The global rush to deploy autonomous AI agents across the internet, enterprise networks and consumer applications is creating a catastrophic security debt, according to the head of blockchain security auditor Certik.
While companies ambitiously market these tools as productivity miracles, the harsh reality is that it can be a very, very risky thing to do. Uninsulated, unsupervised AI agents are a massive security disaster waiting to happen, Ronghui Gu, co-founder and CEO of CertiK, told CoinDesk.
Gu warned that users are potentially exposing their most sensitive files, local credentials and money accounts to autonomous systems that can be easily manipulated, hijacked and outright cheated.
“Right now, agents are no longer just answering questions in a chat window,” Gu told CoinDesk on the heels of CertiK’s landmark deep-dive report into widespread agent infrastructure. “They start calling external tools, reading local files, triggering workflows and interacting with financial infrastructure. But if you don’t isolate the execution environment and scan those tools first, you’re giving a compromised identity broad internal access to your entire network.”
The fundamental flaw in the current AI agent boom is a faulty trust model, according to Gu.
Charles Hoskinson, founder and CEO of Cardanos Input Output, said that by 2035 they will become more relevant than people on the Internet. Coinbase CEO Brian Armstrong recently said “very soon there will be more AI agents than humans making transactions,” and Binance founder Changpeng Zhao predicted they “will make a million times more payments than humans.”
Ultimate insider threat
Gu said many popular open-source AI applications are built under the assumption that because they run locally on a user’s computer or connect through standard chat apps like WhatsApp, they are safe from external threats.
The reality is completely the opposite, he noted. The moment a user gives an AI agent permission to read local system storage, view execution histories, or manage personal email and business database credentials, that agent becomes the ultimate insider threat.
CertiK’s recent analysis of early, rapidly growing agent structures revealed a staggering accumulation of security vulnerabilities, including hundreds of critical security advisories, unpatched common vulnerabilities and exposures (CVEs), and other massive exposures of local credentials and session memories resulting from completely inconsistent boundary controls.
Even more alarming is how easily these autonomous systems can be completely redirected to the reasoning layer without a single line of malicious code ever being written, Gu emphasized.
Through basic “prompt injection” attacks, a bad actor can embed hidden natural language instructions into a benign web page, PDF document or incoming email, he added.
When the unisolated AI agent reads that file to process a task for the user, it fails to separate trusted system commands from the untrusted external data, Gu explained. The agent then silently overwrites its original rules, obeys the malicious instruction, and may be forced to exfiltrate data or trigger unauthorized money transfers.
Hyper-fast exploits
Gu revealed that CertiK detected hundreds of malicious skills, fake installers and lookalike dependency packages sitting directly on open agent tool hubs. Because these malicious plug-ins use native standard language to subtly influence the agent’s behavior and change its goals, they completely bypass legacy signature-based antivirus software.
“Scam apps use natural language to influence behavior, making them completely resistant to traditional antivirus scans,” Gu explained. “And right now it’s even easier to cheat the machine than it is to cheat a human.”
In what Gu describes as a bizarre evolution of financial crime, CertiK’s telemetry has observed an explosion of onchain, automated scams that only run for 10 minutes or a few hours before disappearing entirely.
These hyper-fast, fleeting exploits are specifically designed by hackers to target and cheat other autonomous AI trading bots and automated agent systems, performing machine-to-machine financial drain before any human even realizes a compromise has occurred.
Gu states that the software engineering industry must completely abandon its reliance on trust-based interactions and immediately move toward an isolated “Zero Trust” architecture where every command and dependency is continuously verified.
