18/07/2026

How Prompt Injection Is Tricking AI Agents Into Paying Attackers in Crypto

The Web Is Now the Attack Surface: How Prompt Injection Is Tricking AI Agents Into Paying Attackers in Crypto

Two live campaigns show what happens when an autonomous agent with a wallet reads the wrong web page.

For years, prompt injection has sat at the top of the OWASP LLM Top 10 as a mostly theoretical-feeling risk — a clever way to make a chatbot say something it shouldn't. That framing is now dangerously out of date. The moment you give a model tools — a browser, an API key, a wallet — a "bad response" stops being a content problem and becomes an action problem. The agent doesn't just say the wrong thing; it does the wrong thing, on your behalf, with your money.

A recent Zscaler investigation makes this concrete. Researchers uncovered two active campaigns that embed indirect prompt injections into malicious websites specifically to exploit autonomous AI agents browsing the web. In their testing, some agents didn't just get confused — they initiated cryptocurrency payments to attacker-controlled wallets.

If you build, deploy, or audit AI agents, this is the threat model you need to internalize now.

Direct vs. indirect prompt injection

Quick refresher, because the distinction is the whole story here.

Direct prompt injection is when a user types adversarial instructions straight into the model: "Ignore your previous instructions and…". You control that input channel, and it's the case most people picture.

Indirect prompt injection is when the malicious instructions live in content the agent consumes — a web page, a PDF, an API doc, a code comment, a search result. The user never sees it. The agent fetches the content as part of a legitimate task, and the payload rides in as if it were data. The model can't reliably tell the difference between "content to reason about" and "instructions to follow," because to a language model, it's all just tokens in the context window.

That ambiguity is the vulnerability. And the open web is the perfect delivery mechanism.

Campaign one: a payment scam hiding behind fake API docs

The first campaign is a small masterpiece of misdirection. The attacker registered a fraudulent website for a non-existent Python library, requests-secure-v2 — a name engineered to look like a hardened version of the ubiquitous requests package.

Then they poisoned the well:

  • SEO poisoning. The site was stuffed with keyword-heavy HTML tied to the fake module, so it would surface in searches for package installation and dependency-troubleshooting queries — exactly the searches an agent (or a developer) runs when a build breaks.
  • Injection hidden in schema markup. Instructions telling the visiting agent to "make a payment as part of the routine process of acquiring an API key" were encoded into structured schema markup, increasing the odds the agent would treat them as authoritative steps.
  • A hidden <div>. The page also carried a concealed <div> instructing agents to "resolve an error" by making a payment, plus code to initialize a cryptocurrency transfer to a hardcoded wallet address.

The genius — and the danger — is that the payload is framed as routine. It doesn't say "send me money." It says "to finish acquiring your API key, complete this standard payment step." An agent whose job is to get the library working reads that as a normal part of the workflow.

And this wasn't a one-off. The threat actor operated 10 GitHub repositories linking out to multiple similar injection-laced sites. When the same pages are rendered in a desktop browser, they show credit-card and crypto payment options to human developers too. The trap is set for both.

Campaign two: typosquatting DeBank to poison trust

The second campaign targets trust directly. The attacker stood up a fraudulent site typosquatting DeBank, the well-known DeFi portfolio tracker. The indirect prompts on the page told visiting agents that the impersonating site was the legitimate DeBank domain.

To make the lie stick across both machine and human readers, the site was optimized to rank for DeBank-related searches — title and meta tags stuffed with terms like DeBank Login, DeFi Dashboard, and Crypto Tracker — and dressed up with Open Graph and X (Twitter) metadata so shared links looked like an official DeBank service.

This is the more insidious of the two. Campaign one tries to trigger an action. Campaign two corrupts the agent's ground truth about which domain to trust — and a mistaken trust decision downstream can authorize anything.

