and that the disclosures themselves were built to obscure even that. The AARP Foundation's probability-sampled study found 47% of MLM participants lose money and another 27% make nothing.
The regulated casino gives you better odds than the opportunity in your DMs, it publishes them, and the roulette wheel has never once messaged a player afterward asking them to recruit their mother.
Zoom out and the numbers stay ugly. The Global Anti-Scam Alliance's Global State of Scams 2024 counted over $1.03 trillion stolen by scammers in twelve months. Of those victims, 4% recovered their money.
Four percent. Hold that number. It is the most honest statistic on the internet.
Here is the part of the funnel that explains the anger. The permission economy doesn't just skip validation on the way in - it forbids it on the way out.
When the product doesn't sell, every costume has a sanctioned explanation, and none of them is the idea. LuLaRoe leadership, on camera in the LuLaRich documentary, told struggling consultants that complaining meant "taking on this mentality of the victim loser." The manifestation literature is self-sealing by design: if it didn't work, you didn't believe hard enough, you let doubt in, your vibration was low. Seller forums run on shadowban folklore - the algorithm suppressed you, invisibly and unverifiably. Andrew Tate's Hustler's University - roughly 127,000 to 200,000 members at $49.99 a month at its 2022 peak, paying up to 50% commissions for recruiting - solved the problem structurally: members were explicitly encouraged to flood platforms with controversial clips, so the failure to get rich became more marketing for the thing that didn't make you rich.
The one diagnosis no costume ever permits is the cheap one: the idea was bad, the market said no, and the market was allowed to say no. So the buyer rages at the algorithm, buys the next course, and reposts the meme. There is always room for you.
The math disagrees at scale. Lovable - the flagship AI app builder - reports 100,000 new projects a day. RevenueCat's 2026 dataset of 115,000+ subscription apps: 17.3% of newly launched apps ever reach $1,000 a month in revenue; the median app makes $72 a month a year after launch. Of 385 VC-backed shutdowns since 2023 with identifiable causes, 43% died of poor product-market fit - and a decade earlier, the same analysis made "no market need" the most-cited failure reason at 42%. Professionals with venture money behind them fail the validation test four times out of ten. The feed is shipping people into the same exam while telling them the exam is for the uncalled.
Here is the structural joke nobody laughs at: law is territorial, grift is TCP/IP.
Your national consumer authority can fine the shop on the corner. It cannot reach a Delaware LLC run by an operator in Bali through an agency in a third country, with a payment processor in a fourth and a server somewhere up a mountain in Peru. If an American grifter takes money from a Latvian buyer, the Latvian authority writes a letter. If a Latvian truth-teller wants to sue the operator in Peru, the legal fees alone cost more than the scam did.
The cross-border machinery that nominally exists is thin, and now we can put numbers on thin. Inside the EU, consumer authorities cooperate through the CPC network: across the entire 2022-2023 period it exchanged 440 mutual-assistance requests - for a single market of roughly 440 million consumers. One request per million consumers per year. Outside the EU there is econsumer.gov, the FTC-led international complaint portal: 40,432 reports in 2019, $151 million in reported losses, and - by explicit design - zero individual cases resolved. ICPEN, the network behind it, says so itself: "ICPEN is not an organisation that is able to handle individual consumer complaints." The complaints are trend data. Above a certain organized-crime threshold there is Europol, whose mandate under Regulation 2016/794 covers serious crime affecting two or more member states - and your "free" tool that bills 1,000 a month does not meet the threshold.
Meanwhile the volume runs the other way. The FBI's Internet Crime Complaint Center logged $20.9 billion in reported losses for 2025, across more than a million complaints - the first year it broke a million. Its rapid-response team can freeze wire transfers when victims report within hours; that works about two-thirds of the time, on the sliver of cases it fits. For everyone else, the realistic remedy stack is three items long: a chargeback inside the card network's 120-day window, a platform report, and public documentation. That is the entire sheriff's office.
And when enforcement does land - when the machine works exactly as designed - look at the recovery math, case by named case. MOBE, the "21-step system" that took more than $125 million from buyers of online-business education: shut down in 2018, a $318 million judgment on its founder suspended when he surrendered about $17 million, and $23 million eventually returned to 37,000 victims. Average check: $633. Digital Altitude, its direct competitor: a $54 million judgment, suspended on surrender of $1.9 million. Online Trading Academy, which collected over $370 million selling trading courses costing up to $50,000: a $362 million judgment, refunds of $5.4 million to 31,144 consumers - $175 each.
The 4% recovery rate is not a failure of this system. It is this system, working exactly as built.
Take the "free" trick, the tool advertised as free that turns out to cost four figures a month once a vulnerable person is invested. In the EU this is not a gray area. The Unfair Commercial Practices Directive's blacklist - Annex I, point 20 - bans describing a product as free when the consumer pays anything beyond unavoidable costs. Banned in all circumstances, no harm test required, adopted in 2005, enforceable across member states since the end of 2007.
So why is your feed full of it? Because a blacklist without enforcement capacity is a museum exhibit. In February 2024 the European Commission and national authorities swept 576 influencers across 22 member states: 97% posted commercial content, one in five systematically disclosed it, 82 of them had over a million followers, and 358 were flagged for follow-up. The follow-up is a letter asking them to comply. In January 2026, Latvia's own consumer authority, PTAC, warned that ads guaranteeing "thousands of euros per month" in passive income were circulating in Latvian media, aimed at seniors. The warning is the enforcement.
The pattern holds even where the enforcement is real. The FTC's Operation AI Comply (September 2024) and its follow-on cases read like the same scheme with a software update: Ascend Ecom, "cutting-edge AI tools" for passive-income stores, at least $25 million in losses, owners banned. Ecommerce Empire Builders, an "AI-powered Ecommerce Empire" at up to $35,000 per storefront, $9.8 million judgment. Automators AI, $21.7 million judgment, lifetime ban. Click Profit, which claimed AI-run Amazon stores and invented partnerships with Nike and Disney - while roughly 95% of its stores got terminated by Amazon itself. By April 2026 the FTC had reached Publishing.com, an "AI ebook passive income" course at up to $1,995 - settled for $1.5 million. Across the Channel, the UK's advertising regulator banned earnings-claim ads from five business-coaching brands in one October 2025 batch, including Tony Robbins' and Grant Cardone's operations, and the FCA filed criminal charges against nine finfluencers. And Andrew Tate? The only money authorities have actually pried loose from the Hustler's University era is a £2.6 million UK seizure - for unpaid taxes. The consumer-protection bill never arrived.
Every one of those wins took two to six years, and the median refund, where there was one, would not cover the course that caused it. Laws do not deter anyone. Expected enforcement deters people, and the expected enforcement against a foreign micro-grifter rounds to zero.
Meanwhile the one consumer-protection mechanism with same-day response times - public criticism - is the one that gets punished. This is not hypothetical; it has case law and price tags.
A Bordeaux court ordered blogger Caroline Doudet to pay damages plus costs over a negative restaurant review, with the complaint noting her post ranked too high on Google. The offence was visibility. A UK law firm sued the client who had paid it a £200 fixed fee and called the result a scam on Trustpilot - and won £25,000. In Texas, Prestigious Pets sued a couple for up to $1 million over a one-star Yelp review that mentioned a cloudy fish tank. KlearGear billed a couple a $3,500 "non-disparagement fee" for a negative review; clearing their names took years (they eventually won $306,750 - by default, from a company that had stopped answering). When YouTuber Atozy called a crypto influencer's promotions out, he got sued for $75,000+ and had to crowdfund roughly $200,000 for his defense before the suit was quietly dropped.
The lawsuit does not need to be winnable. Filing a US federal suit costs $405; the median cost of defending one runs near $39,000, and English defamation defence costs were found by an Oxford study to run up to 140 times the European average - the multiplier is contested, the direction is not. For the grifter it is a marketing expense. For you it is a mortgage payment with a court date.
This maneuver has a name: a SLAPP, a strategic lawsuit against public participation. Europe finally built a shield - Directive (EU) 2024/1069, informally known as Daphne's law, after the murdered Maltese journalist Daphne Caruana Galizia. The transposition deadline was 7 May 2026. As of this month, seven of twenty-seven member states have fully transposed it: Cyprus, Finland, France, Latvia, Lithuania, Slovenia, Sweden - plus Malta, partially. (Latvia, for once, on the right side of a deadline.) And even on paper, the directive only mandates protection in cases with cross-border implications - while CASE's 2025 monitoring report, covering 1,303 documented European SLAPPs from 2010 to 2024, puts the cross-border share at 8.5%.
Read that as a battlefield report: the shield arrived a month ago, late, in fragments, and pointed at 8.5% of the incoming fire.
And the law aimed at the influencer economy itself - the hidden ads, the fake-free offers, the manipulative funnels? That is the EU's Digital Fairness Act, and it does not exist yet. The public consultation closed on 24 October 2025. The Commission's 2026 work programme slots the proposal for the fourth quarter of 2026. Everything after that is projection: standard legislative timelines point to adoption around late 2027 and staggered application somewhere in 2028-2030.
Write that on a sticky note next to the tarot reading. The law regulating the person who promised you a huge investment arrives on roughly the same schedule as the investment.
Now watch what happens to the people who believed the build-it-in-a-day pitch, because this is the part of the funnel nobody films.
In May 2026, the security firm Red Access published a census of the new landscape: 380,000 publicly accessible vibe-coded assets - apps, databases, infrastructure - built on Lovable, Base44, Replit and deployed via Netlify. About 5,000 looked corporate and had essentially no access controls; more than 2,000 of those were actively leaking sensitive data - medical records, bank financials, customer chats. Axios independently verified exposed apps; Wired confirmed the findings separately. Before that, in 2025: Replit employees Matt Palmer and Kody Low (a competitor - noted) scanned 1,645 apps on Lovable's own showcase page and found 170 of them, one in ten, readable and writable by anyone on the internet. That became CVE-2025-48757, severity 9.3 out of 10. Lovable disputes the finding; the vendor position is that customers bear responsibility for their apps' data. Hold that sentence next to the marketing. Security firm Escape scanned 5,600 vibe-coded apps and logged 2,038 critical vulnerabilities and 400+ leaked secrets. Veracode's 2025 testing found 45% of AI-generated code samples failed basic security tests.
The flagship example deserves its own paragraph. Moltbook - the viral social network for AI agents, January 2026 - shipped its database key inside its client-side JavaScript with no row-level security. Wiz researcher Gal Nagli found it within minutes of looking: 1.5 million API tokens, 35,000 user emails, 4,060 private messages, some containing other services' keys in plaintext. The platform's creator was proud to say he hadn't written a single line of code himself. To be fair: once told, they patched it in about three hours. But the finding took minutes, and the people who scan for a living are not researchers.
That is the second economy, and it is industrialized. Honeypot studies by Orca Security: an AWS key pushed to a public GitHub repo is found by attackers within two minutes and used within two more. GitGuardian counted 23.8 million new secrets leaked on public GitHub in 2024 alone - and found 70% of secrets leaked two years earlier still worked. In one July, a single automated script wiped and ransomed 22,900 exposed MongoDB databases - about 47% of every MongoDB instance visible on the internet - for roughly $140 each; the "Meow" bot that followed deleted thousands more without even leaving a ransom note. Since 2024 there is a name for the AI-specific variant, LLMjacking: stolen cloud credentials resold to run other people's AI models at the victim's expense - Sysdig priced the exposure at up to $100,000 a day for a victim with the wrong key leaked.
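An added example, not code from this article or from any vendor it names: a pre-deploy scan of a built client bundle for the failure described above, a privileged key shipped inside client-side JavaScript. It assumes a backend whose API keys are JWTs carrying a `role` claim (`anon` for public, anything else privileged); the function names and the sample bundle are constructed for illustration.

```python
import base64
import json
import math
import re
from collections import Counter

# AWS access key IDs: AKIA/ASIA prefix followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# JWT: three base64url segments; header and payload are JSON, so both start "eyJ".
JWT = re.compile(r"\beyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")
ASSIGNED = re.compile(  # long quoted value assigned to a credential-looking name
    r"(?i)(?:api[_-]?key|secret|token|password)[\"']?\s*[:=]\s*[\"']([^\"']{20,})[\"']")

def shannon_entropy(s):
    """Bits per character; random keys score well above ordinary words."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def jwt_claims(token):
    """Decode the (unverified) payload segment of a JWT into a dict."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return {}
    return claims if isinstance(claims, dict) else {}

def scan_bundle(text):
    """Return (kind, severity, redacted_match) for each credential found."""
    findings = []
    for m in AWS_KEY_ID.finditer(text):
        findings.append(("aws-access-key-id", "high", m.group()[:8] + "..."))
    for m in JWT.finditer(text):
        role = jwt_claims(m.group()).get("role", "unknown")
        # Assumption: an "anon" key may be public only if row-level security is on.
        severity = "review-rls" if role == "anon" else "high"
        findings.append((f"jwt-role:{role}", severity, m.group()[:12] + "..."))
    for m in ASSIGNED.finditer(text):
        value = m.group(1)
        if JWT.match(value) or AWS_KEY_ID.fullmatch(value):
            continue  # already reported by the loops above
        if shannon_entropy(value) >= 3.5:
            findings.append(("high-entropy-assignment", "medium", value[:4] + "..."))
    return findings

def should_block_deploy(findings):
    return any(severity == "high" for _, severity, _ in findings)

def make_sample_jwt(claims):
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256"}), enc(claims), "c2lnbmF0dXJlLXBsYWNlaG9sZGVy"])

# Constructed sample of a minified client bundle; every value in it is fake.
SAMPLE_BUNDLE = (
    'const db=createClient("https://db.example.invalid","'
    + make_sample_jwt({"role": "service_role"}) + '");const pub="'
    + make_sample_jwt({"role": "anon"}) + '";const cfg={awsKey:'
    '"AKIAIOSFODNN7EXAMPLE",apiKey:"q7Zr2LmX9vTb4KpWc8Yd1NsHf6Ge"};'
)

if __name__ == "__main__":
    print(scan_bundle(SAMPLE_BUNDLE), should_block_deploy(scan_bundle(SAMPLE_BUNDLE)))
```

A `review-rls` finding is not a pass: a public key is only harmless when the database behind it enforces row-level security, which this scan cannot see.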
And the named victims are exactly who you think they are. On 15 March 2025 an indie builder posted that his SaaS was built with Cursor, "zero hand written code," and that people were paying for it. Within two days he was back: API keys maxed out, paywall bypassed, "guys, I'm under attack." When the Tea app - not AI-built, but a legacy unsecured storage bucket from its early days - was found by 4chan in July 2025, the harvest took hours, not days: 72,000 images downloaded, including 13,000 verification selfies and government IDs; a map purporting to plot affected women's locations from photo metadata; a Facemash-style site ranking the leaked selfies. Days after that, a copycat app rushed out to ride the outrage was itself found leaking its users' driver's licenses - within ten minutes of a reporter looking. The lesson isn't that AI builds insecure apps. It's that the unsupervised-builder cohort used to be small, and the permission economy just minted millions more of them, each with a credit card wired to a cloud account.
Connect the dots and the shape is a food chain. The guru sells the dream. The buyer, who does not know what API stands for, ships an app with their billing details attached. And a second economy harvests the cohort the first economy created: drained API quotas, scraped customer data, ransomed databases. Tarot at the top of the funnel, pentest at the bottom, and the refund desk does not exist on either floor.
The cruelest part is that the fix was always free. Search the app store before you build. Check whether the thing already ships preinstalled on more than five billion active smartphones - ask Wunderlist, which raised $24 million of Sequoia-led money to build a to-do list before Microsoft bought and buried it; ask Tile, which raised about $140 million before Apple shipped AirTag on the preinstalled Find My network and ended the conversation in seven months; ask the flashlight-app category, which Apple deleted with one toggle in iOS 7 - though not before the FTC caught the biggest flashlight app secretly selling its users' location data. Even the flashlight was harvesting. Kill 28 of your 30 ideas before dinner. That advice costs nothing, which is exactly why nobody sells it.
So what do you do in a market where the regulator is scheduled for 2028, the shield covers 8.5%, and the defendant lives behind four jurisdictions?
You become the institution. Not metaphorically. Procedurally. This is the method we actually run, and it works because it is built to court standard from the first screenshot.
Archive before you accuse. Timestamps, full-page captures, archived copies. This industry edits its past faster than its income claims - the platform that said "we did not suffer a data breach" walked it back within a news cycle, and only the archive remembers both versions.
Verify like it is going to court, because it might be. Buy the product. Pull the company registry. Keep the invoice that proves "free" costs 1,000 a month. A lab result saying 99.99% of anything is not an insult, it is an exhibit.
Name precisely. The entity, the claim, the date, the price. Adjectives are for the headline. The body is documents. (Notice what this piece names: court dockets, settlement amounts, CVE numbers, dated reports. Notice what it doesn't: vibes.)
Ask for an explanation on record before publishing. The right of reply is fairness and armor in a single move. Their answer becomes part of the file. So does their silence. So does their first answer when it contradicts their second.
Separate finding from opinion, loudly. "Their own pricing page contradicts their ad" is a fact. "This looks like a harvest operation" is an opinion based on stated facts, and you label it as one.
File it anyway. Consumer authority at home, CPC inside the EU, econsumer.gov outside it, plus platform and ad-network reports. Not because anyone rides out today. Because regulators move on stacks, not incidents - the FTC's 2024 income-disclosure report exists because two decades of dossiers made it unavoidable - and every dossier is one unit of stack. The 2028 sheriff will need the paperwork, and it might as well be yours.
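One way to make the archive step tamper-evident, as an added example rather than the authors' own tooling: each capture is hashed and chained to the previous entry, so a later edit to the file or to the record shows up on verification. Field names, function names and the sample data are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def entry_hash(entry):
    """Hash every field except the hash itself, in a canonical JSON form."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_evidence(ledger, capture, entity, claim, price, source_url, captured_at=None):
    """Record one capture (raw bytes of a screenshot, saved page or invoice)."""
    entry = {
        "seq": len(ledger),
        "captured_at": captured_at
        or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "entity": entity, "claim": claim, "price": price,
        "source_url": source_url,
        "capture_sha256": hashlib.sha256(capture).hexdigest(),
        "prev_hash": ledger[-1]["entry_hash"] if ledger else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry


def verify_ledger(ledger, captures):
    """Return (seq, problem) pairs; an empty list means nothing was altered."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(ledger):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            problems.append((i, "chain broken"))
        if entry_hash(entry) != entry["entry_hash"]:
            problems.append((i, "entry edited"))
        if hashlib.sha256(captures[i]).hexdigest() != entry["capture_sha256"]:
            problems.append((i, "capture changed"))
        prev = entry["entry_hash"]
    return problems


def build_demo():
    """Constructed data: one pricing page captured before and after an edit."""
    ledger = []
    captures = [b"<html>Free forever</html>", b"<html>Plans from 1,000/month</html>"]
    append_evidence(ledger, captures[0], "ExampleCo (constructed)", "tool is free",
                    "0", "https://example.invalid/pricing", "2026-06-12T09:00:00+00:00")
    append_evidence(ledger, captures[1], "ExampleCo (constructed)", "tool is free",
                    "1,000/month", "https://example.invalid/pricing", "2026-06-13T09:00:00+00:00")
    return ledger, captures


if __name__ == "__main__":
    demo_ledger, demo_captures = build_demo()
    print(verify_ledger(demo_ledger, demo_captures))
```

The chain shows that nothing was edited after the fact, not when a capture was made; an independent archived copy of the same page supplies that.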
In cyberpunk fiction, individuals cannot out-gun the corporations, so they trade in the only thing that still moves freely: information. That stopped being fiction somewhere between the trillion-dollar scam economy and the 4% recovery rate.
The internet's last functioning consumer-protection agency is whoever kept the receipts. And here the fatalist ending writes itself: nobody is coming, bring paper.
We refuse that ending. Somebody has to be the someone, so: us.
We build the tools. We write to the bastards directly and ask for explanations on the record, and the answer or the silence goes in the file. We are turning the dossier method into templates anyone can use, because a report you can file in ten minutes gets filed, and a report that requires a law degree does not. And if nobody listens, we gather the papers anyway. From anyone. Until the stack is too big to step over. Regulators move on stacks. We are building the stack.
Two warnings come attached, and they are not negotiable.
First, to anyone who thinks a reporting system is a free harassment weapon: file a fake accusation, aim this at a competitor out of spite, and we will burn you with the same matches. A dossier system is only worth anything if the false accuser fears it exactly as much as the grifter. Symmetric. No exceptions. The lab report principle cuts everyone.
Second, to the person about to quit their job over an app idea: before you build, ask. We will tell you, for free, the sentence the entire internet is paid not to say. Usually it is "don't build that, it ships preinstalled on five billion phones." Sometimes it is "28 of these 30 are dead, but number 14 has a pulse." And once in a while it is "this one is real, and we might even help."
It doesn't matter how over-saturated the market is. If the market called you to it, there is room for you. The market speaks in pre-orders.
Nobody was coming. So now somebody is.
Bring paper anyway. We will know what to do with it.
Method. Every figure in this piece was checked against its primary source (regulator filing, court docket, company disclosure, or original research report) on 12-13 June 2026, with independent adversarial verification on the load-bearing claims. Where a source is disputed, the dispute is stated in the text.
Disclosures the reader deserves.
Right of reply. Any person or company named here can request space for an on-record response: admin@serpctrl.lv. The response, or the refusal, joins the file.
Corrections. Factual errors will be corrected in place with a dated note. That is the lab-report principle, and it cuts everyone - including us.