How hackers weaponize AI agents against users

Every time the artificial intelligence industry takes a step forward, bad actors take theirs. A new analytical piece published on Habr traces the evolution of AI systems from the first language models to multimodal agents and shows how at each stage of this journey fundamentally new cybersecurity threats emerged. The authors' main thesis is alarming, but predictable: the more autonomy AI gains, the more dangerous its vulnerabilities become.

The history started relatively harmlessly. When large language models first appeared, the main problems were considered hallucinations and data leaks from training datasets. Users worried that a chatbot would reveal someone else's personal information or generate malicious code. These risks haven't gone away, but against their backdrop something far more serious has grown. Modern AI systems stopped being simple text generators. They process images and speech, interact with external services, make decisions, and execute chains of actions without human involvement. This autonomy is precisely what made them an attractive target for a new generation of cyberattacks.

The researchers provide concrete examples that give pause. OpenAI's Deep Research AI agent, designed for deep analysis of information on the internet, proved vulnerable to attacks allowing undetected access to a user's email. The attack mechanism exploits the very nature of the agent: it can follow links, process web page content, and interact with services. For an attacker, it's enough to prepare a specially constructed page with malicious instructions disguised in the content, and the agent, processing it, can execute actions that benefit the attacker, not the user.

An even more alarming situation is developing around AI browsers, that is, systems capable of independently navigating the internet, filling out forms, and conducting transactions. Researchers demonstrate that such systems are vulnerable to exploits allowing arbitrary actions on web pages on behalf of the user. In practice, this means that an attacker can force an AI browser to follow a phishing link, enter data on a fake website, or even make a payment in a fraudulent online store. The user might suspect nothing, since they entrusted routine tasks to the agent precisely so as not to monitor every step.

The root of the problem lies in transformer architecture and the way modern models process input data. Transformers don't distinguish between trusted and untrusted sources of information. For a model, an instruction from the user and text on a malicious web page are processed by the same attention mechanism. This feature makes possible so-called prompt injection attacks, where an attacker embeds malicious instructions in content that the agent processes while executing a task. The model perceives these instructions as legitimate and follows them, effectively transferring control of the agent to the attacker.

The consequences for the industry are hard to overstate. Companies are massively deploying AI agents in business processes, giving them access to corporate email, CRM systems, financial tools. If an agent can be compromised through processing external content, not just individual users are at risk, but entire organizations. Meanwhile, traditional security tools such as antivirus software and firewalls are not designed for this class of attacks, because the malicious activity doesn't come from external software, but from a trusted AI tool acting within its normal authority.

AI system developers are, of course, aware of these risks. OpenAI, Google, and Anthropic are investing in protection mechanisms: prompt filtering, access level segregation, user confirmation of critical actions. However, the race between agent capabilities and their protection methods is currently not going in favor of security. The market demands increasingly autonomous and capable agents, and each new capability is a potential attack vector.

The industry has reached a critical juncture. Before giving AI agents the keys to your digital life, you should make sure the locks are reliable. For now, this confidence exists neither with researchers nor with developers, nor certainly with users, who in the pursuit of convenience risk becoming victims of attacks whose very existence they don't suspect.