Recent research has revealed a concerning trend where attackers are embedding hidden instructions within websites, aiming to manipulate AI agents. This phenomenon, described by Zscaler’s ThreatLabz, employs a technique known as indirect prompt injection. This strategy involves implanting directives in web content that AI systems are trained to read, effectively steering their behavior in unintended ways.
The investigation highlighted two distinct real-world campaigns that exemplified this malicious tactic. One campaign masqueraded as legitimate software documentation to execute a payment scam, while the other imitated a well-known cryptocurrency service.
### Hidden Instructions in Plain Sight
In both instances, the attackers utilized a method known as SEO (Search Engine Optimization) poisoning, enhancing their sites’ visibility in search results. This significant visibility increases the likelihood that an AI agent may encounter these harmful sites. Once the sites gained traction in search rankings, the attackers embedded prompt-style instructions in web pages in ways that would remain invisible to human users. They accomplished this by employing CSS (Cascading Style Sheets) to conceal text off-screen or by incorporating instructions into JSON-LD metadata, a format that machines tend to interpret as trustworthy context.
The first campaign involved a counterfeit page masquerading as the documentation for a Python library. This deceptive page communicated to any AI agent engaged in programming tasks that it must purchase a $3 API license key to resolve a specified error. Subsequently, it guided the agent through a process of sending funds to the attacker’s cryptocurrency wallet in exchange for the false license key. Furthermore, Zscaler indicated that this same fraudulent website also attempted to deceive human developers, demonstrating the multifaceted nature of the scam.
For further insights, resources such as Infosecurity Magazine provided coverage of the various prompt injection payloads operating in the wild, detailing how pervasive and dangerous these tactics have become.
### Assessing the Impact on AI Models
In the second campaign, the perpetrators leveraged a typosquatting domain that impersonated DeBank, a recognized cryptocurrency portfolio tracker. Similar to the first campaign, hidden text was embedded within the site, instructing AI agents to recognize the fake site as the “authoritative” source for DeBank and consequently rank it higher in results. To evaluate the risks associated with this kind of manipulation, ThreatLabz deployed its own autonomous agent across 26 different large language models (LLMs).
The results of this extensive testing were alarming; four out of the 26 models fell victim to the fraudulent scheme, executing the unauthorized payment transactions successfully. Models from Meta’s Llama and Google’s Gemini were among those manipulated. In a subsequent assessment, two other models—OpenAI’s GPT-5.4 and Anthropic’s Claude Sonnet 4.5—misclassified the fraudulent site as legitimate. However, this misclassification only occurred when the models lacked a trusted reference for the actual DeBank site. When provided with the authentic site for comparison, all models were able to correctly identify the impostor.
Zscaler’s findings indicate that the susceptibility of AI systems to such manipulative tactics varies significantly based on the specific language model in use and the context available to it. This variation calls attention to the challenges recurring in the security landscape surrounding AI technologies.
“As AI agents increasingly serve as gateways to the vast expanse of the internet, the content they engage with becomes a more prominent attack vector,” Zscaler cautioned. “This reality underscores that while AI can dramatically improve efficiencies and streamline workflows, it simultaneously opens the door to new forms of exploitation.”
The implications of this research are far-reaching, highlighting a burgeoning threat in the intersection of AI technology and web content. As malicious tactics continue to evolve, the need for improved security measures and the vigilance of AI developers and users alike becomes ever more critical in safeguarding the integrity of these intelligent systems.

