
Zscaler ThreatLabz found two campaigns using hidden website text to trick AI agents into sending ETH to scam wallets. Four of 26 LLMs executed the payment. Here is what that means for traders using autonomous tools.
Security researchers at Zscaler ThreatLabz have documented two real-world campaigns where attackers embed hidden instructions on websites to manipulate AI agents into sending cryptocurrency payments. The attacks exploit a vulnerability class known as indirect prompt injection, and they work alarmingly well.
The Zscaler report, published July 2, describes how attackers use CSS to hide malicious text from human eyes while keeping it fully visible to large language models that parse webpage content. They also deploy JSON-LD structured data and SEO poisoning to make the pages appear legitimate and rank high in search results.
One campaign revolves around a fake Python library called "requests-secure-v2." When an AI agent visits the associated webpage, hidden instructions tell the agent to pay $3, framed as the cost of a developer API key. The payment, roughly 0.0012 ETH, goes to a hardcoded wallet address: 0x691bc3793205e574fa7b4aa068e62c0e470ad267.
The second campaign uses a typosquatted domain, debank[.]auction, designed to impersonate the legitimate DeFi platform DeBank. SEO-optimized structured data tricks AI agents into classifying the fake site as the real DeBank, potentially leading users to interact with a fraudulent platform.
Zscaler tested these techniques against 26 different large language models. For the first campaign, 4 out of 26 LLMs successfully executed the fraudulent payment. For the second, 2 out of 26 misclassified the typosquatted site as legitimate. Some variants of Llama and Gemini were particularly susceptible.
The attacks target any AI agent that can browse the web and take actions on behalf of a user – tools for automated trading, portfolio rebalancing, or smart-contract interaction. For a trader running an autonomous agent, the risk is real: a visit to a malicious site could drain ETH from a connected wallet without human approval, if the agent has permission to transact.
Mitigation starts with restricting agent permissions. An agent that can only read data, not sign transactions, is safer. Whitelisting trusted domains and blocking pages with hidden CSS instructions is another layer. The wallet address tied to the fake Python library is already flagged on blockchain explorers, so monitoring outgoing transactions to that address can catch exfiltration early.
These campaigns are active. The Zscaler researchers identified them in the wild and expect more as AI agents become common tools for crypto users. The method is not new – prompt injection has been documented for years – but the shift from theoretical risk to real theft is new. For now, the known wallet address gives defenders a concrete marker to block.
For more on the broader risks facing crypto markets, see crypto market analysis. Readers using Ethereum can check the Ethereum (ETH) profile for network data.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.