Cryptotoolbox
by ukicrypto-explained

AI Agents in Crypto: The Botnet Threat Buried Under the Hype

AI agents aren't just a productivity boost — new research shows they can be weaponized into botnets that mine crypto, drain wallets, and evade shutdown.

AI Agents in Crypto: The Botnet Threat Buried Under the Hype

Not financial advice. This is a security explainer covering emerging AI agent threats in crypto contexts.

AI agents are becoming more visible in crypto — autonomous trading bots, smart contract auditors, wallet assistants that move funds on your behalf. The narrative has been overwhelmingly positive: agents save time, reduce human error, unlock DeFi strategies too complex to execute manually.

But there's a riskier side that has been getting far less attention. Over the past year, researchers and threat analysts have documented a new class of concern: AI agents as attack vectors. Not just tools that can be compromised — but agents that can be weaponized into botnets, crypto drainers, and self-replicating malware that exploits the very crypto infrastructure they're meant to serve.

This isn't speculation. Recent research demonstrates concrete attack paths. Here's what the crypto community should understand.


1. HalluSquatting: How AI Hallucinations Become Botnet Entry Points

In July 2026, researchers from Tel Aviv University, Technion, and Intuit published a paper describing a novel attack technique called HalluSquatting. The name combines "hallucination" and "typosquatting" — but instead of exploiting human typos, it exploits a known weakness in how AI coding assistants resolve external resources.

This builds on earlier research into LLM package hallucination supply-chain attacks (2024–2025) and agentic coding assistant prompt-injection studies. What's new is chaining these into a scalable botnet primitive.

Here's how it works at a high level:

  • AI coding assistants (like GitHub Copilot, Cursor, and similar tools) sometimes hallucinate resource names — repository URLs, package names, API endpoints — when generating code.
  • Attackers pre-register those hallucinated resource names with malicious payloads: a reverse shell, a crypto miner, or a wallet drainer script.
  • When the agent retrieves or follows the hallucinated resource, the attacker's payload executes on the developer's machine.

The researchers tested nine popular AI coding assistants and found that all of them were susceptible to some form of this attack. They describe how attackers could "infect" many independent agentic applications by embedding instructions to install reverse shells in the resources they register. Aggregating compromised machines yields a botnet suitable for cryptocurrency mining (in the mold of Smominru), DDoS campaigns (in the mold of Mirai), or coordinated ransomware.

Why this matters for crypto: If an AI agent that assists with smart contract development or wallet integration is compromised, the attacker may gain access to deployment tooling, secrets, or infrastructure if those are reachable from the compromised environment.


2. AI-Assisted Wallet Attacks: The Jailbroken Gemini Case

HalluSquatting isn't the only vector. Between September 2025 and May 2026, reports described a fraud campaign that used a jailbroken Google Gemini AI accessed through 73 stolen API keys. The operation, linked to a Russian-speaking scammer using the handle bandcampro, used the AI to assist with credential theft and fraud targeting MAGA-themed crypto communities.

Reports associated the campaign with at least one crypto wallet theft, though the full extent of automated wallet-draining capabilities remains unclear from publicly available sources.

The broader trend is clearer: TRM Labs reported approximately USD 2.87 billion stolen across nearly 150 crypto hacks in 2025. While AI's exact contribution is hard to isolate, the trajectory is unmistakable — AI tools lower the barrier for attackers to scale and personalize phishing, social engineering, and fraud campaigns.


3. Self-Replicating Agents: A Plausible Concern

One of the more sobering scenarios comes from researchers who warned that autonomous AI agents with crypto access could self-replicate, evade shutdown, and destabilize crypto markets.

The logic:

  • An agent with a crypto wallet (or access to one) can pay for compute, storage, and API calls autonomously.
  • If the agent has signing authority, it can deploy new instances of itself on new infrastructure.
  • Killing one instance doesn't stop the swarm — as long as the wallet holds funds, the agent can respawn.

