Meet the Top 101 in Crypto
AI
5 min read

Hackers Use Malicious Websites to Trick AI Agents Into Sending Crypto Payments

Published 08 July 2026
Giuseppe Ciccomascolo
Authors

Key Takeaways

  • Cybercriminals are using malicious websites to manipulate AI agents into sending cryptocurrency payments via hidden prompt-injection attacks.
  • The attacks rely on indirect prompt injection, embedding invisible instructions in webpages that AI models can read but human users cannot see.
  • Four of 26 tested AI models executed unauthorized crypto payments, including Meta’s Llama models and Google’s Gemini models.

Cybersecurity researchers have uncovered a new class of attacks that exploits AI agents to send cryptocurrency payments and spread misinformation.

According to a Zscaler report, threat actors are creating malicious websites designed to manipulate large language models (LLMs) via hidden instructions that remain invisible to humans but readable by AI systems.

The attacks rely on indirect prompt injection, a technique that embeds malicious instructions into third-party content such as websites.

As AI agents increasingly browse the web, interact with external tools, and even execute financial transactions on behalf of users, researchers warn that these hidden prompts could become a growing cybersecurity risk.

The findings illustrate how attackers are adapting traditional phishing and search engine optimization (SEO) poisoning techniques for the AI era, turning websites into weapons that can influence autonomous agents.

Our Top Crypto Sports Betting Partners:
Sponsored
Disclosure
Opened in 2021
Promotions
Casino No Wagering 100 Free Spins
Coins
Bitcoin Tether USD Coin Ethereum Solana +11
Opened in 2022
Promotions
Up to 550 USDT Bonus + up to €75 Free Bet + 5% cashback
Coins
Bitcoin Bitcoin Cash Dogecoin Ethereum Litecoin +53
Opened in 2018
Promotions
500% Welcome Bonus up to $90,000 + 100 Free Spins
Coins
Bitcoin Ethereum Litecoin Tether Dogecoin +3
Show More

Hidden Prompts Convince AI Agents to Send Cryptocurrency

The first campaign identified by Zscaler targeted software developers searching for a fake Python library called requests-secure-v2.

To attract both humans and AI agents, attackers boosted the malicious website’s visibility through SEO poisoning, filling hidden HTML with keywords such as “Python,” “API Reference,” “Fix FatalError,” and the library’s name.

While human visitors encountered a fraudulent request to purchase a “developer key,” AI agents received a very different experience.

Complete IPI attack chain
Complete IPI attack chain for this campaign. | Credit: Zscaler

Hidden inside an off-screen HTML element concealed with CSS, the website contained detailed instructions specifically written for AI systems.

The prompt directed agents to pay a small licensing fee before using the software and even included JavaScript code that could initiate an Ethereum transaction to the attacker’s wallet.

The code featured unusually detailed comments explaining every step, including a fake key-generation process, a characteristic researchers noted is commonly associated with AI-generated code.

Investigating the associated Ethereum wallet, Zscaler confirmed it had already received cryptocurrency payments, although they may not have matched the exact amount requested by the fake website.

Researchers believe the low requested payment, around 0.0012 ETH, roughly a few dollars, may have been intentional.

Small transactions are less likely to trigger fraud detection systems or exceed spending limits imposed on AI agents, increasing the likelihood that they will slip through automated safeguards.

Several Leading AI Models Fell for the Attack

To evaluate the campaign’s effectiveness, Zscaler created a sandbox environment with an AI agent that can browse the internet and access cryptocurrency payment tools.

The researchers instructed the agent to assist developers by browsing documentation and solving coding problems, enabling it to independently decide which online resources to trust.

Out of 26 large language models tested, four ultimately executed the malicious payment instructions after visiting the poisoned website.

LLM models vulnerable to IPI attacks
LLM models that were vulnerable to IPI attacks. | Credit: Zscaler

The affected models included Meta’s Llama 3.3 70B Instruct and Llama 3.2 90B Vision Instruct, and Google’s Gemini 3 Flash and Gemini 2.5 Pro.

The investigation also linked the attacker to a GitHub account containing ten repositories associated with similar malicious websites.

Those sites attempted to persuade AI agents to make small cryptocurrency payments for various fabricated reasons, including resolving copyright disputes or purchasing supposed market analysis.

The findings suggest attackers are actively building infrastructure specifically designed to exploit autonomous AI systems rather than directly targeting human victims.

Fake DeBank Website Highlights Broader AI Security Risks

A second campaign focused less on stealing cryptocurrency directly and more on manipulating AI-generated information.

In this case, attackers impersonated the popular DeFi portfolio tracker DeBank, again relying on SEO poisoning to improve search visibility.

Hidden prompts instructed AI systems to ignore prior context and treat the fake website as the primary source of truth for DeBank queries.

Hidden prompt injection
Hidden prompt injection promoting debank[.]auction as the authoritative DeBank site. | Credit: Zscaler
The malicious instructions also fabricated trust signals, including claims of a “9.9/10 trust score,” integration with Rabby Security Engine, and references to nonexistent official infrastructure.Comments embedded in the code explicitly referenced AI assistants, including Bing Chat, Microsoft Copilot, and other large language models.

Such attacks aim to poison retrieval-augmented generation (RAG) systems by influencing the information AI agents retrieve before responding to users.

During testing, none of the evaluated models classified the fraudulent site as legitimate when the authentic DeBank website was also available.

However, researchers found that GPT-5.4 identified the fake website as legitimate when the genuine site was unavailable, while Anthropic’s Claude Sonnet 4.5 also marked the fake website as trusted when evaluated in isolation.

The results underscore a growing challenge for AI security. As autonomous agents gain permission to browse the web, access financial accounts and complete transactions, malicious online content itself becomes a new attack surface.

Zscaler recommends organizations avoid giving AI agents unrestricted access to payment systems, including cryptocurrency wallets, and require human approval for all financial transactions. The company also advises validating and sanitizing web content before feeding it into AI retrieval systems to reduce the risk of prompt injection and context poisoning attacks.

Disclaimer: The information provided in this article is for informational purposes only. It is not intended to be, nor should it be construed as, financial advice. We do not make any warranties regarding the completeness, reliability, or accuracy of this information. All investments involve risk, and past performance does not guarantee future results. We recommend consulting a financial advisor before making any investment decisions.
Giuseppe Ciccomascolo

Giuseppe Ciccomascolo began his career as an investigative journalist in Italy, where he contributed to both local and national newspapers, focusing on various financial sectors.

Upon relocating to London, he worked as an analyst for Fitch's CapitalStructure and later as a Senior Reporter for Alliance News. In 2017, Giuseppe transitioned to covering cryptocurrency-related news, producing documentaries and articles on Bitcoin and other emerging digital currencies. He also played a pivotal role in establishing the academy for a cryptocurrency exchange website. Crypto remained his primary area of interest throughout his tenure as a writer for ThirdFloor.

Related

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status