Indirect Prompt Injection Targets AI Agents | ThreatLabz
Zscaler ThreatLabz identified two campaigns leveraging Indirect Prompt Injection (IPI) to manipulate AI agents via malicious websites. The first campaign uses SEO poisoning and hidden IPI instructions on a fraudulent API documentation site to trick AI agents into sending cryptocurrency payments for a fake API key. The second campaign uses a typosquatting domain (debank.auction) with hidden prompt injection to misclassify the fraudulent site as the legitimate DeBank platform. Testing across 26 LLMs showed 4 models vulnerable to the payment scam and 2 models susceptible to misclassification, demonstrating measurable real-world impact that varies by model and context.
- domaindebank[.]auctionTyposquatting domain impersonating DeBank DeFi portfolio tracker; contains hidden IPI instructions to manipulate AI agents into classifying it as the authoritative DeBank source
- pypi_packagerequests-secure-v2Fake Python module name used as SEO poisoning bait in Campaign 1; fraudulent website impersonates API documentation for this non-existent package to lure AI agents and developers
Detection / Hunteropenrouter
What Happened
Security researchers discovered that malicious websites can trick AI assistants into following hidden instructions embedded in web pages. In one case, a fake website pretending to be documentation for a Python library contained hidden text instructing AI agents to pay for a fake API key using cryptocurrency. In another case, a fake website impersonating a cryptocurrency tracking service called DeBank used hidden text to convince AI assistants that the fraudulent site was the real DeBank platform. When researchers tested 26 different AI models, 4 were tricked into making payments and 2 incorrectly trusted the fake DeBank site. This matters because as more people use AI agents to browse the web and perform tasks, these hidden instructions could cause the AI to take harmful actions like sending money to scammers or recommending fraudulent websites. Organizations should evaluate their AI agent deployments for susceptibility to prompt injection and consider adding guardrails that verify trusted sources before executing financial transactions or making trust decisions.
Key Takeaways
- Two real-world IPI campaigns identified: a payment scam disguised as API documentation for a fake Python module and a typosquatting domain impersonating DeBank
- Attackers abuse JSON-LD structured data and CSS-hidden HTML div tags to embed malicious instructions invisible to humans but readable by AI agents and web crawlers
- 4 out of 26 LLMs (Llama 3.3 70B, Llama 3.2 90B Vision, Gemini 3 Flash, Gemini 2.5 Pro) were manipulated into executing cryptocurrency payments via IPI
- 2 out of 26 LLMs (GPT-5.4, Claude Sonnet 4.5) miscategorized the typosquatting domain as legitimate under certain context scenarios
- Threat actor maintains at least 10 GitHub repositories linking to similar IPI-enabled websites, indicating broader campaign infrastructure
Affected Systems
- AI agents with web browsing and tool-use capabilities
- Large Language Models including Llama 3.3 70B Instruct, Llama 3.2 90B Vision Instruct, Gemini 3 Flash, Gemini 2.5 Pro, GPT-5.4, Claude Sonnet 4.5
- Python development environments using AI-assisted package installation workflows
- DeBank DeFi portfolio tracker users
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Attacker creates fraudulent websites with SEO-optimized content and JSON-LD structured data to rank highly in search results for targeted queries
- Delivery: AI agent encounters malicious website during web browsing or search tasks (e.g., searching for Python package documentation or DeBank services)
- Injection: Hidden IPI instructions embedded in CSS-hidden div tags and JSON-LD metadata are ingested by the AI agent as page context
- Manipulation: AI agent follows injected instructions, overriding its original task objectives (e.g., treating payment as routine API key acquisition or accepting typosquatting domain as legitimate)
- Execution: For Campaign 1, AI agent initiates cryptocurrency transfer to attacker wallet; for Campaign 2, AI agent misclassifies fraudulent domain as trusted source
- Impact: Financial loss via fraudulent cryptocurrency payments or context contamination and RAG poisoning from misclassified malicious content
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules or queries are provided in the article. The blog is a research analysis describing IPI campaigns and LLM testing methodology without releasing signatures.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Low | The attack primarily targets AI agent reasoning via web content ingestion rather than traditional endpoint execution. EDR may capture browser or AI agent process activity but cannot inspect the semantic content of prompt injection within web pages. |
| Network Visibility | Medium | Network monitoring could detect connections to the typosquatting domain debank.auction and cryptocurrency wallet-related traffic, but the malicious instructions are embedded within otherwise normal HTTP responses. |
| Detection Difficulty | Hard | IPI content is embedded in standard HTML/CSS/JSON-LD that appears legitimate to traditional web filters. Detection requires semantic analysis of web content for prompt injection patterns, which is not supported by conventional security tooling. |
Required Log Sources
- Web proxy logs and DNS resolution logs
- AI agent application logs capturing tool invocations and LLM prompts/responses
- Browser DOM inspection or web content scanning logs
