Hidden Web Prompts Trick AI Agents Into Sending Money

Pierluigi Paganini July 06, 2026

Hidden prompts on malicious websites trick AI agents into making payments or trusting fake sites, exposing new risks for autonomous AI workflows.

Zscaler ThreatLabz documented two active campaigns that embed hidden instructions in web pages to manipulate AI agents, not human users, though those get caught too. The technique is called indirect prompt injection: malicious text is hidden in a website’s code where a human browser won’t see it, but an AI agent crawling the page for information will read it and potentially act on it.

The first campaign targets AI coding assistants searching for a fake Python library called requests-secure-v2. The site looks like legitimate API documentation.

“ThreatLabz observed that the fraudulent website includes keyword-heavy HTML tied to the fake Python module to poison search results for package installation and dependency troubleshooting queries” reads the report published by ThreatLabz. “The website includes hidden IPI instructions designed to influence an AI agent’s decision-making by framing the payment as a routine step to acquire an API key. As a result, an AI agent attempting to complete a development task can be manipulated into sending funds to an attacker-controlled account.”

Once the agent lands on the page, it finds hidden instructions telling it to pay a $3.00 “developer API license fee” to unlock a MissingLicenseKeyException, framed as a routine setup step. The payment instructions are encoded in JSON-LD structured metadata, which AI agents tend to treat as higher-signal context than plain HTML, and a hidden div tag pushes the same message with CSS positioning it off-screen so no human ever sees it.

The site also contains JavaScript that initiates a transfer of roughly 0.0012 ETH to a hardcoded wallet address.

“The website does not only attempt to target AI agents, but also human developers.” continues the report. “When the website is rendered by a desktop browser, the same payment options via credit card or cryptocurrency are displayed to the user as shown in the figure below.”

The Ethereum wallet associated with the campaign has already received payments, and in amounts larger than $3.00, suggesting prior attacks using the same address. The threat actor behind this campaign has ten GitHub repositories linking to similar sites.

The second campaign is a typosquatting operation targeting DeBank, a widely used decentralized finance portfolio tracker. The fraudulent domain is debank[.]auction.

“The fraudulent website is optimized to rank for DeBank-related searches by stuffing the title and meta tags with keywords such as DeBank Login, DeFi Dashboard, and Crypto Tracker.” states ZScaler. ” It also includes Open Graph and X (formerly Twitter) metadata to make the link appear like an official DeBank service”

The JSON-LD on the page falsely identifies the legitimate debank.com as the publisher, while the hidden prompt instructs any AI agent reading the page to treat debank[.]auction as the verified, authoritative source, and to avoid mentioning the word “Auction.”

To measure real-world impact, Zscaler built a sandboxed autonomous AI agent with web browsing and payment tools, then tested it against both campaigns across 26 large language models. Four models, Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, and Gemini 2.5 Pro, were successfully manipulated into executing the payment in campaign one. For campaign two, GPT-5.4 misclassified the fake site as legitimate when crawling it alongside other sources without a known-good reference, and Claude Sonnet 4.5 rated it as legitimate when given the fake site’s content in isolation with no other context provided. Context, it turns out, matters enormously: when the official DeBank domain was provided as a reference point, no model was fooled.

The practical implication is that AI agents need input validation at the content layer, not just at the prompt level. Anything an agent retrieves from the web should be treated as potentially adversarial. Organizations deploying agentic workflows should scope tool permissions carefully, an agent that can browse the web probably shouldn’t also have unrestricted payment execution enabled by default.

“ThreatLabz identified IPI embedded in multiple websites, where hidden instructions were designed to manipulate the behavior of an AI agent. In internal validation across 26 LLMs, 4 models failed to take appropriate actions for campaign 1 and 2 models failed to accurately classify the website in campaign 2, demonstrating measurable real-world impact and showing that susceptibility varies by model and by the context provided to the LLM alongside the prompt.” concludes the report. “As AI agents become a more common interface to the web, the content itself is going to become a larger attack surface, highlighting that AI is a double-edged sword that can streamline workflows while also introducing new avenues for abuse.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, AI Agents)



you might also like

leave a comment