Active Exploitation Alert: Indirect Prompt Injection Attacks Target AI Agents to Facilitate Unauthorized Cryptocurrency Payments

Active Exploitation Alert: Indirect Prompt Injection Attacks Target AI Agents to Facilitate Unauthorized Cryptocurrency Payments

Executive Summary

Recent threat intelligence has revealed a critical and rapidly evolving attack vector: prompt injection attacks that trick AI agents into making unauthorized cryptocurrency payments. These attacks exploit the inherent trust AI agents place in external content, leveraging indirect prompt injection (IPI) techniques to embed malicious instructions within web pages, metadata, or other data sources. When AI agents with payment or transaction capabilities process this content, they can be manipulated into executing crypto transfers to attacker-controlled wallets. This report provides a comprehensive technical analysis of the attack methodology, threat actor tactics, real-world exploitation, victimology, and actionable mitigation strategies. The findings underscore the urgent need for organizations deploying AI-driven automation—especially those with financial or transactional privileges—to reassess their exposure and implement robust controls.

Threat Actor Profile

The primary threat actors behind these prompt injection campaigns are sophisticated cybercriminal groups with expertise in both AI exploitation and cryptocurrency fraud. These actors demonstrate advanced knowledge of AI agent architectures, prompt engineering, and web-based obfuscation techniques. They are opportunistic, targeting both individual developers and organizations that rely on AI agents for workflow automation, technical support, or financial transactions. The attackers leverage SEO poisoning, typosquatting, and social engineering to maximize the reach and credibility of their malicious infrastructure. Their operational sophistication is evident in their use of multi-layered obfuscation, dynamic content generation, and rapid adaptation to AI model updates and security controls.

Technical Analysis of Malware/TTPs

Prompt injection is a class of attacks where adversaries embed hidden or obfuscated instructions within content that is likely to be ingested by AI agents. In the context of cryptocurrency payment fraud, attackers use indirect prompt injection (IPI) to target AI agents that fetch and process external web content. The technical workflow is as follows:

Attackers create malicious websites that appear legitimate, often using typosquatting (e.g., py-lib-repository[.]dev instead of a real Python package repository) and SEO poisoning to rank highly for developer-centric queries. Within these sites, they embed prompt-style instructions in multiple layers: HTML body, JSON-LD metadata, Open Graph tags, and off-screen CSS elements (e.g., <div style="left: -9999px">). These instructions are invisible to human users but are parsed by AI agents that scrape or summarize web content.

A typical attack scenario involves the AI agent being tasked with resolving a technical error, such as a "MissingLicenseKeyException." The malicious site instructs the agent to purchase a fake API key for a nominal fee (e.g., $3.00 via Stripe) or to transfer a small amount of cryptocurrency (e.g., 0.0012 ETH) to a hardcoded wallet address. The site then generates a fake API key, completing the scam. In some cases, the prompt injection is encoded or obfuscated using techniques such as Morse code, Unicode homoglyphs, or base64, further evading detection by traditional security tools.

Zscaler ThreatLabz and other researchers have confirmed that multiple large language models (LLMs) and AI agents—including Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro—were susceptible to these attacks in controlled tests. The attack surface is amplified by the growing trend of integrating AI agents with payment APIs, smart contract interfaces, and workflow automation platforms.

Exploitation in the Wild

These prompt injection attacks are not theoretical. Zscaler and other security vendors have observed active exploitation in the wild, with confirmed cryptocurrency payments to attacker-controlled wallets. For example, the Ethereum address 0x691bc3793205e574fa7b4aa068e62c0e470ad267 has received multiple payments traced to these campaigns. Attackers have also targeted DeFi users by typosquatting legitimate platforms (e.g., debank[.]auction impersonating the real DeBank DeFi tracker) and embedding prompt injections that cause AI agents to misclassify the fraudulent site as legitimate.

The infrastructure supporting these attacks is extensive, with dozens of domains and associated GitHub repositories under the Open-Agent-Utilities umbrella. These repositories host fake API clients, compliance tools, and other utilities designed to lure both human and AI-driven traffic. The attackers continuously update their techniques, leveraging new obfuscation methods and adapting to changes in AI agent behavior.

Victimology and Targeting

The primary victims of these attacks are organizations and individuals who deploy AI agents with web access and transactional privileges. This includes software development teams using AI copilots, customer support bots with payment capabilities, and DeFi platforms integrating AI-driven automation. The attackers specifically target environments where AI agents are trusted to execute actions based on external content, such as purchasing licenses, resolving technical errors, or transferring funds.

Secondary victims include end-users who rely on AI-generated recommendations or summaries, as these can be manipulated to promote fraudulent sites or services. The campaigns have a global reach, with evidence of targeting across North America, Europe, and Asia-Pacific. The use of cryptocurrency as the payment vector enables rapid monetization and complicates attribution.

Mitigation and Countermeasures

To defend against prompt injection attacks targeting AI agents, organizations should implement a multi-layered security strategy. AI agents must treat all external content as untrusted and subject it to rigorous input validation and sanitization. Critical actions, such as payments or fund transfers, should require contextual cross-verification with known-good sources and, where possible, human-in-the-loop approval.

Security teams should monitor for indicators of compromise, including traffic to the domains and wallet addresses listed in this report. Regularly test AI agents against known prompt injection patterns and update guardrails to detect and block obfuscated or encoded instructions. Model hardening, including the use of adversarial testing and red teaming, is essential to identify and remediate vulnerabilities before they can be exploited in production.

Organizations should also educate developers and users about the risks of prompt injection and the importance of verifying the legitimacy of external content and payment requests. Collaboration with AI vendors and participation in threat intelligence sharing initiatives will further enhance collective defense.

References

Zscaler ThreatLabz: Indirect Prompt Injection in Web Content Targets AI Agents

Cequence AI: Encoded Prompt Injection: Why LLM Guardrails Fail

LinkedIn: Morse Code Tricked AI Agents into Wiring $175K in Crypto

GitHub: Open-Agent-Utilities

NVD: No CVE assigned as of June for these specific prompt injection attacks.

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify emerging threats and safeguard critical assets. For more information about our solutions or to discuss your organization’s risk posture, we are happy to answer questions at info@rescana.com.