Researchers at Zscaler ThreatLabz have uncovered two campaigns that use hidden prompt injection attacks to trick AI agents into making cryptocurrency payments or trusting fake websites.
In the first campaign, attackers used search engine optimization (SEO) poisoning to push a fake website related to the Python library requests-secure-v2 higher in search results. The site contained hidden instructions telling AI agents to pay for an API key. The attackers also added hidden code to start a cryptocurrency payment to a wallet they controlled.
The fake website also targeted human users by displaying payment options for credit cards and cryptocurrency. Zscaler found the attackers were using 10 GitHub repositories to promote similar malicious websites.
The second campaign involved a fake website impersonating the DeBank DeFi portfolio tracker. Hidden prompts on the site told AI agents that the fake page was the legitimate DeBank platform. The website also used keyword stuffing and social media metadata to appear more trustworthy in search results.
Zscaler tested 26 large language models (LLMs) with an AI agent that could browse the web and make payments. Four models were successfully tricked into making a payment, while two models incorrectly identified the fake DeBank website as legitimate.
Zscaler warns that “as AI agents become a more common interface to the web, the content itself is going to become a larger attack surface, highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse.”