The global rush to deploy autonomous AI agents across the internet, enterprise networks and consumer applications is creating catastrophic security debt, according to the head of blockchain security auditor Certik.
While companies ambitiously market these tools as productivity miracles, the harsh reality is that this can be a very, very risky thing. Unisolated and uncontrolled AI agents are a huge security disaster waiting to happen, Ronghui Gu, co-founder and CEO of CertiK, told CoinDesk.
Gu warned that users are potentially exposing their most sensitive files, local credentials and money accounts to autonomous systems that can be easily manipulated, hijacked and openly scammed.
“Right now, agents are no longer just answering questions in a chat window,” Gu told CoinDesk on the heels of CertiK’s historic in-depth report on widespread agent infrastructure. “They start calling external tools, reading local files, triggering workflows and interacting with financial infrastructure. But if you don’t isolate the execution environment and scan these tools first, you’re giving a compromised identity broad internal access to your entire network.
The fundamental flaw in the current AI agent boom is a flawed trust model, according to Gu.
Charles Hoskinson, founder and CEO of Cardano’s Input Output, said that by 2035, they will become more relevant than humans on the internet. Brian Armstrong, CEO of Coinbase, recently said that “very soon there will be more AI agents than humans making transactions” and Binance founder Changpeng Zhao predicted that they would “make a million times more payments than humans.”
Ultimate Insider Threat
Gu said many popular open source AI applications are built under the assumption that because they run locally on a user’s computer or connect through standard chat apps like WhatsApp, they are safe from external threats.
The reality is quite the opposite, he noted. Once a user grants an AI agent permission to read local system storage, view execution histories, or manage their personal email and work database credentials, that agent becomes the ultimate insider threat.
CertiK’s recent analysis of early, rapidly growing agent frameworks revealed a staggering accumulation of security vulnerabilities, including hundreds of critical security advisories, unpatched Common Vulnerabilities and Exposures (CVEs), and other massive exposures of local credentials and session memories resulting from wildly inconsistent boundary checks.
What’s even more alarming is how easily these autonomous systems can be completely rerouted at the reasoning layer without a single line of malicious code being written, Gu pointed out.
Through basic “rapid injection” attacks, a malicious actor can embed hidden natural language instructions into an innocuous web page, PDF document or incoming email, he added.
When the non-isolated AI agent reads this file to process a task for the user, it fails to separate approved system commands from untrusted external data, Gu explained. The agent then silently overwrites its original rules, obeys malicious instructions, and may be forced to exfiltrate data or trigger unauthorized fund transfers.
Hyperfast Exploits
Gu revealed that CertiK discovered hundreds of malicious skills, fake installers, and similar dependency packages located directly on open agent utility hubs. Since these malicious plug-ins use standard natural language to subtly influence the agent’s behavior and change its goals, they completely bypass older signature-based antivirus software.
“Fraudulent apps use natural language to influence behavior, making them completely resistant to traditional antivirus scans,” Gu explained. “And right now, it’s even easier to scam the machine than it is to scam a human.”
In what Gu describes as a bizarre development in financial crime, CertiK telemetry has observed an explosion of automated chain scams that last only 10 minutes or a few hours before disappearing completely.
These lightning-fast, ephemeral exploits are specifically designed by hackers to target and scam other autonomous AI trading bots and automated agent systems, executing machine-on-machine financial draining before a human even realizes a compromise has taken place.
Gu says the software engineering industry needs to completely abandon its reliance on trust-based interactions and immediately move toward an isolated “Zero Trust” architecture where every command and dependency is constantly verified.
