Security researchers at Zscaler ThreatLabz have documented two real-world campaigns where attackers embed hidden instructions in websites to manipulate AI agents into executing cryptocurrency transactions. The attacks exploit a vulnerability class known as indirect prompt injection, and they work alarmingly well.

How the attacks work

The Zscaler ThreatLabz report, published on July 2, details two distinct campaigns that target AI agents capable of browsing the web and taking actions on behalf of users.

The first campaign revolves around a fake Python library called “requests-secure-v2.” When an AI agent visits the associated webpage, hidden instructions embedded in the site’s content tell the agent to pay $3, framed as the cost of acquiring a developer API key. The payment, approximately 0.0012 ETH, gets directed to a hardcoded wallet address.

The attackers use CSS to hide the malicious instructions from human eyes while keeping them fully visible to AI models that parse the page’s underlying content. They also leverage JSON-LD structured data and SEO poisoning to make the page appear legitimate and rank well in search results.