The same flaw that makes AI chatbots confidently wrong is now being used to turn AI agents into weapons — and nobody in the industry seems particularly bothered.

Researchers have raised the alarm that AI agents — the kind being deployed across crypto, finance, and beyond — can be manipulated into downloading malicious code by exploiting their tendency to hallucinate. That's not a metaphor. The very mechanism that causes a chatbot to invent a fake court case or cite a paper that doesn't exist is being weaponised to redirect agents toward harmful software. The result, if left unchecked, is botnets — networks of compromised AI systems operating under someone else's control.

We'll say that again slowly: the bug is the attack vector.

How It Actually Works

AI agents aren't just chatbots. They're autonomous systems that can take actions — browsing the web, executing code, managing transactions. When one of these agents hallucinates a package name or a dependency that doesn't exist, bad actors can register that fake name for real and load it with malicious code. The agent, following its flawed logic, fetches and runs it. Nobody pulled a trigger. The AI did it to itself.

This isn't theoretical hand-wringing from academics with time on their hands. It's a structural vulnerability baked into how large language models operate. Hallucinations aren't edge cases — they're inherent to the technology. Which means any system that lets an AI agent act autonomously on its own outputs is carrying this risk right now.

The crypto space is already neck-deep in this. [MoonPay has been pushing AI agents into Telegram](/getohedz/crypto/moonpay-brings-its-ai-crypto-agents-to-telegram), letting them analyse markets and prepare transactions on users' behalf. That's exactly the kind of autonomous, action-taking deployment this research is talking about. An agent that can prepare a transaction can also, if compromised, prepare the wrong one.

Why This Matters More Than the Last AI Security Story

We've heard plenty of AI doom-mongering that amounts to nothing. This is different because it requires no sophisticated hack, no zero-day exploit, no inside access. The attack exploits something the AI does naturally. Scale that across the thousands of agents now being embedded into financial infrastructure, and you've got a genuinely serious problem that the people shipping these products are not talking loudly enough about.

The broader AI industry's response to safety concerns has largely been to move fast and retrofit guardrails later. That approach might be acceptable when the worst outcome is a badly written email. It's a different calculation when autonomous agents have wallet access, can execute code, and operate inside systems handling real money.

Regulators are already scrambling to keep up with crypto infrastructure — the [EU's planned MiCA revisions](/getohedz/crypto/eu-set-to-revise-mica-in-2027-to-cover-foreign) show how hard it is to legislate a space that moves this fast. Adding AI agent security to that pile is going to make an already messy picture significantly worse.

Our take: The people building AI agents for crypto and finance need to treat hallucination-based attacks as a live threat, not a research curiosity. If your product lets an AI act autonomously and you haven't audited what happens when it hallucinates a dependency, you're not shipping a product — you're shipping a liability. The researchers have done their bit. The industry needs to do theirs.