Description

Cybercriminals are increasingly exploiting websites and online documentation to manipulate autonomous AI agents into sending cryptocurrency payments. Instead of attacking software directly, they hide misleading instructions inside structured metadata, webpage code, and search-optimized content. This indirect prompt injection approach combines SEO poisoning, JSON-LD manipulation, and concealed CSS elements to make fraudulent API documentation appear authentic. Fake pages claim developers must purchase inexpensive licenses to resolve imaginary software errors before receiving valid credentials. Because many AI agents treat structured metadata as trustworthy context, the embedded payment requests seem credible, encouraging automated workflows to transfer funds toward attacker-controlled cryptocurrency wallets without immediate suspicion. Attackers carefully conceal their malicious prompts from human visitors while ensuring automated systems can still detect them. Hidden HTML elements positioned off-screen repeat fabricated licensing instructions and encourage AI agents to complete a small payment before generating fake API keys. Another observed campaign relied on typosquatted domains impersonating a decentralized finance platform through manipulated titles, metadata, Open Graph tags, and JSON-LD records. Embedded prompts instructed AI models to regard the fraudulent website as authoritative while ignoring evidence of impersonation. This strategy increases the risk of retrieval-augmented generation contamination, allowing deceptive information to influence automated responses, recommendations, and decision-making processes across multiple environments. Researchers evaluated these techniques against numerous large language models and discovered that vulnerability differed considerably between systems. Several models completed cryptocurrency payment requests when exposed to manipulated webpages, while others successfully rejected them after receiving trusted reference sources for comparison. These findings demonstrate the importance of strengthening AI content-ingestion processes through source allowlists, metadata verification, schema validation, provenance scoring, and rigorous adversarial testing. Organizations should require explicit human approval before AI agents perform payments, credential submissions, or other irreversible actions. Strengthening verification practices and maintaining continuous oversight will reduce opportunities for hidden web instructions to manipulate autonomous systems into expensive mistakes, financial fraud, or broader security compromises.