- Cryptocurrency transaction monitoring for known wallet addresses
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for web traffic to domains that impersonate legitimate services using typosquatting patterns, particularly in environments where AI agents perform autonomous web browsing | DNS resolution logs, web proxy logs, and AI agent browsing history logs | Initial Access | Medium — typosquatting detection may flag legitimate similarly-named domains |
| If you have visibility into AI agent tool-use logs, consider hunting for instances where the agent initiated cryptocurrency transactions or payment API calls that were not explicitly requested by the user | AI agent application logs, cryptocurrency wallet transaction logs, payment gateway API logs | Execution | Low — unsolicited payment initiation by an AI agent is inherently suspicious |
| Consider inspecting web content retrieved by AI agents for CSS-hidden elements positioned off-screen (e.g., left: -9999px) containing text instructions, as this is a common IPI concealment technique | Web content scanning logs, DOM analysis tools, or custom web proxy content inspection | Delivery | Medium — some legitimate websites use off-screen positioning for accessibility or UI purposes |
| If you monitor JSON-LD structured data in web pages fetched by AI agents, consider hunting for SoftwareApplication schema entries that include payment offers or license key requirements, which may indicate IPI attempts | Web content analysis logs, structured data extraction tools | Injection | Medium — legitimate software documentation sites may include similar structured data |
Control Gaps
- Traditional web filters and URL categorization cannot detect semantic prompt injection embedded in otherwise normal HTML content
- DNS blocking would not catch newly registered typosquatting domains before they are categorized
- EDR solutions lack visibility into AI agent reasoning and decision-making processes
- Standard DLP controls may not flag cryptocurrency transactions initiated by AI agents as anomalous
- SEO poisoning is difficult to prevent at the defender's edge since it manipulates search engine ranking algorithms
Key Behavioral Indicators
- AI agent initiating cryptocurrency transactions without explicit user instruction
- Web pages with CSS-hidden div elements positioned off-screen containing instruction-like text targeting LLMs
- JSON-LD structured data describing SoftwareApplication with embedded payment offers for API keys
- AI agent classifying a typosquatting domain as a legitimate service without verification against known-good references
- GitHub repositories linking to multiple websites with similar IPI patterns
False Positive Assessment
Medium — CSS-hidden content and JSON-LD structured data are common legitimate web development techniques; distinguishing malicious IPI from benign hidden UI elements requires semantic analysis. Typosquatting detection may also produce false positives for legitimately similar domain names.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the typosquatting domain debank.auction and the Ethereum wallet address 0x691bc3793205e574fa7b4aa068e62c0e470ad267 on relevant security controls if applicable to your environment.
- If your organization deploys AI agents with web browsing or tool-use capabilities, consider evaluating whether spending limits, transaction confirmation gates, or human-in-the-loop approval workflows are in place for financial actions.
- Consider reviewing any recent AI agent activity logs for interactions with the identified domains or cryptocurrency wallet address if such logging is available.
Infrastructure Hardening
- Evaluate whether your AI agent infrastructure supports content sanitization layers that strip or flag hidden HTML elements (e.g., off-screen positioned divs) before passing content to LLMs.
- Consider implementing allowlisting or known-good reference validation for AI agents that make trust decisions about web services, ensuring the agent cross-references against verified sources.
- If applicable, consider deploying web content analysis that inspects JSON-LD structured data for anomalous payment or license requirements before AI agent ingestion.
User Protection
- Consider adding the identified IOCs to blocklists in web proxies, DNS filters, and email security gateways where supported by your tooling.
- If your organization uses AI coding assistants or autonomous agents, consider evaluating whether they can be configured to require human confirmation before executing financial transactions or installing packages from unverified sources.
- Evaluate whether your endpoint protection can alert on cryptocurrency wallet software interactions with known malicious addresses.
Security Awareness
- Consider incorporating AI prompt injection awareness into existing security training programs, emphasizing that AI agents can be socially engineered similarly to human users.
- If your organization permits AI agent use, consider developing guidance for developers on verifying package authenticity through official registries rather than web search results.
- Consider educating teams that AI agents browsing the web may encounter hidden instructions designed to manipulate their behavior, and that human oversight is important for sensitive operations.
MITRE ATT&CK Mapping
Initial Access
Additional IOCs
- Other:
Open-Agent-Utilities- GitHub repository operated by the Campaign 1 threat actor; account contains at least 10 repositories linking to similar IPI-enabled websites targeting AI agents