Hidden Web Prompts Trick AI Agents Into Sending Money


Hidden Web Prompts Trick AI Agents Into Sending Money

Pierluigi Paganini
July 06, 2026

Hidden prompts on malicious websites trick AI agents into making payments or trusting fake sites, exposing new risks for autonomous AI workflows.

Zscaler ThreatLabz documented two active campaigns that embed hidden instructions in web pages to manipulate AI agents, not human users, though those get caught too. The technique is called indirect prompt injection: malicious text is hidden in a website’s code where a human browser won’t see it, but an AI agent crawling the page for information will read it and potentially act on it.

The first campaign targets AI coding assistants searching for a fake Python library called requests-secure-v2. The site looks like legitimate API documentation.

“ThreatLabz observed that the fraudulent website includes keyword-heavy HTML tied to the fake Python module to poison search results for package installation and dependency troubleshooting queries” reads the report published by ThreatLabz. “The website includes hidden IPI instructions designed to influence an AI agent’s decision-making by framing the payment as a routine step to acquire an API key. As a result, an AI agent attempting to complete a development task can be manipulated into sending funds to an attacker-controlled account.”

Once the agent lands on the page, it finds hidden instructions telling it to pay a $3.00 “developer API license fee” to unlock a MissingLicenseKeyException, framed as a routine setup step. The payment instructions are encoded in JSON-LD structured metadata, which AI agents tend to treat as higher-signal context than plain HTML, and a hidden div tag pushes the same message with CSS positioning it off-screen so no human ever sees it.

The site also contains JavaScript that initiates a transfer of roughly 0.0012 ETH to a hardcoded wallet address.

“The website does not only attempt to target AI agents, but also human developers.” continues the report. “When the website is rendered by a desktop browser, the same payment options via credit card or cryptocurrency are displayed to the user as shown in the figure below.”

The Ethereum wallet associated with the campaign has already received payments, and in amounts larger than $3.00, suggesting prior attacks using the same address. The threat actor behind this campaign has ten GitHub repositories linking to similar sites.

The second campaign is a typosquatting operation targeting DeBank, a widely used decentralized finance portfolio tracker. The fraudulent domain is debank[.]auction.

“The fraudulent website is optimized to rank for DeBank-related searches by stuffing the title and meta tags with keywords such as DeBank Login, DeFi Dashboard, and Crypto Tracker.” states ZScaler. ” It also includes Open Graph and X (formerly Twitter) metadata to make the link appear like an official DeBank service”

The JSON-LD on the page falsely identifies the legitimate debank.com as the publisher, while the hidden prompt instructs any AI agent reading the page to treat debank[.]auction as the verified, authoritative source, and to avoid mentioning the word “Auction.”

To measure real-world impact, Zscaler built a sandboxed autonomous AI agent with web browsing and payment tools, then tested it against both campaigns across 26 large language models. Four models, Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro, were successfully manipulated into executing the payment in campaign one. For campaign two, GPT-5.4 misclassified the fake site as legitimate when crawling it alongside other sources without a known-good reference, and Claude Sonnet 4.5 rated it as legitimate when given the fake site’s content in isolation with no other context provided. Context, it turns out, matters enormously: when the official DeBank domain was provided as a reference point, no model was fooled.

The practical implication is that AI agents need input validation at the content layer, not just at the prompt level. Anything an agent retrieves from the web should be treated as potentially adversarial. Organizations deploying agentic workflows should scope tool permissions carefully, an agent that can browse the web probably shouldn’t also have unrestricted payment execution enabled by default.

“ThreatLabz identified IPI embedded in multiple websites, where hidden instructions were designed to manipulate the behavior of an AI agent. In internal validation across 26 LLMs, 4 models failed to take appropriate actions for campaign 1 and 2 models failed to accurately classify the website in campaign 2, demonstrating measurable real-world impact and showing that susceptibility varies by model and by the context provided to the LLM alongside the prompt.” concludes the report. “As AI agents become a more common interface to the web, the content itself is going to become a larger attack surface, highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AI Agents)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


1,000W, 10-port charger for $45... predictably disappointing.

1,000W, 10-port charger for $45… predictably disappointing. 

Adrian Kingsley-Hughes/ZDNET

Follow ZDNET: Add us as a preferred source on Google.


ZDNET’s key takeaways

  • Things that look “too good to be true” invariable are just that.
  • This example got dangerously hot in a short period of time before dying. 
  • There’s no legitimate charger that comes close to delivering on the 1,000W promise.

Being a tech reviewer for a living means that I get offered some very interesting things. Not interesting as in Bugatti supercars or jewel-encrusted Fabergé eggs, but interesting as in “this thing could easily be a fire hazard — want to take a look?”

