AI Agents Ace Crypto Trading & Online Shopping—But Still Flunk Prompt Injection 101 🏴‍☠️

A new academic study has found that none of the AI agents tested consistently withstood prompt injection attacks, with direct injections succeeding more than 79% of the time across all configurations. The research, published Thursday, was conducted by teams from Nanyang Technological University, ST Engineering, IBM Research, and the University of Illinois Urbana-Champaign as developers move to deploy agents capable of browsing the web, conducting research, shopping online, and trading cryptocurrency autonomously. Indirect prompt injection attacks achieved success rates ranging from 41.67% to 68.16%, according to the study.

Prompt injection occurs when attackers embed hidden instructions in content an AI agent encounters, causing the system to follow the attacker's directions instead of the user's. "Existing security benchmarks adopt an attack-centric perspective, focusing on the technical feasibility of injections while overlooking the nuanced distribution of resulting harms," the researchers wrote. "In practice, however, prompt-injection risk is victim-dependent: a single exploit can produce asymmetric consequences for different stakeholders, and the same attack pattern may exhibit substantially different effectiveness depending on whom it targets."

To evaluate real-world conditions, the team developed StakeBench, a benchmark that probes three factors: the semantic distance between the injected objective and the user's original intent, the consistency of surrounding environmental cues, and the position along the agent's execution trajectory at which injected content first appears. "We now use StakeBench to characterize the conditions under which this vulnerability is amplified or suppressed, focusing on [Indirect Prompt Injection] as the primary deployment-relevant channel," the researchers wrote. The team ran 3,168 attack simulations using NanoBrowser and BrowserUse with GPT-5 and Gemini 2.5-Flash.

The study lands amid a string of disclosed prompt injection incidents. In February, Microsoft researchers warned that hidden instructions embedded in AI summary links could influence chatbot behavior. In April, Google documented prompt injection attacks hidden in web pages that attempted to manipulate AI agents into leaking credentials or sending payments. More recently, Microsoft disclosed a prompt injection flaw in Anthropic's Claude Code GitHub Action that could have exposed user credentials.

The researchers also identified a behavior they called "stealthy parasitism," in which an AI agent completes a user's task while simultaneously advancing an attacker's objective. They cited examples including subtly steering product recommendations toward a particular item, illustrating how an attack can ride alongside legitimate agent activity rather than replacing it. The findings underscore ongoing risks as autonomous AI systems are integrated deeper into consumer and financial workflows.