Vulnerability  ·  2026-07-07

Prompt Injection Campaigns Trick Browsing AI Agents Into Sending Cryptocurrency Payments

VulnerabilityMedium impactGlobal
Zscaler ThreatLabz identified two live indirect-prompt-injection campaigns targeting web-browsing AI agents: one uses SEO-poisoned fake package documentation to trick agents into paying for a bogus API key, the other typosquats the DeBank DeFi platform to gain agent trust. In controlled testing, several production LLMs autonomously executed the embedded payment instructions or trusted the fraudulent site.
This is one of the first documented cases of prompt injection converted directly into financial loss via autonomous AI-agent payment execution, demonstrating that public web content and search rankings are now a practical attack surface for AI agents with real-world purchasing/payment authority — a novel and directly monetizable agentic attack class distinct from previously-seen data-exfiltration or RCE-focused prompt injection.
Threat actors embed indirect prompt injections in hidden HTML, Schema.org PaymentRequest markup, and SEO-poisoned fake documentation (e.g. for a typosquatted Python package 'requests-secure-v2') and a typosquatted DeFi site impersonating DeBank (debank[.]auction). When an AI agent with browsing/payment capability visits these pages, it parses the hidden structured data as instructions and autonomously executes a cryptocurrency payment to an attacker-controlled wallet, or misclassifies the fraudulent site as legitimate.
Browsing-capable autonomous AI agents integrating multiple commercial and open-weight LLMs (26 models tested)
Restrict AI agents' ability to execute payments autonomously without human approval; validate content sources before acting on structured data; treat Schema.org/structured markup as untrusted data rather than instructions; monitor for known IOCs (Zscaler-published domains, GitHub account 'Open-Agent-Utilities', associated Ethereum wallet).
SecurityWeekSecurity Affairs
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →