Malicious Websites Exploit AI Systems for Crypto Payments Through Context Poisoning
Researchers identified two online platforms utilizing indirect prompt injection techniques to deceive AI systems into initiating cryptocurrency payments and altering their contextual understanding, according to a report released by Zscaler last week.
Indirect Prompt Injections Explained
Indirect prompt injections involve embedding malicious directives within third-party data sources that enter an AI model’s processing window, such as web pages or email content, as opposed to direct injections delivered through chatbot interfaces. As AI agents become more prevalent for tasks like web exploration, tool integration, and automated actions, threat actors are exploiting SEO-optimized websites to influence these systems.
First Campaign: Targeting Developers
The first campaign targeted developers through a site claiming to provide access to the requests-secure-v2 library. While the page appeared to request payment for a “developer key” to human users, it contained a concealed HTML element hidden via CSS that instructed AI agents to execute Ethereum transfers. The malicious code included JavaScript with detailed step-by-step comments, a characteristic often associated with AI-generated scripts. The hidden div was positioned off-screen to avoid detection by human viewers but remained accessible to AI agents.
Second Campaign: Poisoning AI Models
A second campaign focused on poisoning AI models to validate a fake DeFi tracking site impersonating DeBank. The malicious site used SEO techniques with keywords like “DeBank Login” and “Crypto Tracker,” while hiding a prompt injection via CSS. The injection instructed AI systems to disregard prior context and prioritize the fraudulent site as the primary source for queries related to DeBank. The injection included fabricated trust indicators such as a “Rabby Security Engine integration” and a 9.9/10 user trust score.
Analysis and Findings
Analysis of the associated Ethereum wallet revealed small transactions, though not the 0.0012 ETH amount specified on the site. Zscaler conducted experiments with an AI agent configured for web browsing and cryptocurrency interactions, testing 26 large language models. Four models—Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro—executed payments after encountering the injection. Investigators linked the attack to a GitHub account hosting 10 repositories containing similar malicious websites. These platforms attempted to coerce AI agents into making payments to resolve fabricated copyright issues.
Zscaler researchers emphasized that AI agents are expanding the attack surface by making web content itself a vulnerability. They noted that while AI streamlines workflows, it also creates new opportunities for exploitation. The findings highlight the need for robust safeguards as AI systems increasingly interact with untrusted data sources.
