Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments

  Rassegna Stampa, Security
image_pdfimage_print

Threat actors are using prompt injection attacks embedded in malicious websites and manipulated search results to trick AI agents into making payments or trusting fraudulent cryptocurrency platforms.

Zscaler says it identified two campaigns relying on indirect prompt injection, including a payment scam hiding behind API documentation, and a typosquatting operation promoting a crypto platform that impersonates DeBank.

As part of the first campaign, the threat actor has been using SEO poisoning to target AI agents searching for the Python library requests-secure-v2.

“The fraudulent website includes keyword-heavy HTML tied to the fake Python module to poison search results for package installation and dependency troubleshooting queries,” Zscaler explains.

Within the website, the attackers hid indirect prompts instructing the visiting agents to make a payment as part of the routine process of acquiring an API key. The payment was encoded in schema markup to increase the chances that the agents would follow the instructions.

A hidden <div> tag instructing AI agents to resolve an error by making the payment was also discovered on the website, as well as code to initialize a cryptocurrency transfer to a hardcoded wallet.

Advertisement. Scroll to continue reading.

“The website not only attempts to target AI agents, but also human developers. When the website is rendered by a desktop browser, the same payment options via credit card or cryptocurrency are displayed to the user,” Zscaler explains.

The threat actor behind the campaign is using 10 GitHub repositories linking to multiple similar websites containing indirect prompt injections.

As part of the second campaign, a threat actor is promoting a fraudulent website typosquatting the decentralized finance portfolio tracker DeBank. The indirect prompts used in this campaign tell the AI agents that the impersonating website is the legitimate DeBank domain.

“The fraudulent website is optimized to rank for DeBank-related searches by stuffing the title and meta tags with keywords such as DeBank Login, DeFi Dashboard, and Crypto Tracker. It also includes Open Graph and X (formerly Twitter) metadata to make the link appear like an official DeBank service,” Zscaler notes.

To test the campaigns’ impact, the cybersecurity firm built an autonomous AI agent with web-browsing and payment-execution capabilities.

Of the 26 LLMs that were evaluated, four (Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro) were successfully manipulated into making a payment. Still, only two (Claude Sonnet 4.5 and GPT-5.4) miscategorized the fraudulent website as the trusted DeBank platform.

“As AI agents become a more common interface to the web, the content itself is going to become a larger attack surface, highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse,” Zscaler notes.

Related: Agentic AI Used to Conduct Ransomware Attack via Langflow

Related: Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution

Related: How to Conduct a Successful Audit of AI-Driven Software Development

Related: ‘BioShocking’ Attack Tricks AI Browsers Into Stealing Credentials

https://www.securityweek.com/prompt-injection-attacks-trick-ai-agents-into-making-crypto-payments/