Malicious Websites Are Now Tricking AI Agents Into Paying Crypto. We Built the Scanner for This Exact Attack in April.
- Patrick Duggan
- 2 hours ago
- 4 min read
Zscaler's ThreatLabz just documented the thing we built a scanner for in April, happening in the wild, with money changing hands. Two campaigns are hiding instructions inside web pages — concealed with CSS, HTML, and JSON-LD, and boosted with SEO poisoning so that AI browsing agents find them — and those hidden instructions tell the agent to do things its human never asked for. In one campaign, a fake developer-documentation site walks an agent into paying three dollars or sending cryptocurrency to an attacker-controlled wallet. In the other, a typosquatted clone of the DeFi portfolio tracker DeBank feeds the agent prompts insisting it is the real DeBank. Across twenty-six models tested, four were tricked into executing payments: two Llama variants and two Gemini models. The threat actor's own GitHub account tied ten repositories to the operation.
This is the attack we have been describing for three months, and it has now graduated from proof-of-concept to a working revenue model. The reason it works is the same reason it is hard to see: the human and the machine are not reading the same page. You see clean documentation. The agent reads a paragraph of instructions you were never shown, hidden in a stylesheet, an off-screen element, or a block of structured JSON-LD metadata that browsers render invisibly but language models ingest as authoritative context.
We built the defense for this in April
On April 10 we published "Your Website Is Talking to AI Models Behind Your Back. We Built the Scanner That Catches It." The entire premise was this exact attack class: content on a web page that does not target your servers or your users, but targets the AI models that read the page — instructions hidden in the markup, invisible to the human, authoritative to the model. A few weeks earlier, in March, we had walked through the LayerX font-glyph variant in "Your AI Assistant Can't See What's Killing It," where a remapped TrueType font shows a human one character and hands the model another. Same principle, different hiding place.
And it is not just a blog thesis. Our AIPM product — the tool that audits how AI models perceive a brand — scans for exactly this: AI prompt-injection contamination across a site's robots.txt, its structured data, its meta tags, and the rest of the surfaces a model reads and a person does not. The JSON-LD-and-CSS hiding technique Zscaler found in these live campaigns is precisely the surface that scan was built to check, because we assumed, correctly, that the place attackers would hide instructions for machines is the place humans never look.
So the honest framing is the strong one. We did not catch these two specific campaigns — Zscaler's ThreatLabz did the field research, ran the twenty-six-model test, and pulled the GitHub attribution, and that work is theirs. What we had, three months early, was the attack class named, the mechanism dissected, and a shipping scanner that checks for the exact hiding places these campaigns used. The prediction was not a specific site. It was that this was coming, and that the defense had to live where humans cannot see.
Why the payment detail is the whole story
The reason the crypto angle matters is that it closes the loop from novelty to business model. For two years, indirect prompt injection was a research curiosity — clever, alarming, but mostly demonstrated in labs. The moment an agent can be walked into sending three dollars, or a wallet transfer, to an attacker, the attack has a direct payout and no human in the loop to say no. That is the same jump we flagged with autonomous ransomware: the interesting part is never "the AI did something," it is "the AI did something profitable without a person deciding to." An agent that browses, reads, and pays is an agent that can be robbed by a web page.
If you are deploying browsing or purchasing agents, the takeaways are concrete. Treat every web page an agent reads as untrusted input, the same way you treat user input to a database. Strip or sandbox the invisible surfaces — off-screen text, CSS-hidden content, JSON-LD, alt text — before they reach the model's context. Require a human confirmation step on any payment or irreversible action, because the four models that failed here failed silently. And scan the sites your agents transact with for injected instructions, because the attacker's whole strategy depends on you looking at the rendered page while your agent reads the source.
Held to about ninety-five percent confidence: the field research and attribution here are Zscaler's, and we credit it as theirs. Our claim is narrower and older — we named this attack class, dissected its hiding places, and shipped a scanner for it in April, betting that the fight would move to the surfaces humans cannot see. It did, and now it takes payment.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.




Comments