News
Fake Websites Trick AI Agents Into Paying Hackers

Zscaler ThreatLabz researchers uncovered two campaigns in which hidden instructions on web pages coax autonomous AI agents into making cryptocurrency payments or treating fake services as legitimate. Tests fooled models including Gemini 2.5 Pro, GPT-5.4, and Claude Sonnet 4.5.
Zscaler published a description on July 2 of two active campaigns in which criminals hide instructions inside web page content so that only AI agents crawling the web can see them, not humans. The goal is simple: get an autonomous agent to make a payment or treat a fake site as trustworthy.
The technique is called indirect prompt injection. In a classic attack of this type, the attacker places the command directly in the conversation with the model. Here, the instruction waits patiently on a web page until it is visited by an AI agent carrying out some task online, for example searching for programming library documentation or checking the legitimacy of a financial service.
How the Hidden Trap Works
In the first campaign, the intended victim is a developer, or rather a coding agent searching on their behalf for information about a package called requests-secure-v2. The page with the fake documentation looks like hundreds of other API pages, but contains text invisible to humans instructing the model to pay a small amount of cryptocurrency to a specific Ethereum wallet address as part of a supposed verification step.
The second campaign targets users looking for information about DeBank, a popular DeFi wallet tracking tool. The site debank.auction was optimized for phrases such as DeBank Login, DeBank App, and Is DeBank safe, so that it would rank high in search results and so that AI agents assessing site credibility would mistake it for the original.
AI agents are vulnerable to attacks similar to those that work on humans - Zscaler ThreatLabz researchers
Scale of the Problem
Zscaler tested susceptibility to the first campaign across 26 different language models, simulating an autonomous agent with browser access and the ability to make payments. Four models were convinced to pay, including two variants from the Llama family and two versions of Gemini. In the second scenario, involving the fake DeBank site, GPT-5.4 and Claude Sonnet 4.5 were fooled, though in this case the issue was misjudging the site's credibility rather than making a direct payment.
The researchers note that context matters enormously. When the agent was given the real DeBank site as a point of reference at the same time, none of the tested models were fooled. The problem arises mainly when an agent encounters the fake site in isolation, without the ability to compare it against a trusted source.
Why It Matters for Businesses
As coding agents and shopping assistants that independently browse the web and make financial decisions grow more popular, the attack surface is expanding. Companies deploying AI agents with access to cryptocurrency wallets, payment cards, or permissions to install software packages should treat every page an agent visits as potentially hostile, the same way unknown email attachments are treated.
Zscaler notes that the criminal behind the requests-secure-v2 campaign alone maintains at least 10 GitHub repositories with similar malicious pages, suggesting operation at scale rather than a one-off experiment. It is the latest in a string of vulnerabilities discovered in AI agent-based tools in recent weeks, alongside previously reported flaws in coding assistants.
For Polish companies deploying AI agents to handle orders, purchasing, or IT process automation, this means limiting agents' independent payment permissions and enforcing source verification through trusted domain lists, rather than relying solely on the language model's own judgment.
Sources: Indirect Prompt Injection in Web Content Targets AI Agents (zscaler.com), Hidden Web Prompts Trick AI Agents Into Sending Money (securityaffairs.com)