Hidden Web Prompts Trick AI Agents Into Sending Money


Hidden Web Prompts Trick AI Agents Into Sending Money

Pierluigi Paganini
July 06, 2026

Hidden prompts on malicious websites trick AI agents into making payments or trusting fake sites, exposing new risks for autonomous AI workflows.

Zscaler ThreatLabz documented two active campaigns that embed hidden instructions in web pages to manipulate AI agents, not human users, though those get caught too. The technique is called indirect prompt injection: malicious text is hidden in a website’s code where a human browser won’t see it, but an AI agent crawling the page for information will read it and potentially act on it.

The first campaign targets AI coding assistants searching for a fake Python library called requests-secure-v2. The site looks like legitimate API documentation.

“ThreatLabz observed that the fraudulent website includes keyword-heavy HTML tied to the fake Python module to poison search results for package installation and dependency troubleshooting queries” reads the report published by ThreatLabz. “The website includes hidden IPI instructions designed to influence an AI agent’s decision-making by framing the payment as a routine step to acquire an API key. As a result, an AI agent attempting to complete a development task can be manipulated into sending funds to an attacker-controlled account.”

Once the agent lands on the page, it finds hidden instructions telling it to pay a $3.00 “developer API license fee” to unlock a MissingLicenseKeyException, framed as a routine setup step. The payment instructions are encoded in JSON-LD structured metadata, which AI agents tend to treat as higher-signal context than plain HTML, and a hidden div tag pushes the same message with CSS positioning it off-screen so no human ever sees it.

The site also contains JavaScript that initiates a transfer of roughly 0.0012 ETH to a hardcoded wallet address.

“The website does not only attempt to target AI agents, but also human developers.” continues the report. “When the website is rendered by a desktop browser, the same payment options via credit card or cryptocurrency are displayed to the user as shown in the figure below.”

The Ethereum wallet associated with the campaign has already received payments, and in amounts larger than $3.00, suggesting prior attacks using the same address. The threat actor behind this campaign has ten GitHub repositories linking to similar sites.

The second campaign is a typosquatting operation targeting DeBank, a widely used decentralized finance portfolio tracker. The fraudulent domain is debank[.]auction.

“The fraudulent website is optimized to rank for DeBank-related searches by stuffing the title and meta tags with keywords such as DeBank Login, DeFi Dashboard, and Crypto Tracker.” states ZScaler. ” It also includes Open Graph and X (formerly Twitter) metadata to make the link appear like an official DeBank service”

The JSON-LD on the page falsely identifies the legitimate debank.com as the publisher, while the hidden prompt instructs any AI agent reading the page to treat debank[.]auction as the verified, authoritative source, and to avoid mentioning the word “Auction.”

To measure real-world impact, Zscaler built a sandboxed autonomous AI agent with web browsing and payment tools, then tested it against both campaigns across 26 large language models. Four models, Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro, were successfully manipulated into executing the payment in campaign one. For campaign two, GPT-5.4 misclassified the fake site as legitimate when crawling it alongside other sources without a known-good reference, and Claude Sonnet 4.5 rated it as legitimate when given the fake site’s content in isolation with no other context provided. Context, it turns out, matters enormously: when the official DeBank domain was provided as a reference point, no model was fooled.

The practical implication is that AI agents need input validation at the content layer, not just at the prompt level. Anything an agent retrieves from the web should be treated as potentially adversarial. Organizations deploying agentic workflows should scope tool permissions carefully, an agent that can browse the web probably shouldn’t also have unrestricted payment execution enabled by default.

