Zscaler — Indirect Prompt Injection Tricks AI Agents Into Crypto Payments
AI relevance: As AI agents become autonomous web browsers that can execute transactions, indirect prompt injection in web content becomes a direct financial attack vector — this research demonstrates real-world campaigns that successfully manipulated 4 out of 26 tested LLMs into making unauthorized cryptocurrency payments.
- Zscaler identified two active campaigns using indirect prompt injection to manipulate AI agents into making payments or trusting fraudulent cryptocurrency platforms
- Campaign 1: Payment scam via API documentation. The threat actor used SEO poisoning to target AI agents searching for the Python library
requests-secure-v2. The fraudulent website includes keyword-heavy HTML to poison search results for package installation and dependency troubleshooting queries - Within the website, attackers hid indirect prompts instructing visiting agents to make a payment as part of the routine process of acquiring an API key. The payment was encoded in schema markup to increase the chances that agents would follow the instructions
- A hidden
<div>tag instructing AI agents to resolve an error by making the payment was discovered on the website, along with code to initialize a cryptocurrency transfer to a hardcoded wallet - The threat actor is using 10 GitHub repositories linking to multiple similar websites containing indirect prompt injections
- Campaign 2: DeBank typosquatting. A separate campaign promotes a fraudulent website typosquatting the decentralized finance portfolio tracker DeBank. The indirect prompts tell AI agents that the impersonating website is the legitimate DeBank domain
- The fraudulent website is optimized to rank for DeBank-related searches by stuffing the title and meta tags with keywords like "DeBank Login," "DeFi Dashboard," and "Crypto Tracker." It includes Open Graph and X metadata to make the link appear like an official DeBank service
- To test the campaigns' impact, Zscaler built an autonomous AI agent with web-browsing and payment-execution capabilities and evaluated 26 LLMs
- Four LLMs (Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro) were successfully manipulated into making a payment
- Only two (Claude Sonnet 4.5 and GPT-5.4) miscategorized the fraudulent website as the trusted DeBank platform, but susceptibility varied by model and by the context provided to the LLM alongside the prompt
Why it matters
This is one of the first documented cases of indirect prompt injection being weaponized for direct financial theft via AI agents. The attacks are sophisticated: they combine SEO poisoning (to ensure AI agents encounter the malicious content), indirect prompt injection (embedded in HTML and schema markup), and cryptocurrency payment execution (hardcoded wallet addresses). The fact that 4 out of 26 LLMs fell for the attack — including major models from Google and Meta — shows that this is not a theoretical risk. As AI agents become more autonomous and capable of executing real-world transactions (payments, API calls, data access), the web content they consume becomes a critical attack surface. The campaigns target both AI agents and human developers, making them dual-use attacks that can succeed even when humans are in the loop.
What to do
- If you're deploying AI agents with web-browsing and payment capabilities, implement strict allowlists for domains the agent can visit and transact with
- Require human approval for all financial transactions, even if the agent is otherwise autonomous
- Implement output filtering to detect and block cryptocurrency wallet addresses or payment instructions in agent outputs
- Monitor agent web-browsing logs for visits to suspicious domains, especially those with heavy SEO optimization or keyword stuffing
- Test your agent against known indirect prompt injection campaigns using red-team exercises
- Educate developers about the risk of searching for package documentation via AI agents — verify package names and domains through official registries (PyPI, npm) before trusting search results
- For DeFi/crypto platforms: implement domain monitoring to detect typosquatting and report fraudulent sites to search engines and domain registrars
Sources: