Security researchers at Zscaler ThreatLabz have documented two real-world campaigns where attackers embed hidden instructions in websites to manipulate AI agents into executing cryptocurrency transactions. The attacks exploit a vulnerability class known as indirect prompt injection, and they work alarmingly well.
How the attacks work
The Zscaler ThreatLabz report, published on July 2, details two distinct campaigns that target AI agents capable of browsing the web and taking actions on behalf of users.
The first campaign revolves around a fake Python library called “requests-secure-v2.” When an AI agent visits the associated webpage, hidden instructions embedded in the site’s content tell the agent to pay $3, framed as the cost of acquiring a developer API key. The payment, approximately 0.0012 ETH, gets directed to a hardcoded wallet address.
The attackers use CSS to hide the malicious instructions from human eyes while keeping them fully visible to AI models that parse the page’s underlying content. They also leverage JSON-LD structured data and SEO poisoning to make the page appear legitimate and rank well in search results.
The second campaign uses a typosquatted domain, debank[.]auction, designed to impersonate the legitimate DeFi platform DeBank. Through SEO-optimized structured data, the site tricks AI agents into classifying it as the real DeBank, potentially leading users to interact with a fraudulent platform thinking it’s genuine.
The numbers are not reassuring
Zscaler tested these attack techniques against 26 different large language models in internal experiments. For the first campaign, 4 out of 26 LLMs successfully executed the fraudulent payment when presented with the malicious content. For the second campaign, 2 out of 26 models misclassified the typosquatted site as the legitimate DeBank platform. Some variants of Llama and Gemini were particularly susceptible.
The wallet address associated with the first campaign, 0x691bc3793205e574fa7b4aa068e62c0e470ad267, is hardcoded directly into the malicious web content.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

1 hour ago
21









English (US) ·