Zscaler IPI Crypto Payment Attacks — AI Agents Tricked Into Sending Funds

AI relevance: As AI agents become autonomous interfaces to the web, indirect prompt injection attacks manipulate agent decision-making through poisoned web content, turning legitimate development tasks into financial fraud.

The Attack

  • Zscaler ThreatLabz documented two active campaigns where attackers embed hidden indirect prompt injection (IPI) instructions in websites designed to be discovered by AI agents during routine tasks
  • Campaign 1 targets developers searching for the Python library requests-secure-v2 — the fraudulent site uses SEO poisoning to rank for package installation queries
  • Hidden IPI payloads instruct visiting AI agents that a $3.00 API license key purchase is required to resolve a MissingLicenseKeyException error
  • Attackers encode payment instructions in JSON-LD structured metadata, which AI agents may treat as high-signal context compared to free-form HTML
  • CSS techniques hide IPI content from human users (positioned off-screen with left: -9999px) while keeping it machine-readable for parsers and AI agents
  • The attack chain includes JavaScript code that initiates a 0.0012 ETH transfer (~$3) to a hardcoded attacker-controlled wallet address
  • Campaign 2 uses typosquatting to impersonate DeBank (a DeFi portfolio tracker), with IPI instructions telling agents the fraudulent site is the legitimate domain
  • The threat actor operates 10 GitHub repositories linking to multiple similar IPI-enabled websites

Testing Results

  • Zscaler built an autonomous AI agent with web-browsing and payment-execution capabilities to test campaign impact
  • 26 LLMs were evaluated across both campaigns
  • 4 models failed to take appropriate actions: Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro were successfully manipulated into making payments
  • Only 2 models (Claude Sonnet 4.5 and GPT-5.4) miscategorized the fraudulent DeBank site as legitimate
  • Susceptibility varied by model and by the context provided alongside the prompt

Why It Matters

This is not a theoretical jailbreak or red-team exercise — it's active financial fraud targeting AI agents in production. The attack exploits a fundamental trust assumption: when an AI agent browses the web to complete a task, it treats discovered content as legitimate context. Indirect prompt injection turns that assumption into a vulnerability.

The use of JSON-LD schema markup is particularly concerning because it exploits the structured data that search engines and AI systems prioritize. When attackers encode malicious instructions in SoftwareApplication.offers fields, they're speaking the language that agents are trained to trust.

This attack surface will expand as AI agents become the default interface for development, research, and automation tasks. Every agent with web access and payment capabilities is a potential target.

What To Do

  • Treat web content as untrusted input: AI agents should not execute payments, API calls, or state-changing operations based solely on discovered web content without explicit user approval
  • Implement payment confirmation gates: Any agent-initiated financial transaction requires human-in-the-loop confirmation, regardless of how routine the payment appears
  • Validate domains before trust: Agents should verify domain authenticity through multiple sources (certificate transparency logs, official documentation, known-good lists) before treating a site as legitimate
  • Monitor for SEO poisoning: Security teams should track unusual search result patterns for internal tools and dependencies — attackers rely on agents discovering poisoned content through search
  • Audit agent decision logs: Log all web content that influenced agent decisions, especially for high-risk actions like payments or credential submission
  • Test your models: Use Zscaler's methodology to evaluate how your deployed LLMs respond to IPI attacks — susceptibility varies significantly by model and context

Sources