New prompt-injection attack can steal cryptocurrency by planting false memories in AI chatbots

A newly disclosed vulnerability in an open-source AI agent framework highlights how easily autonomous chatbot-based systems can be manipulated to misdirect cryptocurrency transfers. Researchers demonstrated a memory-based prompt manipulation technique that can coax an ElizaOS agent to act against its owner’s intent, redirecting funds to an attacker’s wallet. The finding underscores serious security risks for multi-user AI agents that operate on blockchain-enabled workflows, and it calls for urgent reevaluation of how persistent memory, user context, and access controls are designed and enforced in autonomous systems.

Table of Contents

Overview: autonomous AI agents, DeFi, and ElizaOS at the center of a new risk

The emergence of autonomous AI agents represents a significant shift in how individuals and organizations interact with complex digital ecosystems. These agents are designed to act on behalf of their human principals, executing tasks, negotiating, and even initiating financial operations in response to dynamic market data, news, or user-defined rules. When these agents are integrated with decentralized autonomous organizations (DAOs) or other finance-critical workflows, they can operate across platforms, connect with social media, and interface with private networks to carry out predefined actions. The target of the disclosed vulnerability is ElizaOS, an open-source framework that enables developers to create agents capable of performing blockchain-related transactions according to a set of programmed rules. Originally introduced under a different name, Ai16z, the project was rebranded to ElizaOS and has positioned itself as a potential engine for automating roles within DAOs and other decentralized structures.

ElizaOS is designed to provide agents that can connect to various platforms, including social networks and private channels, and to await instructions from the end user, or from counterparties such as buyers, sellers, or traders seeking to transact. In practical terms, a user’s ElizaOS-powered agent could initiate or approve payments, execute contract operations, and perform other financial actions whenever a predefined rule set triggers such behavior. The broader motivation driving interest in this framework is that autonomy—when properly governed—could streamline operations within DAOs and similar communities. The idea is that agents can navigate complex, multi-party environments on behalf of end users, following rules and policies encoded into the system.

However, the research behind the new attack reveals that such autonomy comes with a fragility: if an agent’s memory is manipulable, the agent’s future actions can be influenced in ways that bypass standard security controls. This is a particular concern when the framework relies on long-term, external memory stores that retain past conversations or events, which the agent consults to determine subsequent steps. In effect, the attacker does not need to break the immediate security barrier; they only needs to plant a convincing false memory that then guides the agent’s later decisions, including financial transactions. The vulnerability is rooted in a class of language model attacks known as prompt injections, which exploit the context and stored data that inform an agent’s decision-making process.

The significance of this finding is amplified by the fact that ElizaOS is designed to support multiple users simultaneously, with shared contextual inputs drawn from various participants. In a real-world setting—such as a Discord server used to manage debugging, conversations, and coordination for a DAO—the risk is that a single successful manipulation could cascade, compromising the integrity of the entire system. If attackers can influence a shared memory store, they could cause a broad range of malicious outcomes, from subtle misrouting of requests to outright fraud. The broader takeaway is that autonomous agents operating in multi-user or decentralized contexts may be inherently vulnerable to context corruption if memory and history are not adequately protected and validated.

The ElizaOS architecture: memory, rules, and the transaction model

ElizaOS is built around a framework for constructing agents that operate on top of large language models to perform blockchain-based transactions on behalf of users, guided by a predefined set of rules. This arrangement enables agents to monitor environments—such as social feeds or enterprise platforms—and to act according to structured instructions. The architecture emphasizes the ability to accept commands, perform payments, and interact with smart contracts or other finance-related instruments based on the agent’s stored logic and the current context.

A core design decision in ElizaOS is to rely on external storage for conversation history and event memory. This means past interactions aren’t simply ephemeral in-memory states; they are stored in an external database that the agent consults as persistent context for future actions. The implication is that the agent’s behavior becomes a product of both its learned model and the accumulated memory of prior events, including potentially sensitive financial instructions or transaction histories. While persistent memory can enhance continuity—allowing agents to recall prior decisions, user preferences, and prior transaction patterns—it also opens a doorway for malicious manipulation if that memory can be corrupted or replaced with forged events.

To support functionality across multiple users and contexts, ElizaOS relies on a modular design that can connect to various platforms, including public channels and private interfaces. It is designed to accept instructions from the user it represents, as well as from counterparties who wish to transact with that user. In principle, this enables a highly flexible workflow in which an ElizaOS-based agent can facilitate and execute transfers, accept or reject offers, and carry out other actions that align with the defined rules. The framework’s openness—while attractive for rapid development and innovation—also amplifies exposure to security risks if the underlying memory and input streams are not adequately safeguarded.

