[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqrhmqlPjllm2iv1e7s532UF8NfTuXyu4EBxp7UBxlL8":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"3ed0f2b4-bb39-4672-9d3f-40639963a369","Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments","prompt-injection-attacks-trick-ai-agents-into-making-crypto-payments-679505","Researchers uncovered two campaigns embedding indirect prompt injections in malicious websites to exploit autonomous AI agents browsing the web. The post Prompt Injection Attacks Trick AI Agents Into Making Crypto Payments appeared first on SecurityWeek.","Threat actors are exploiting autonomous AI agents through indirect prompt injection attacks on malicious websites and manipulated search results. Two campaigns identified by Zscaler involve a payment scam hidden within API documentation and a typosquatting operation impersonating the DeBank crypto platform. Researchers successfully manipulated several LLMs into making crypto payments or misidentifying fraudulent sites as legitimate.","AI agents tricked into crypto payments via prompt injection on malicious websites.","Threat actors are using prompt injection attacks embedded in malicious websites and manipulated search results to trick AI agents into making payments or trusting fraudulent cryptocurrency platforms. Zscaler says it identified two campaigns relying on indirect prompt injection, including a payment scam hiding behind API documentation, and a typosquatting operation promoting a crypto platform that impersonates DeBank. As part of the first campaign, the threat actor has been using SEO poisoning to target AI agents searching for the Python library requests-secure-v2. “The fraudulent website includes keyword-heavy HTML tied to the fake Python module to poison search results for package installation and dependency troubleshooting queries,” Zscaler explains. Within the website, the attackers hid indirect prompts instructing the visiting agents to make a payment as part of the routine process of acquiring an API key. The payment was encoded in schema markup to increase the chances that the agents would follow the instructions. A hidden \u003Cdiv> tag instructing AI agents to resolve an error by making the payment was also discovered on the website, as well as code to initialize a cryptocurrency transfer to a hardcoded wallet.Advertisement. Scroll to continue reading. “The website not only attempts to target AI agents, but also human developers. When the website is rendered by a desktop browser, the same payment options via credit card or cryptocurrency are displayed to the user,” Zscaler explains. The threat actor behind the campaign is using 10 GitHub repositories linking to multiple similar websites containing indirect prompt injections. As part of the second campaign, a threat actor is promoting a fraudulent website typosquatting the decentralized finance portfolio tracker DeBank. The indirect prompts used in this campaign tell the AI agents that the impersonating website is the legitimate DeBank domain. “The fraudulent website is optimized to rank for DeBank-related searches by stuffing the title and meta tags with keywords such as DeBank Login, DeFi Dashboard, and Crypto Tracker. It also includes Open Graph and X (formerly Twitter) metadata to make the link appear like an official DeBank service,” Zscaler notes. To test the campaigns’ impact, the cybersecurity firm built an autonomous AI agent with web-browsing and payment-execution capabilities. Of the 26 LLMs that were evaluated, four (Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro) were successfully manipulated into making a payment. Still, only two (Claude Sonnet 4.5 and GPT-5.4) miscategorized the fraudulent website as the trusted DeBank platform. “As AI agents become a more common interface to the web, the content itself is going to become a larger attack surface, highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse,” Zscaler notes. Related: Agentic AI Used to Conduct Ransomware Attack via Langflow Related: Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution Related: How to Conduct a Successful Audit of AI-Driven Software Development Related: ‘BioShocking’ Attack Tricks AI Browsers Into Stealing Credentials Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire FortiBleed Campaign Linked to INC, Lynx Ransomware AttacksCisco Confirms In-the-Wild Exploitation of Unified CM Vulnerability‘BioShocking’ Attack Tricks AI Browsers Into Stealing CredentialsCISA Warns of Actively Exploited Microsoft SharePoint VulnerabilityMicrosoft Adds New Teams Controls to Block Unauthorized AI Bots From MeetingsAdobe Patches Critical ColdFusion, Campaign Classic VulnerabilitiesCitrix Patches NetScaler Vulnerabilities, Including New ‘HTTP\u002F2 Bomb’ AttackApple Patches Dozens of Vulnerabilities Across iOS, macOS, and Safari Latest News In Other News: Canadian Hacker Jailed, Open Source Zero-Days, Two Sentenced for ATM JackpottingAgentic AI Used to Conduct Ransomware Attack via LangflowMedtronic Data Breach Impacts 3.8 Million PeopleAlleged Scattered Spider Hacker Extradited to USGoogle, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of DevicesCritical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code ExecutionNew CitrixBleed Vulnerability Exploited Immediately After Public DisclosureHow to Conduct a Successful Audit of AI-Driven Software Development Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveJames Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.Rafal Los has joined Binary Defense as Chief Strategy Officer.Tracey Mustacchio has joined Everfox as Chief Marketing Officer.More People On The MoveExpert Insights How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email","https:\u002F\u002Fwww.securityweek.com\u002Fprompt-injection-attacks-trick-ai-agents-into-making-crypto-payments\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2023\u002F01\u002FCybersecurity_News-SecurityWeek.jpg","2026-07-06T11:19:47+00:00","2026-07-06T12:00:20.034314+00:00",8,[18,21,23,25,27,29],{"name":19,"type":20},"Llama 3.3 70B Instruct","product",{"name":22,"type":20},"Llama 3.2 90B Vision Instruct",{"name":24,"type":20},"Gemini 3 Flash",{"name":26,"type":20},"Gemini 2.5 Pro",{"name":28,"type":20},"Claude Sonnet 4.5",{"name":30,"type":20},"GPT-5.4","839da5c1-3c34-47e2-9499-f7201640e3ac",{"id":31,"icon":33,"name":34,"slug":35},null,"AI Security","ai-security",[37,42,44,49],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":43},{"id":31,"icon":33,"name":34,"slug":35},{"category":45},{"id":46,"icon":33,"name":47,"slug":48},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":50},{"id":51,"icon":33,"name":52,"slug":53},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[55],{"type":48,"value":56,"context":57},"requests-secure-v2","Fake Python module used in SEO poisoning campaign."]