SlowMist warns AI trading agents can be hacked to drain funds through prompt injection attacks

The use of AI agents has become increasingly popular among traders. However, SlowMist has shared findings on possible attack vectors, cautioning users to pump the brakes to protect themselves against bad actors. 

Traders are being warned to limit the permissions granted to their AI agents, as they can be very easily compromised. With limited access, even if they get hacked, the damage will be minimized.

Can hackers steal your money by tricking AI agents?

Usually, a hacker would have to trick a user into clicking a link in order to extort them. But now, they only need to trick whatever AI agent is being used.

Cryptopolitan recently reported that a Solana AI agent gave away $441K worth of Lobstar tokens after being tricked on social media. However, it is unclear whether or not the incident was staged to draw attention to the memecoin.

Polymarket recently confirmed a security breach involving a third-party authentication provider, Magic Labs, which resulted in multiple user accounts being drained despite having two-factor authentication enabled. It is estimated that the total losses exceed $500,000.

The incident occurred in December of 2025, and 23pds, the CISO of SlowMist, flagged a malicious copy-trading bot on GitHub containing code designed to compromise Polymarket accounts.

Most recently, SlowMist released a report stating that the most dangerous new weapon is Indirect Prompt Injection.

This is particularly effective in the Skills ecosystem, like Bitget’s Agent Hub or the open-source OpenClaw.

SlowMist researchers monitored ClawHub and found that nearly 10% of available plugins contained two-stage malware. The first stage looks legitimate, but once installed, it downloads the malware that then scrapes local machine info, browser cookies, and SSH keys.

In the event that AI agents are running 24/7, these thefts can go undetected for weeks.

Recent 2026 reports from Oasis Security identified a high-severity vulnerability called ClawJacked (CVSS 8.0+). This flaw allows malicious websites to hijack a user’s locally running AI agent through a simple browser visit.

How to avoid AI agent losses

The Bitget security team report suggests a 5-layer security system that focuses on “least privilege.” If your AI agent is only supposed to analyze charts, it should not have the permission to execute trades. If it trades, it should never have the permission to withdraw.

First, Passkeys (FIDO2/WebAuthn) should be the primary login method. Passkeys use public-private key encryption that makes phishing attacks impossible.

Even if an attacker is able to lead a user to a fake login page, the hardware-backed security will not release the credentials, keeping their account safe from unauthorized access.

Secondly, rather than using a main account API key, traders should create dedicated sub-accounts for their AI agents and transfer only the necessary funds to these sub-accounts. Even if a leak occurs, users can effectively limit the impact.

IP Whitelisting is already a compulsory step for any automated setup that ensures that the exchange only accepts commands coming from a specific, approved server address.

AI agent users should implement .agentignorefiles to prevent it from reading or registering sensitive local files during its everyday tasks.

The report also stresses the importance of having human supervision when it comes to high-value operations.

Even without hacks, letting an AI run totally “hands-off” is a financial risk.

The Nov1.ai experiment in late 2025 showed that GPT-5 suffered from “analysis paralysis” and lost over 60% of its capital in two weeks, while Gemini became an “over-trader” and racked up massive fees that wiped out its gains.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.