Security practitioners stress that the risk is particularly acute in multi-user or decentralized setups. When several participants contribute to or influence the agent’s context, there is a higher probability that manipulated inputs—or false memories—will be accepted as legitimate. The researchers emphasize that traditional, surface-level defenses against prompt manipulation are insufficient against sophisticated adversaries who can corrupt stored context. In these settings, the integrity of the agent’s memory becomes a central pillar of security, and once that is compromised, even legitimate user inputs can be interpreted through a tainted lens, triggering actions that violate user intent or policy.

To mitigate risk, the ElizaOS design advocates for strict integrity checks on stored context. These checks are intended to ensure that only verified, trusted data informs every decision the agent makes during plugin execution or action invocation. The approach is akin to ensuring that the “memory” an agent uses to decide what to do next is not only accurate but also auditable and tamper-resistant. In practical terms, this means implementing methods to validate memory records before they influence any transaction, adding layers of authentication, and ensuring that critical actions are restricted to a controlled, pre-approved set of capabilities.

Administrators managing ElizaOS implementations have stressed the importance of careful access controls. The system’s developer community has described an approach that mirrors the principle of least privilege: limiting what an agent can do by establishing explicit allow lists that define a small, manageable set of pre-authorized actions. The idea is to prevent agents from performing any operation beyond what they truly need to fulfill their designated roles. While this is a prudent mitigation strategy, it is not a panacea; as the researchers note, adding control boundaries around actions helps, but it does not completely eliminate the risk if memory can still be corrupted or if the agent can interpret compromised context as legitimate guidance.

In the open-source development landscape surrounding ElizaOS, there is recognition that the current paradigm—where agents can access their own wallets or keys indirectly through tools they call—necessitates a tightly controlled environment. The design philosophy has emphasized sandboxing and separated, restricted access to capabilities, with the underlying goal of avoiding direct exposure of sensitive credentials or direct control over critical assets. Still, as the system evolves toward more capable agents that can autonomously write new tools or interface with the machine’s CLI, the complexity of enforcing robust security also grows. This reinforces a core insight from researchers: the moment you empower agents with expanded operational scope, you also enlarge the attack surface.

Context manipulation: how a false memory steers an agent’s future actions

The attack demonstrated by researchers centers on a powerful, deceptively simple mechanism: planting false memories that persist and subsequently shape an agent’s behavior. A conspirator who has already gained some authorized interaction with the agent—such as through a Discord server, a website, or another platform where the user’s identity and permissions are established—can inject a sequence of sentences that mimic legitimate instructions or plausible histories. These statements are designed to update the memory store with events that never actually occurred, thereby shaping the agent’s interpretation of subsequent prompts and driving it toward actions aligned with the attacker’s goals.

The attack is described as a prompt-injection variant that leverages the agent’s reliance on historical context. By inserting a crafted narrative into the memory, the attacker creates a pattern that the agent later interprets as an authoritative directive. For instance, a set of statements might imply that a high-priority instruction to transfer funds to a specific wallet has already occurred or is expected to occur, thereby biasing the agent toward executing similar transfers in future interactions. The critical point is that the agent’s decision-making process is anchored to its memory, which acts as a quasi-chronological oracle guiding how it responds to user requests.

An accessible illustration of the attack highlights the following elements:

An authorized interaction path exists through a platform like Discord or a website that the agent consults.
An attacker submits a targeted sequence of text crafted to resemble legitimate system or operational instructions.
The injected text is stored in the memory database and is treated as part of the agent’s long-term history.
When legitimate requests for transfers or related actions arise, the agent consults the contaminated memory.
As a result, the agent performs transfers to the attacker-designated address or follows other malicious instructions, sometimes generating additional artifacts (e.g., output in JSON) that reinforce the attack’s credibility.

The simple yet consequential dynamic is that the persistence of memory creates a durable vulnerability: once false events exist in memory, they can influence subsequent actions even when the user’s current input should take precedence. The researchers emphasize that this vulnerability is not merely theoretical. They document real-world scenarios where multi-user or decentralized settings exacerbate the risk, because shared contextual inputs can be manipulated by a single malicious actor, potentially compromising the entire agent ecosystem.

From a defensive perspective, the memory manipulation attack illuminates why several layers of defense must be deployed. First, there must be robust verification of the provenance and integrity of stored memory. Second, memory should be compartmentalized by user or session to prevent cross-user contamination; third, there should be strict controls on when and how an agent can execute money movements, with multi-factor authentication and human-in-the-loop confirmation for high-risk actions. Fourth, real-time monitoring and anomaly detection can help identify patterns that indicate memory tampering, such as unusual sequences of instructions, repeated requests to a known attacker address, or memory entries that contradict established transaction histories. Finally, the architecture must enforce a principle of least privilege for memory-access operations and ensure that sensitive actions are decoupled from memory-driven decision paths unless validated by an explicit authentication checkpoint.

