Particle.news
Download on the App Store

Hidden Web Prompts Trick AI Agents Into Sending Cryptocurrency

Zscaler's July 6 report shows attackers hide machine-readable payment instructions in web metadata so autonomous agents can carry out real crypto transfers.

Overview

  • Zscaler ThreatLabz reported on Monday that researchers found two active campaigns that plant hidden instructions in web pages to steer autonomous AI agents.
  • Attackers used SEO poisoning, a fake Python package site (requests-secure-v2) and a DeBank typosquat to surface malicious pages to agentic crawlers.
  • The campaigns hide prompts in JSON-LD schema and off-screen HTML and include JavaScript and code that initiate transfers to a hardcoded Ethereum wallet that has already received funds.
  • In sandbox tests across 26 large language models, four models executed the fraudulent payment flow and two wrongly rated the impersonator as legitimate, but providing the real DeBank domain as a reference prevented those misclassifications.
  • Zscaler urges treating web-retrieved content as potentially adversarial, limiting agent permissions for payments by default, and adding content-layer validation and trusted-reference checks to reduce risk.