“ThreatLabz identified IPI embedded in multiple websites, where hidden instructions were designed to manipulate the behavior of an AI agent. In internal validation across 26 LLMs, 4 models failed to take appropriate actions for campaign 1 and 2 models failed to accurately classify the website in campaign 2, demonstrating measurable real-world impact and showing that susceptibility varies by model and by the context provided to the LLM alongside the prompt.” concludes the report. “As AI agents become a more common interface to the web, the content itself is going to become a larger attack surface, highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AI Agents)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


I reluctantly upgraded from my Pixel 4a in late 2024, which means I spent four years clinging to a phone that still felt like a phone. Part of that was the size. The Pixel 4a was small enough to use without performing thumb yoga, a disappearing luxury now that flagships have settled into pocket-tablet territory. That’s an argument for another day.

The uglier issue is what happened after I moved on. In January 2025, Google pushed an automatic Android 13 update to Pixel 4a phones. Google’s own support page says the update reduced available battery capacity and affected charging performance on some impacted devices. Reddit users were less polite. One r/Pixel4a post said the battery suddenly had “around 40% of its former capacity” after the patch.

For poor ol’ 4a, that was basically the death knell.

When an update becomes the problem

A dying battery is normal. A four-year-old phone needing service isn’t exactly a scandal. Batteries age, screens fail, ports loosen, and gravity remains undefeated.

This felt different. The phone didn’t simply get old in someone’s pocket. Its usable life changed after a company-controlled patch, and the owner was left to deal with the result. The Verge reported that the update was tied to overheating-risk mitigation and reduced charging capacity by more than 50% on affected units. Battery safety is real. It still doesn’t erase the experience of waking up to a phone that suddenly can’t survive the day.

That’s what update death looks like. Software doesn’t just support aging hardware anymore. It can also decide when that hardware becomes miserable to keep using.

When every patch feels haunted

My wife, who’s rocking an S24 Ultra, has a different version of the same dread. She keeps running into Reddit threads about Samsung Galaxy phones and the dreaded green line, that bright vertical scar that makes a screen look like it has been reassigned to a cyberpunk prop department. One r/S23 user wrote that a green line appeared on a carefully maintained phone after about a year and a half, then said Samsung service quoted a screen replacement because the warranty was over. Another Samsung Community post claimed a green-line issue appeared after an August update, with the display allegedly working perfectly before it.

Reddit isn’t a forensic lab with avatars. A green line can come from boring hardware failure, not corporate villainy with a release calendar. Still, the anxiety is real. People don’t only worry that an update will move a button or ruin a camera setting. They worry it might be the thing that nudges a working device from “old” to “not worth repairing.”

Modern gadgets are never fully handed over. They keep phoning home. They keep asking for patches. They keep depending on decisions made long after the receipt has faded. Ownership now comes with a quiet asterisk.

The graveyard got software updates

Planned obsolescence used to sound like tinfoil-hat consumer paranoia, which was convenient for everyone selling the new thing. Then regulators started writing it down in boring official language. In 2018, Italy’s competition authority fined Samsung and Apple after finding that software and firmware updates caused serious malfunctions, reduced performance, and sped up replacement of older phones. Samsung was fined €5 million, while Apple was fined €10 million.

Apple’s battery-throttling mess made the suspicion harder to laugh off. In the US, Apple agreed to a settlement of up to $500 million over claims that it slowed older iPhones, while a separate multistate settlement required Apple to pay $113 million over alleged misrepresentations around iPhone batteries and performance throttling. Consumers weren’t hallucinating the pattern. The receipts were scattered across court filings, regulatory decisions, and phones that suddenly felt older than they had the day before.

Europe seems less willing to accept “trust us” as a product-lifetime policy. New EU rules for smartphones and tablets started applying on June 20, 2025, covering durability, repairability, battery life, and software updates. New labels put some of that lifespan math in front of shoppers before checkout.

The post-warranty graveyard used to be easy to recognize: cracked screens, swollen batteries, and charging ports full of pocket lint. Now the graveyard has paperwork, compatibility warnings, and software that slowly stops cooperating. The gadget can still turn on. It can still look fine on a desk. Then one day the company changes what “usable” means, and the thing you paid for starts practicing being trash.



Source link