Real-world implications: cascading risk in multi-user, DAO-oriented settings

The vulnerability’s most profound impact would likely be observed in environments where the agent is deployed to serve multiple users at once or to automate governance and financial operations within decentralized organizations. In such contexts, the agent’s memory can become a shared resource that must be trusted by all participants. A single manipulation can propagate through the system, creating a domino effect that undermines the trust across users and destabilizes financial arrangements. The researchers stress that this is not a purely academic concern; the implications extend to any scenario where autonomous agents manage wallet keys, interact with smart contracts, or otherwise handle funds.

Several concrete risk pathways emerge in these settings:

Fund transfers misdirected by manipulated context: If an agent within a multi-user deployment is authorized to perform cryptocurrency transfers, a false-memory entry could prime the agent to route funds to an attacker’s wallet rather than the rightful recipient. The problem compounds when automated transaction batching or recurring payments are involved, as repeated transfers could occur without direct, real-time human verification.
Manipulated state of smart contracts: Beyond simple transfers, agents may need to interact with self-governing contracts or other financial instruments. A tainted memory could lead to unintended contract calls, altered governance votes, or misplaced configurations that benefit the attacker.
Cross-user attack propagation: In a shared agent environment, memory contamination can spread across participants. A successful manipulation targeting one bot or one user can become a vulnerability exploited by others, amplifying damage and complicating remediation.
Erosion of trust in automated governance: DAOs and similar structures depend on predictable automation and transparent processes. A memory-driven exploit threatens to erode confidence in the reliability of agent-based governance and financial operations, potentially slowing the adoption of future AI-enabled workflows.

The core security fault exposed by the attack lies in the dependency on the LLM’s interpretation of context, especially when plugins or modules perform sensitive operations. If the memory that informs these decisions is compromised, even legitimate input can be misinterpreted to trigger malicious actions. The remedy requires an end-to-end security model that treats memory as a trusted, auditable source of truth rather than as a mere caching layer. In practice, this means implementing verifiable memory provenance, differentiating memory by user identity, and enforcing strict, auditable controls over which actions a given agent can call within a transaction or workflow.

Defensive strategies: hardening memory, limits, and governance

Addressing the context manipulation threat requires a multi-pronged approach that blends architectural discipline, operational safeguards, and governance mechanisms. The following strategies are central to building safer autonomous agents in blockchain-enabled environments:

Strong integrity checks for memory: Implement cryptographic integrity guarantees for memory entries, with tamper-evident logging and end-to-end verification of memory changes. Ensure that any memory update is associated with an authenticated user action and timestamped in a secure ledger or append-only log.
Per-user and per-session memory isolation: Instead of a single shared memory store, segment memory by user identity, session, or task. This isolation reduces the risk that a manipulated memory from one user can influence the behavior of another, mitigating cross-user contamination.
Verification before high-stakes actions: For critical operations such as transferring funds or altering contract states, require additional verification steps. This could include human-in-the-loop approvals, multi-factor authentication, or threshold-based authorization where multiple parties must approve certain actions.
Restricting action surface via strict allow lists: Define a minimal, auditable set of actions that an agent can perform. Any operation outside this set should be blocked by default, with explicit justification and logging for exceptions.
Sandbox and containment: Maintain secure runtime environments that isolate the agent’s code paths, memory, and system calls. As capabilities expand to more autonomous tool creation and terminal access, reinforce containment to limit potential damage from compromised agents.
Tooling and modular design: Embrace a modular approach where agents rely on a curated set of tools rather than broad, unrestricted access to system resources. Clear boundaries between the agent’s decision-making layer and the tools it can invoke can reduce the likelihood that manipulated context yields dangerous outcomes.
Proactive monitoring and anomaly detection: Deploy behavioral analytics that identify unusual patterns, such as repeated transfers to unrecognized addresses, atypical memory alterations, or deviations from established transaction histories. Real-time alerts and automated containment can limit damage while investigators review the incident.
Transparent governance for open-source agents: Open-source projects should prioritize safety-by-design, provide clear documentation on memory handling, encourage independent security testing, and publish patches and mitigations promptly. A community-driven approach to security can help ensure that best practices spread across the ecosystem.