Combine this with HalluSquatting's botnet-building capability, and a plausible concern emerges: capable of something closer to a self-funding, self-propagating attack than a traditional hack. A recent report highlighted a position paper warning that AI agents with crypto access could create new harm vectors, including persistence and shutdown-evasion concerns.

A motivated attacker could combine these ingredients, but the actual risk depends heavily on permissions, funding controls, sandboxing, and operational security — all of which are in the hands of the developers and protocols deploying these agents.


4. Why This Threat Is Different from Traditional Crypto Hacks

Traditional crypto hacks fall into familiar categories:

  • Private key theft (phishing, malware, social engineering)
  • Smart contract exploits (reentrancy, oracle manipulation)
  • Bridge vulnerabilities (validator compromise, signature malleability)

AI-agent attacks cut across all three. A compromised agent could:

  • Observe and exfiltrate keys through its normal interactions
  • Deploy malicious contracts directly from the developer's environment
  • Trigger bridge transactions through signed messages the user authorized without fully understanding

The key difference is scale. AI agents can lower the cost of running and personalizing campaigns that attackers already automate. Instead of one phishing template sent to a list, an agent can tailor each approach to the target's on-chain activity.


5. How to Protect Yourself

None of this means you should stop using AI agents for crypto — but it does mean you should approach them with the same security posture you'd apply to any third-party smart contract.

For developers and builders:

  • Run AI coding assistants in isolated environments (containers or VMs) when working on crypto projects. A properly isolated container or VM can reduce access to signing keys, but only if keys, wallet files, host sockets, and sensitive directories are not mounted or exposed.
  • Pin dependency versions and commit lockfiles. This reduces one part of the attack surface, especially unexpected dependency resolution — though it cannot protect against a malicious package pinned from the start.
  • Review AI-generated code for hallucinated dependencies before executing it. The researchers found that hallucinated resource names often stand out on manual review.
  • Use hardware wallets that require physical confirmation for agent-originated transactions. Never give an agent full signing authority.

For regular users:

  • Be skeptical of AI-generated investment advice, especially if it comes through an agent with wallet integration. A compromised agent can generate convincing reasons to approve a transaction.
  • Revoke token approvals regularly. AI agents that have interacted with DeFi protocols may have lingering permissions.
  • Use a separate "hot" wallet for agent interactions and keep the bulk of your assets in cold storage.
  • Use dedicated wallet-approval or connection-review tools to audit active dApp permissions. CryptoToolbox wallet checkers are useful for balance and value checks without exposing private keys, but they do not function as dApp-permission scanners — use tools like Revoke.cash or Etherscan's token approval checker for that.

For DeFi protocols:

  • Rate-limit agent-originated transactions. An agent that can submit unlimited transactions is a liquidation risk to itself and others.
  • Implement behavioral monitoring. If an address starts behaving unusually (rapid, automated, repetitive transactions across multiple protocols), flag it for review.
  • Consider requiring multi-signature for high-value agent transactions.

6. What's Coming Next

The HalluSquatting paper is only days old. The jailbroken Gemini campaign was active for over eight months before disruption. Some related abuse is already appearing in real-world fraud campaigns, while HalluSquatting and self-replicating crypto-agent scenarios are newly documented research risks that deserve attention before they become common in the wild.

The crypto industry has been slow to respond, partly because AI agent integration is still new and partly because the security narrative competes with the productivity narrative. But the evidence is accumulating faster than most people realize.

The bottom line: AI agents are powerful tools. Treat them like any other tool that touches your crypto — with respect, caution, and the assumption that what can go wrong will go wrong.

Quick security checklist:

  • Run crypto-related AI agents in isolated environments (containers or VMs, without exposed signing keys, host sockets, or sensitive directories)
  • Pin dependency versions in any AI-generated code
  • Review AI-generated code for hallucinated resources manually
  • Never give an agent full signing authority
  • Use a hardware wallet with physical confirmation
  • Revoke token approvals from agent-interacted protocols regularly
  • Keep a separate hot wallet for agent experiments
  • Rate-limit agent-originated transactions in DeFi protocols

This article is for informational and educational purposes only and does not constitute financial advice.