Hidden website prompts trick AI agents into sending cryptocurrency to attackers
Zscaler found attackers using search-engine poisoning and hidden instructions on malicious websites to manipulate AI agents into making cryptocurrency payments. In one case, a hidden element on the page tells an AI agent that it must "resolve an error" by completing a payment, alongside code that starts a crypto transfer to a hardcoded wallet; the same page also shows human visitors ordinary payment options. Another campaign typosquats a decentralized-finance portfolio tracker and uses hidden prompts to convince agents the fake site is the real one. The attacker is seeding the scheme through several GitHub repositories, showing how autonomous agents that browse and act can be steered by content they read.
- Check
- Review any AI agents that can browse the web and initiate payments, and check what guardrails, approvals, or spending limits sit between an agent reading a web page and moving money.
- Affected
- Users and organizations running autonomous AI agents that can browse and make payments; hidden instructions on poisoned or typosquatted websites can redirect the agent into sending cryptocurrency to an attacker's wallet.
- Fix
- Require human approval for agent-initiated payments, isolate untrusted web content from action-taking, apply spending limits and allowlisted destinations, and treat everything an agent reads online as untrusted rather than as instructions.