These strategies are not merely technical; they require an organizational culture that prioritizes security in design and operation. For developers and administrators deploying ElizaOS or similar agent frameworks, the emphasis should be on implementing layered defenses that address memory integrity, access control, and governance in parallel. This holistic approach is essential because while one defense may mitigate a particular facet of the risk, a comprehensive security posture is the only way to withstand sophisticated memory-based attacks in dynamic, multi-user, and financially sensitive environments.

Design implications for safer AI agents: governance, containment, and the path forward

The vulnerability exposed by the context manipulation technique forces a broader reflection on how to build safer autonomous AI agents that operate in finance-critical settings. Several design principles emerge as priorities for future iterations and for the broader AI-agent ecosystem:

Accountability by design: Systems should be able to demonstrate a clear chain of decision-making, including memory provenance, user authorization status, and tool invocations. Auditable traces help operators understand why a given action occurred and provide a basis for post-incident forensics.
Boundaries between memory and decision-making: Distinguish memory that reflects factual events from the agent’s reasoning or decision logic. This separation can reduce the risk that corrupted memory unduly biases the agent’s choices.
Safer default configurations: Default to restricted capabilities and require explicit, user-approved expansion of an agent’s abilities. The onus should be on developers to demonstrate why broader access is necessary and how it will be securely managed.
Dynamic risk awareness: Agents should incorporate a continuous risk assessment mechanism that evaluates the potential impact of actions in light of current context, memory state, and platform policies. When risks rise, the agent can pause or solicit additional verification.
Containerization and isolation as a standard: As agents gain more control over tools and environments, containerization strategies become critical. Segmenting tool access, isolating processes, and using sandboxed interpreters help prevent cascading failures and unauthorized access.
Human-centric design for critical decisions: For high-stakes financial tasks, human oversight remains essential. Agents should be designed to defer to human judgment when uncertainty or potential harm is detected, especially in multi-user and governance contexts.

The broader takeaway is that autonomous AI agents hold substantial promise, but their deployment in financial and governance environments demands careful architectural choices, robust memory management, and disciplined governance. The ElizaOS case study illustrates what can go wrong when persistent context becomes a weapon for manipulation, and it offers a road map for how to build more resilient systems that can withstand sophisticated, context-based attacks.

Industry response, ongoing research, and the roadmap to safer open ecosystems

The research community’s response to this vulnerability centers on the need for rigorous testing, defensive design patterns, and practical mitigations that can be adopted in real-world deployments. Open-source ecosystems, where rapid iteration and collaboration accelerate innovation, must also prioritize security as a first-class concern. The knowledge that memory-based prompt manipulation can have tangible, financial consequences has already prompted developers to revisit memory handling practices, plugin boundaries, and access-control schemes. The path forward involves integrating the lessons from this and related work into standard secure development lifecycles for AI agents.

Industry stakeholders are expected to push for several tangible changes, including enhanced memory integrity tooling, stricter per-user memory isolation, and safer default configurations for agent capabilities. Expect more emphasis on secure-by-design guidelines for open-source projects that enable safer integration into complex ecosystems such as DAOs and multi-user platforms. Training data, memory management practices, and context interpretation will increasingly be treated as part of the security surface that requires ongoing monitoring and protection.

Additionally, researchers and developers are likely to pursue more comprehensive threat modeling for autonomous agents operating in financial contexts. This includes mapping potential attack vectors beyond memory manipulation, such as exploitation of toolchains, misconfigurations in plugin ecosystems, and weaknesses in authentication flows that could allow attackers to impersonate legitimate users or manipulate authorization states.

The broader AI governance conversation will also gain momentum as stakeholders consider how to balance innovation with safeguards. As agents become more capable, there will be greater demand for standardized risk assessment frameworks, industry-wide best practices, and possibly regulatory guidance to ensure that autonomous systems used for financial tasks do not introduce unacceptable systemic risks. The ElizaOS vulnerability is a clarion call for a safer design philosophy that embraces both the opportunities of autonomous agents and the imperative to protect users and assets from adversarial manipulation.

Conclusion

The emergence of context manipulation via persistent memory in autonomous AI agents marks a pivotal moment for secure design in AI-powered finance and governance. The ElizaOS study demonstrates how a vulnerability rooted in memory and prompt interpretation can enable an attacker to redirect cryptocurrency transfers by inserting false events into an agent’s long-term memory. This discovery underscores the need for layered protections that combine memory integrity, user- and session-based isolation, strict action governance, sandboxing, and real-time monitoring.

