Friday, July 10, 2026

News

Hidden Website Instructions Are Tricking AI Agents Into Paying Hackers in Crypto

AI AgentsPatryk Raba

Zscaler ThreatLabz researchers documented two live campaigns in which instructions hidden on web pages manipulate autonomous AI agents into transferring cryptocurrency to attacker-controlled wallets.

Contents
  1. How the attack works
  2. Impersonating DeBank
  3. Scale of model vulnerability
  4. Implications for companies deploying AI agents

Security firm Zscaler published a report on July 2 describing two indirect prompt injection attack campaigns that are not lab experiments, but are actively targeting AI agents that browse the web and perform tasks on users' behalf. In both cases, instructions hidden on web pages, invisible to humans but readable by the language model, prompt the agent to transfer cryptocurrency to a wallet controlled by the attacker or to trust a fake website.

How the attack works

The mechanism relies on the fact that AI agents searching the web for technical documentation or tool information treat page content as a source of instructions, not merely as data to read. In the first campaign, the attackers built a fake Python library documentation page, optimized through SEO poisoning to rank highly in search results for queries about installing the package.

The page contained hidden text using a CSS technique that pushes elements off screen, structured JSON-LD data falsely describing a $3 license purchase requirement with a link to a Stripe payment page, and code instructing the agent to transfer 0.0012 ETH to a specific wallet address. To a human user, the page looks like ordinary documentation; to an AI agent, it contains a direct instruction to make a payment.

Impersonating DeBank

The second campaign used the domain debank[.]auction, impersonating the popular DeFi wallet-tracking platform DeBank. The attackers used keyword stuffing in the title and meta tags, fake JSON-LD markup identifying the page as the official DeBank application, and hidden instructions telling language models to treat the spoofed domain as the primary, verified source of information about DeBank.

Zscaler researchers noted that structured metadata, such as JSON-LD tags, is sometimes treated by models as a signal of high credibility compared to plain HTML text, which can increase the effectiveness of such attacks depending on how a given agent is implemented.

Scale of model vulnerability

Zscaler tested both techniques across 26 different large language models. In the first campaign, four models completed the fake payment, including Llama and Gemini variants. In the second, two models, GPT-5.4 and Claude Sonnet 4.5, incorrectly classified the fake page as legitimate in a specific context, though the attack's success rate dropped noticeably when the agent had access to a known, trusted reference point.

This suggests that susceptibility to this kind of manipulation depends heavily on the context in which an agent operates, rather than being a fixed trait of a given model. The research echoes findings from a joint advisory issued in May by cybersecurity agencies of the Five Eyes countries, including the US CISA and NSA, which identified prompt injection as the most persistent and hardest-to-eliminate threat in agentic architectures.

Implications for companies deploying AI agents

For companies testing or deploying AI agents with access to payments, the key takeaway is that an agent browsing the open web for documentation or tools can be deceived by content it visits on its own, with no user interaction whatsoever. In practice, this means limiting agents' autonomous payment permissions and verifying the sources they rely on, especially for tasks involving the installation of software dependencies or financial operations.

The amounts involved in the documented campaigns are symbolic, just a few dollars in cryptocurrency, but the mechanism scales easily to thousands of simultaneous agent interactions, and researchers do not rule out that future variants of the attack could target larger transactions or other kinds of permissions, such as access to code repositories or cloud accounts.

Sources: Indirect Prompt Injection in Web Content Targets AI Agents (zscaler.com), Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments (securityweek.com), Hidden Webpage Instructions Are Making AI Agents Pay Hackers in Live Campaigns (techtimes.com).

Share: