LIVE FEED
FIRST LOOK First Look: Tencent Releases Hy3 295B MoE Open-Source Model with 256K Context // FIRST LOOK First Look: NVIDIA and Hugging Face Integrate GR00T 1.7 into LeRobot Open Robotics … // FIRST LOOK First Look: AWS Launches Multi-Turn RL Infrastructure for Amazon Nova on SageMaker … // FIRST LOOK First Look: OfficeCLI Ships Open-Source Microsoft Office Automation Suite for AI Agents // HIGH Indirect Prompt Injections Weaponised to Drain Crypto via AI Agents // HIGH SkillCloak Bypasses AI Agent Skill Scanners with 90%+ Success Rate // HIGH Amazon Q VS Code Extension Flaw Enables Cloud Credential Theft via MCP // FIRST LOOK First Look: Chinese AI Firms Launch LLMs Rivalling US Frontier Models in Capability // CRITICAL LLM Agents Weaponised to Deliver Ransomware via Langflow Platform // HIGH Poisoned MCP Tool Descriptions Enable Silent Data Exfiltration via AI Agents //
ATLAS OWASP HIGH Significant risk · Prioritise patching RELEVANCE ▲ 8.5

Indirect Prompt Injections Weaponised to Drain Crypto via AI Agents

TL;DR HIGH
  • What happened: Malicious websites embed hidden prompt injections to hijack AI agents into making unauthorised crypto payments.
  • Who's at risk: Organisations and individuals deploying autonomous AI agents with web-browsing capabilities and access to crypto wallets or payment APIs are directly exposed.
  • Act now: Enforce strict human-in-the-loop approval for any AI agent-initiated financial transactions · Sandbox AI agent browsing environments to prevent untrusted web content influencing action pipelines · Audit all AI agent tool permissions and revoke unnecessary access to payment or wallet APIs
Indirect Prompt Injections Weaponised to Drain Crypto via AI Agents

Overview

Researchers have uncovered two active campaigns leveraging indirect prompt injection attacks against autonomous AI agents to coerce them into executing cryptocurrency payments without user authorisation. The attacks embed malicious instructions within web content that AI agents encounter during browsing tasks, effectively hijacking agent behaviour at the point of content ingestion. This marks a significant escalation in the practical threat posed by prompt injection — moving beyond data exfiltration or misinformation into direct, financially damaging action.

As agentic AI deployments proliferate — with LLM-powered systems increasingly granted access to wallets, APIs, and real-world tooling — the attack surface for this class of exploit expands rapidly.

Technical Analysis

Indirect prompt injection differs from direct injection in that the attacker does not interact with the model directly. Instead, malicious instructions are embedded in third-party content — in this case, websites — that an AI agent retrieves and processes as part of a legitimate task.

When the agent browses a malicious page, the hidden payload (often concealed in HTML comments, invisible text, or metadata) is parsed by the LLM as part of its context window. The injected instructions override or augment the agent’s original directives, instructing it to initiate a crypto transfer to an attacker-controlled wallet address.

Two distinct campaigns were observed, suggesting either different threat actors or deliberate variation in delivery mechanism to test detection evasion. The campaigns exploited the inherent trust AI agents place in retrieved web content when it enters the context window without sanitisation or privilege separation.

Framework Mapping

MITRE ATLAS:

  • AML.T0051 – LLM Prompt Injection: Core technique; indirect injection via adversarial web content.
  • AML.T0043 – Craft Adversarial Data: Attackers deliberately crafted web content to manipulate agent reasoning.
  • AML.T0047 – ML-Enabled Product or Service: The targeted systems are production agentic AI deployments with real-world tool access.

OWASP LLM Top 10:

  • LLM01 – Prompt Injection: Direct classification of the attack vector.
  • LLM08 – Excessive Agency: Agents with payment capabilities acting on unverified instructions exemplify this risk.
  • LLM02 – Insecure Output Handling: Downstream execution of injected commands without validation.

Impact Assessment

The immediate financial impact is the most concrete harm: funds transferred to attacker wallets are typically unrecoverable given the irreversible nature of blockchain transactions. Beyond direct theft, these campaigns demonstrate proof-of-concept for a broader class of agentic compromise — any tool-enabled AI agent (email senders, API callers, code executors) is potentially susceptible to equivalent redirection attacks.

Organisations trialling agentic AI for finance, operations, or customer service automation face the highest near-term exposure. Consumer-facing AI assistants with payment integrations represent a secondary risk surface.

Mitigation & Recommendations

  1. Require explicit human approval for all financial actions initiated by AI agents, regardless of apparent legitimacy.
  2. Implement content sanitisation pipelines that strip or flag potentially injected instructions from retrieved web content before LLM processing.
  3. Apply least-privilege principles to agent tool access — revoke payment and wallet API permissions unless operationally essential.
  4. Use prompt privilege separation techniques to distinguish between trusted system instructions and untrusted external content.
  5. Monitor agent action logs for anomalous or unexpected transaction attempts and establish alerting thresholds.
  6. Red-team agentic deployments specifically against indirect injection scenarios before production release.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.