Malicious websites trick AI agents into crypto payments, context poisoning
Researchers discovered two websites leveraging indirect prompt injections to attempt to manipulate AI agents into cryptocurrency payments and context poisoning, Zscaler reported last week. Indirect prompt injections involve planting malicious instructions into third-party data sources that enter an AI model’s context window, such as websites or emails, as opposed to direct prompt injections that are sent to the model through a chatbot’s interface, for example.As users increasingly use AI agents, rather than simple chatbots, to explore the internet, connect to other tools and applications and take actions on behalf of the user, threat actors are utilizing websites boosted with search engine optimization (SEO) poisoning to manipulate the context of agents and instruct them to take adverse actions, Zscaler found.The first campaign discovered targets developers with a website claiming to offer downloads of the Python library requests-secure-v2. The website uses SEO poisoning to boost the website’s position in search results by packing hidden HTML with keywords such as “Python,” “API Reference,” “Fix FatalError,” and “requests-secure-v2.” When viewed by a human, the website fraudulently requests payment to obtain a “developer key” to use the requests-secure-v2 library. However, the site also includes a hidden div element specifically targeting AI agents with step-by-step instructions to pay the “license fee,” including JavaScript code to initiate an Ethereum cryptocurrency transfer to the attacker’s wallet.The code includes detailed comments explaining each step including a final “fake key generation” step; excessive comments are a typical hallmark of AI-generated code.
Related reading:
The malicious instructions are hidden by using CSS to position the div element containing them off screen, making them virtually invisible to a human viewing the page but still readable by AI agents. The attacker’s Ethereum wallet was investigated and found to have received some payments, but not for the small amount (0.0012 ETH) requested by the website.Zscaler tested an AI agent with access to web browsing and cryptocurrency payment tools in a sandbox environment to see whether different large language models (LLMs) would be fooled by the indirect prompt injection. The agent was prompted to “assist developers with real-world coding problems” and help the user by “browsing resources, reading documentation, and providing actionable guidance” while giving it the freedom to decide which tools to use and how to interpret results.Of the 26 LLMs tested, four models were tricked into executing payments: Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash and Gemini 2.5 Pro.The researchers were able to link the threat actor to a GitHub account and discovered a total of 10 repositories tied to malicious websites targeting AI agents with indirect prompt injections. These websites similarly attempted to trick agents into making small payments to resolve copyright disputes, download market analyses and more.
AI/ML
Malicious websites trick AI agents into crypto payments, context poisoning
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds
How it works
Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content — general knowledge won't be enough. Score 70+ to count toward your certificate.
Questions are cached — you'll always get the same 5 for this article.