Also: The best GaN chargers of 2026: Expert tested

Submissively, I often say yes. And I’m glad I did with the most recent pitch, because it was very interesting indeed.

Meet the “interesting” charger

This time around, the thing of interest was a charger that claimed to deliver an incredible 1,000W through its ten ports — four 140W USB-C ports, four 100W USB-C ports, and two 20W USB-A ports. 

The person who bought this charger told me that they’d plugged it in, used it to charge their phone for “a few minutes,” got worried when it became “a little hot,” and unplugged it.

That's a lot of promise... but (spoilers), they don't deliver!

That’s a lot of promise… but (spoilers), they don’t deliver!

Adrian Kingsley-Hughes/ZDNET

The unit was suspiciously light and plasticky, especially given its built-in power supply. Compare this to Ugreen’s Nexode 500W charger, which weighs a hair under 5 lb.

There was also a slight whiff of melty plastic, which made me think that this had been a bit more than a little hot. 

Also: This $4 router reboot timer is the cheap internet fix I didn’t know I needed – and it works reliably

Color me suspicious, but I had a gut feeling that the only way this charger would be able to push out 1,000W would be if it caught fire. 

Turns out I wasn’t far wrong.

How long would it last? Answer: Minutes

Talk is cheap. It was time to test the charger. 

So I plugged it in, turned it on, and started using it. Within a couple of minutes of starting to use it, I noticed a few things:

  • No matter what I tried, I couldn’t persuade the charger to deliver more than about 60W from any of the ports. 
  • As for peak output, I managed to get close to 250W.
  • The power output was very uneven and noisy, fluctuating wildly. The more ports I used, the worse it got.
  • The unit got very hot to the touch very quickly, even under light loads. 
  • But… before I could get the thermal camera out to check how hot it got, there was a pop and the unmistakable smell of “Magic Smoke.” The charger had been sent to Silicon Heaven within minutes.

Annnnd… POP! This is the moment the charger gave up the ghost.

Adrian Kingsley-Hughes/ZDNET

Diagnosis time

Time to take it apart and have a look inside. For an item that plugged into the mains power, this unit was shockingly easy to take apart. 

A thin sheet of easily removable plastic is a that separates curious hands from live AC power.

A thin sheet of easily removable plastic is a that separates curious hands from live AC power.

Adrian Kingsley-Hughes/ZDNET

And even unplugged and broken, it was capable of delivering zaps! If the case came off while this was plugged into an outlet, it could very easily be deadly.

There’s charge still in some of the capacitors, and these could deliver quite a zap despite the unit being broken and unplugged!

Adrian Kingsley-Hughes/ZDNET

After getting inside, the unit was filled with a grey goo that I’d seen in a previous disappointing charger I’d taken apart. This is a thermal paste that’s used to try to dissipate the heat generated by the components. 

It’s not really going to work because it’s sealed in a plastic box with no effective heatsink. It’s a token gesture at best. At worst, it creates a mass that’ll slowly heat up and hold temperature because it’s got no way to get rid of it.

Behold the grey goo!

Adrian Kingsley-Hughes/ZDNET

Next to this goo was a bank of capacitors — the black cylinders in the photo — which were the cause of the failure. They’d clearly overheated, with three of them showing signs of bulging.

The problem!

Adrian Kingsley-Hughes/ZDNET

Well there’s the problem!

I also noticed that two of the components — bridge rectifiers that are used to turn AC mains into DC — have been fixed on an angle to make the touch a metal heatsink. It’s not really an effective way to cool down components.

The bottom line

Another “too good to be true” device bites the dust. It’s not the first one I’ve come across, and it won’t be the last.

Moral of the story here is that manufactures are using big number marketing — in this case 1,000W and masses of ports — to scalewash poor quality products. 

This might be a half-decent product if it was built to deliver 100W, but there’s no end of competition at that end of the market. Silkscreen “1,000W” on the outside, sprinkle in a few reviews that feel scripted and fake, and all of a sudden it’s interesting and exciting… right up until it blows up. 

Also: My top 7 laptop-bag essentials now, after decades of remote work

I know of no 1,000W charger. In fact, the 500W Ugreen Nexode is the highest-power charger that I’ve tested that’s legit. And the price is also legit — $250. 

But it’s built to deliver on what it promises and is packed with safety features, including “tip-over protection,” which cuts the output when the unit tips over and prevents it from falling on its side, where it can’t dissipate heat effectively. Now that’s an attention to safety that I like to see in a product that handles that much power. 

But if you want 1,000W of output, you’ll have to buy two and duct tape them together.





Source link