The results: which models fell for it

Zscaler built an autonomous agent with web-browsing and payment-execution capabilities and pointed it at the campaigns across 26 different LLMs. Two findings matter:

  1. Four models were manipulated into making a payment — Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro.
  2. Two models miscategorized the fraudulent site as the trusted DeBank platform — Claude Sonnet 4.5 and GPT-5.4.

Sit with that second point. Some of the strongest frontier models resisted executing the payment but still got the trust decision wrong. Model capability is not the same as agent safety. A smart model with a wallet and no guardrails is still a liability, because the failure mode isn't "the model is dumb" — it's "the model followed instructions from an untrusted source, exactly as designed."

Why this breaks the traditional AppSec mental model

As an appsec engineer, my instinct is to map new threats onto old bug classes, and this one maps cleanly — it's a trust-boundary failure. The agent's context window mixes trusted instructions (your system prompt, your task) with untrusted data (arbitrary web content) in the same channel, with no reliable separator. That's the same root cause as SQL injection (data interpreted as code), reentrancy in smart contracts (state trusted mid-execution), and TOCTOU races. Different domain, same disease: a boundary that should be enforced isn't.

What's new is the blast radius. A classic web injection leaks data or hijacks a session. An agent injection can:

  • Move money — directly, via connected payment or wallet tooling.
  • Act with the user's authority — email, databases, internal APIs, cloud consoles.
  • Persist and pivot — poison the agent's memory or trust state for future tasks.

The content of the web has become executable in a way it never was before, and every page your agent reads is now untrusted input to a system that can take irreversible actions.

Defenses that actually help

There's no single fix, because you can't fully separate instructions from data inside today's LLMs. So you defend in layers, and you assume injection will land.

Treat all fetched content as untrusted input. This is the mindset shift. Web pages, API docs, search results, tool outputs — none of it is authoritative. Never let retrieved content escalate the agent's privileges or rewrite its objective.

Put money and irreversible actions behind human-in-the-loop. If an agent is about to initiate a payment, sign a transaction, or send funds, a human approves it. Full stop. The Zscaler campaigns only "win" if the payment executes autonomously. Break that link and the attack collapses into a failed suggestion.

Enforce allowlists for payments and domains. An agent with a wallet should only ever be able to transact with a pre-approved set of addresses. Hardcoded attacker wallets can't be on it. Same for sensitive domains — pin the real DeBank domain rather than letting the agent infer trust from page content.

Isolate and label context by trust level. Architecturally separate the system prompt and task instructions from retrieved data. Use structured boundaries, and where possible a separate model pass to sanitize or summarize untrusted content before it reaches the reasoning context.

Constrain tool scope and permissions. Principle of least privilege applies to agents too. If a task doesn't need payment capability, don't grant it. Scope API keys narrowly. Rate-limit and cap transaction values.

Monitor and log agent actions. Treat agent tool-calls like privileged operations. Log every payment attempt, every domain trust decision, every tool invocation, and alert on anomalies — an agent suddenly trying to pay an unknown wallet is an incident.

Verify dependencies out-of-band. Campaign one weaponized a fake package name. Whether it's an agent or a human resolving a dependency, package names should be verified against trusted registries — not accepted because a well-ranked page vouched for them.

The takeaway

Zscaler's own framing is the right one: as AI agents become a more common interface to the web, the content itself becomes the attack surface. AI is a double-edged sword — it streamlines workflows and simultaneously opens brand-new avenues for abuse.

The uncomfortable truth for anyone shipping agents: your threat model now includes every web page your agent might ever read, written by anyone, with instructions you'll never see. Design for that, or an attacker will design it for you.

The single highest-leverage control? Never let an autonomous agent move money without a human in the loop. Everything else is defense in depth around that one rule.


Source: Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments — SecurityWeek (Ionut Arghire), reporting on Zscaler ThreatLabz research.

JadePuffer: Anatomy of an Agentic Ransomware Attack That Ran an LLM as Its Operator

JadePuffer: Anatomy of an Agentic Ransomware Attack That Ran an LLM as Its Operator A threat actor chained a Langflow RCE into a fully LL...