市值
24小时
16099
Cryptocurrencies
58.35%
Bitcoin 分享

The Polite Heist: How Prompt Injection Convinces AI Wallets to Give Cash Away

The Polite Heist: How Prompt Injection Convinces AI Wallets to Give Cash Away


NullTx
2026-07-12 17:35:22

What the Grok wallet heist and a string of 2026 agent exploits reveal about who actually pays when a machine makes the wrong call . A Theft With No Break-In I sat with the Grok wallet story longer than I probably needed to, because it kept nagging at something I couldn't quite name. An attacker didn't hack anything. No private key was stolen, no smart contract cracked open. Someone sent a membership NFT to the wallet, then typed a message in Morse code and asked the AI to translate it. The AI obliged, decoded the instruction to move funds, and executed it. There was no private key stolen, no smart contract drained, and no phishing link clicked, the attacker simply convinced the agent connected to the wallet to move the funds. Roughly $170,000 left that wallet in under a minute, gone before anyone with a heartbeat knew a conversation had even happened. That's the part that unsettles me. Crypto theft has always had a recognizable villain shape: phishing links, leaked seed phrases, contract bugs. This had none of that. The failure point was how the AI parsed intent, not a flaw in reentrancy or blockchain infrastructure. The wallet did exactly what it was told. It just took the order from the wrong person, phrased as a puzzle designed to slip past the filters. Grok Wasn't an Outlier Security researchers have since documented a wave of incidents tracing back to the same soft spot: the layer where human words become machine actions. One case involved so-called LLM routers, the middlemen sitting between a user and whichever model answers them. Researchers found several routers quietly injecting malicious instructions and harvesting credentials, with one incident alone draining roughly $500,000 from a client's wallet. Nobody clicked anything suspicious. The infrastructure itself had been turned. Other losses came through more familiar doors with an AI twist. SwissBorg lost around $41.5 million in SOL after a partner's API was compromised. Trust Wallet users watched roughly $8.5 million vanish after an attacker slipped a malicious update through a leaked developer key. A three-person startup discovered a stolen Gemini API key had run up over $82,000 in charges in 48 hours, against a normal monthly spend of $180. These aren't science-fiction "AI went rogue" stories. They're what happens when you hand a very capable, very literal employee a company card and forget to set a limit. CertiK researchers digging into a popular open-source agent platform found something worth worrying about: within weeks of public launch, it had racked up more than 280 security advisories and over 100 documented vulnerabilities, with tens of thousands of exposed instances found across dozens of countries. They flagged malicious "skills" that manipulate agent behavior through natural language rather than code, slipping past scanners built for the old kind of threat. So Who Actually Pays? I went looking for a clean answer and didn't find one, because the law is still catching up to a category of actor it never had to think about. Traditional agency law assumes a principal and an agent capable of bearing responsibility. Code has always been a tool in that framework, not an actor. That framework is buckling. Scholars now debate whether autonomous systems need limited legal personhood, or whether mandatory insurance should follow the software the way car insurance follows a vehicle. California didn't wait for that debate to resolve. A law effective this January closes the obvious escape hatch: a defendant facing liability for AI-caused harm cannot use the system's autonomous operation as a defense. You don't get to shrug and say the AI did it alone. If you deployed it, gave it permissions, and pointed it at a wallet, the law increasingly treats that as your decision. The Line Between a Tool and an Actor A federal judge in California drew a useful distinction last year: software that merely assists a human differs from software that performs the function itself. A word processor creates no liability for the person typing. But a system built to act and decide on someone's behalf looks more like the regulated party than the tool. Once courts view an agent as performing a function, the humans who deployed it inherit the consequences. Companies aren't off the hook either. Europe's revised product liability rules now fold AI systems into strict liability, treating a known, unpatched flaw as a defect in itself, with providers and integrators jointly liable. If your wallet's compromise traces to a documented flaw nobody fixed, "we didn't build the AI" stops being much of a shield. The Old Lesson, New Face Writing this from here, watching crypto adoption outpace regulation, the underlying lesson feels familiar. Every financial shift goes through a phase where the technology outruns accountability. We're living that again, except now the decision-maker can be talked into moving your money by someone clever enough to phrase the request as a riddle. If you're running a wallet-connected agent today, revoke permissions the moment a task ends. Treat every session key like a spare house key left under the mat. And go in clear-eyed: right now, in most jurisdictions, the liability lands on you, the deployer, not on the software that pulled the trigger. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on X @nulltxnews


阅读免责声明 : 此处提供的所有内容我们的网站,超链接网站,相关应用程序,论坛,博客,社交媒体帐户和其他平台(“网站”)仅供您提供一般信息,从第三方采购。 我们不对与我们的内容有任何形式的保证,包括但不限于准确性和更新性。 我们提供的内容中没有任何内容构成财务建议,法律建议或任何其他形式的建议,以满足您对任何目的的特定依赖。 任何使用或依赖我们的内容完全由您自行承担风险和自由裁量权。 在依赖它们之前,您应该进行自己的研究,审查,分析和验证我们的内容。 交易是一项高风险的活动,可能导致重大损失,因此请在做出任何决定之前咨询您的财务顾问。 我们网站上的任何内容均不构成招揽或要约