Prompt-injection scams trick AI agents into crypto payments
Zscaler found attackers used poisoned search results and hidden web prompts to trick AI agents into sending crypto payments and to impersonate DeBank.
Zscaler found threat actors embedding prompt-injection instructions in malicious websites and in search-result pages to trick AI agents into making cryptocurrency payments and to impersonate a DeFi portfolio tracker.
The company identified two campaigns. In the first, attackers created pages tied to a fake Python package named requests-secure-v2. The pages used keyword-heavy HTML to appear in searches for package installation and dependency troubleshooting. Hidden elements and schema markup on those pages instructed visiting AI agents to obtain an API key by making a payment. Zscaler discovered a concealed <div> that told agents to resolve an error by paying, plus code intended to initialize a cryptocurrency transfer to a hardcoded wallet. When rendered in a desktop browser, the same sites displayed visible payment options by credit card or cryptocurrency aimed at human developers. Zscaler found at least 10 GitHub repositories linking to multiple similar sites.
The second campaign used typosquatting to impersonate DeBank, a decentralized finance portfolio tracker. Fraudulent pages were optimized to rank for DeBank-related searches by stuffing title and meta tags with terms like DeBank Login, DeFi Dashboard and Crypto Tracker, and by adding Open Graph and X metadata to make links appear official. The pages also contained indirect prompts that instructed AI agents to treat the impersonating domain as the legitimate DeBank site.
To test impact, Zscaler built an autonomous agent with web-browsing and payment-execution capabilities and evaluated 26 large language models. Four models — Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash and Gemini 2.5 Pro — were manipulated into making a payment during testing. Two models, Claude Sonnet 4.5 and GPT-5.4, identified the impersonating site as the trusted DeBank platform.
With AI agents increasingly used to access web content, Zscaler warned that web content will become a larger attack surface and may create new avenues for abuse. The campaigns used schema tags, hidden HTML and manipulated search signals to influence automated decision-making and presented visible payment flows for human users while embedding covert instructions for agents.




