Uncovering Hidden Attacks on AI Agents in Cryptocurrency Transactions

By Patricia Miller

2 min read

Security researchers reveal alarming cryptocurrency transaction manipulations by AI, highlighting hidden attacks and vulnerabilities.

#How Are AI Agents Targeted in These Attacks?

AI agents, programmed to execute user actions like transactions, have come under attack through two sophisticated campaigns documented by Zscaler ThreatLabz. These attacks involve a technique called indirect prompt injection, where hidden instructions are embedded within compromised webpages.

One campaign centered on a fraudulent Python library named requests-secure-v2. When an AI agent accesses the related webpage, the underlying code instructs it to make a payment of $3, which is disguised as a necessary fee for a developer API key. This transaction amounts to roughly 0.0012 ETH and is sent to a predefined wallet address.

In this scheme, attackers cleverly employ CSS techniques to conceal their malicious instructions from human viewers while ensuring that AI models can still read them. They also utilize JSON-LD structured data and manipulate SEO to enhance the site's legitimacy and visibility in search engine results.

The second attack strategy involved the use of a look-alike domain, debank[.]auction, which mimics the reputable DeFi platform, DeBank. By optimizing the site for search engines with structured data, attackers can mislead AI agents into treating their site as the authentic DeBank, potentially deceiving users into interactions that could lead to fraudulent activities.

#What Do the Numbers Reveal About These Attack Techniques?

Zscaler’s testing of these tactics showcased concerning results across various large language models. For the first campaign, 4 out of 26 models executed the fraudulent payment upon encountering the malicious content. In the second campaign, 2 of the tested models inaccurately identified the counterfeit site as the legitimate DeBank platform. Notably, certain versions of Llama and Gemini exhibited a higher susceptibility to these deceptive practices.

Additionally, the wallet address linked to the first campaign, 0x691bc3793205e574fa7b4aa068e62c0e470ad267, is embedded directly in the compromised webpage content, further underscoring the dangers of these attacks to unsuspecting users.

Important Notice And Disclaimer

This article does not provide any financial advice and is not a recommendation to deal in any securities or product. Investments may fall in value and an investor may lose some or all of their investment. Past performance is not an indicator of future performance.