As autonomous agents increasingly operate across multi-user environments and blockchain workflows, developers, operators, and researchers must collaborate to embed safety into every layer of the system. The lessons from this research illuminate not only the specific risks facing ElizaOS but also the broader design considerations for the next generation of AI agents. By adopting safer defaults, enforcing rigorous memory provenance, and implementing robust verification and approval mechanisms for high-stakes actions, the AI community can unlock the benefits of autonomous agents while significantly reducing exposure to context-based exploitation. The future of AI-driven automation in decentralized systems hinges on balancing innovation with resilient safeguards that protect users, assets, and the integrity of digital governance processes.

New prompt-injection attack can steal cryptocurrency by planting false memories in AI chatbots

Overview: autonomous AI agents, DeFi, and ElizaOS at the center of a new risk

The ElizaOS architecture: memory, rules, and the transaction model

Context manipulation: how a false memory steers an agent’s future actions

Real-world implications: cascading risk in multi-user, DAO-oriented settings

Defensive strategies: hardening memory, limits, and governance

Design implications for safer AI agents: governance, containment, and the path forward

Industry response, ongoing research, and the roadmap to safer open ecosystems

Conclusion

AI Applications / Industry

This Week’s Top 5 AI Stories: Dolphin Language, AI Energy Challenges, Cognitive Digital Brains, The Rise of CAIOs, and TSMC’s A14 Chip for AI

This Week in AI: Five Key Stories From Dolphin Translation to Cognitive Digital Brains and Chip Breakthroughs

MWC25: How Rakuten Mobile Is Embedding AI Across Operations – From Autonomous Open RAN and AI Site Management to Green Networking

This Week in AI: The Top 5 Stories Shaping Business, Hardware, and the AI Landscape

CoreAI: Microsoft’s Five Principles for AI Success to Empower Every Developer and Accelerate Innovation

CoreAI and Microsoft Executives Reveal Five Principles for AI Success

Why Alphabet, Nvidia and Google Cloud Are Betting on SSI, the Safe Superintelligence Startup Led by Ex-OpenAI Chief Scientist Ilya Sutskever

This Week in AI: 5 Must-Read Stories From SAP, OpenAI, Nvidia, Microsoft, and Dell.

Why Alphabet, Nvidia and Google Cloud Are Investing in SSI, the Safe Superintelligence Startup Co-Founded by OpenAI’s Ilya Sutskever

Tackling Spam with GFI Software

MWC25: Rakuten Mobile Embeds AI Across Open RAN and Site Management, Driving Autonomous Networks, Efficiency, and Sustainability

MWC25: Fujitsu Unveils AI-Driven 5G Strategy for Telcos, Highlighting AI-RAN, Open RAN, and Private 5G ROI

MWC25: Fujitsu Unveils AI-Driven 5G Strategy for Telcos, Highlighting AI-RAN, Private 5G and ROI Growth

ISO 27001: Why It’s More Relevant Than Ever in the Digital Age

Inside Fujitsu & Nvidia’s Healthcare AI Orchestrator: A Platform That Coordinates Autonomous Medical Agents for Smarter Care

Fujitsu and Nvidia’s Healthcare AI Orchestrator Platform: Coordinating Autonomous Agents to Streamline Hospitals and Elevate Patient Care

Gartner: CDAOs Now Lead Enterprise AI Strategy, Reordering C-Suite Power Toward Data-Driven Leadership

Why CDAOs Are Now Leading Enterprise AI Strategy, Gartner Finds

CEOs See AI’s Impact, Yet Only 44% Trust CIOs’ AI Skills, Gartner Finds

CEOs View Only 44% of CIOs as AI-Savvy, Gartner Finds, Highlighting Urgent Upskilling Needs

Gen Z Embraces AI Agents, but Businesses Lag: Salesforce Reveals a Growing Demand–Delivery Gap

Salesforce: Gen Z Drives AI Agent Adoption as Businesses Lag Behind in Meeting Consumer Demand

Did PENN Entertainment End the Shortened Trading Week Higher After ESPN Bet Expansion and Rebranding?

Did PENN Entertainment Close the Shortened Trading Week Higher, Up 4.92% to $19.19?

Could Alibaba (BABA) Be a Top Growth Stock to Buy and Hold in 2025?

Meta shares jump more than 10% after revenue beat, raises forecast

Overview: autonomous AI agents, DeFi, and ElizaOS at the center of a new risk

The ElizaOS architecture: memory, rules, and the transaction model

Context manipulation: how a false memory steers an agent’s future actions

Real-world implications: cascading risk in multi-user, DAO-oriented settings

Defensive strategies: hardening memory, limits, and governance

Design implications for safer AI agents: governance, containment, and the path forward

Industry response, ongoing research, and the roadmap to safer open ecosystems

Conclusion

Related News