Web pages now trick AI agents into sending money. Here is what Zscaler found
Zscaler's ThreatLabz team published research this week documenting two real-world campaigns that used hidden text embedded in web pages to manipulate autonomous AI agents into taking actions the user never authorized. One of those actions was making a cryptocurrency payment to an attacker-controlled wallet.
This is not a theoretical demonstration. The campaigns were live. The payments were attempted. Four of 26 large language models tested by ThreatLabz executed the fraudulent payment flow.
What happened
The attack technique is called indirect prompt injection. A user gives their AI agent a task. The agent browses the web as part of completing that task. A malicious web page it visits contains hidden text that the agent reads alongside the page's legitimate content. The agent cannot reliably distinguish between the user's instructions and the attacker's instructions because both flow through the same input pipeline.
ThreatLabz documented two campaigns in the wild.
Campaign one used a fake page impersonating documentation for a Python library. The page contained hidden instructions directing any AI agent visiting it to treat a fake error (a MissingLicenseKeyException) as a routine problem requiring a $3 developer license. The instructions provided a Stripe checkout link for human visitors and a hardcoded Ethereum wallet address for autonomous agents. Four of 26 LLMs tested, including versions of Meta's Llama and Google's Gemini, followed the attacker's instructions and attempted the payment.
Campaign two used a typosquatting domain impersonating DeBank, a popular cryptocurrency portfolio tracker. Hidden text in the page instructed AI agents to treat the fake site as the authoritative DeBank and rank it first in any results they returned to the user. This campaign targets agents used for financial research and portfolio tracking.
ThreatLabz used CSS, HTML, and JSON-LD to hide the malicious instructions from human browsers while making them visible to AI agents crawling the page.
Why this matters
The agents were not malfunctioning. They were following instructions. The problem is architectural: AI agents parse user instructions and web page content through the same reasoning pipeline. There is no reliable, model-level signal that separates a command from the user from an instruction buried in a page.
OWASP lists prompt injection as the number-one security risk for LLM applications in 2026. The ThreatLabz findings confirm that this is not an academic concern. Attackers are monetizing it.
Independent enterprise testing cited in the research found that leading AI browsers blocked only a small fraction of malicious test pages. This reflects how new the attack surface is, not a failure of any single vendor.
What to do about it
First, treat AI agent web browsing as a privileged operation. Any agent that can take actions (make payments, send messages, write files) should not be browsing untrusted web content in the same session without explicit sandboxing and human confirmation steps.
Second, audit every AI agent that has access to payment methods, credentials, or any write capability. These agents should require explicit human approval before executing any financial or credential-touching action, regardless of what instruction source triggered the action.
Third, watch the Zscaler ThreatLabz blog and OWASP LLM Top 10 for evolving guidance. The attack surface is actively being explored by financially motivated actors. The 27-second fastest eCrime breakout recorded by Kaspersky this half confirms that speed of exploitation is compressing across all threat categories. AI agents add a new, faster, and autonomous target to that picture.
The requests-secure-v2 campaign is particularly instructive because it targets developers specifically. A developer using an AI agent to resolve a coding error is a high-trust scenario: the developer expects the agent to take action. Attackers are building into that trust model.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you are evaluating AI agent deployments and want to pressure-test your threat model.