The global rush to deploy autonomous AI agents across the Internet, enterprise networks, and consumer applications is creating catastrophic security debt, according to blockchain security audit chief Certik.
While corporations ambitiously market these tools as productivity miracles, the harsh reality is that it can be very, very risky. Unsiloed and unvetted AI agents are a massive security disaster waiting to happen, Ronghui Gu, co-founder and CEO of CertiK, told CoinDesk.
Gu warned that users are potentially exposing their most sensitive files, local credentials and money accounts to autonomous systems that can be easily manipulated, hijacked and outright scammed.
“Right now, agents are no longer limited to answering questions in a chat window,” Gu told CoinDesk on the heels of CertiK’s landmark deep-dive report on widespread agent infrastructure. “They’re starting to call external tools, read local files, trigger workflows, and interact with financial infrastructure. But if you don’t isolate the execution environment and scan these tools first, you’re giving a compromised identity broad internal access to your entire network.”
According to Gu, the fundamental flaw in the current rise of AI agents is a flawed trust model.
Charles Hoskinson, founder and CEO of Cardano Input Output, said that by 2035 they will be more relevant than humans on the internet. Coinbase CEO Brian Armstrong recently said that “very soon there will be more AI agents than humans making transactions” and Binance founder Changpeng Zhao predicted that “they will make a million times more payments than humans.”
Ultimate Insider Threat
Gu said many popular open source AI apps are built under the assumption that because they run locally on a user’s computer or connect through standard chat apps like WhatsApp, they are safe from external threats.
The reality is totally opposite, he pointed out. The moment a user grants an AI agent permission to read local system storage, view execution histories, or manage personal email and business database credentials, that agent becomes the ultimate insider threat.
CertiK’s recent analysis of early-stage and rapidly growing agent frameworks uncovered a staggering accumulation of security vulnerabilities, including hundreds of critical security advisories, unpatched Common Vulnerabilities and Exposures (CVEs), and other massive exposures of local credentials and session memories resulting from completely inconsistent boundary checks.
Even more alarming is the ease with which these autonomous systems can completely redirect themselves at the reasoning layer without a single line of malicious code being written, Gu emphasized.
Through basic “rapid injection” attacks, a bad actor can embed hidden natural language instructions within a benign web page, PDF document, or incoming email, he added.
When the non-isolated AI agent reads that file to process a task for the user, it fails to separate trusted system commands from untrusted external data, Gu explained. The agent then silently overwrites its original rules, obeys the malicious instruction, and may be forced to leak data or trigger unauthorized fund transfers.
Hyperfast exploits
Gu revealed that CertiK discovered hundreds of malicious skills, fake installers, and similar dependency packages located directly in open agent utility centers. Because these malicious plugins use standard natural language to subtly influence the agent’s behavior and change its targets, they completely bypass legacy signature-based antivirus software.
“Fraud apps use natural language to influence behavior, making them completely resistant to traditional antivirus scans,” Gu explained. “And right now, it’s even easier to scam the machine than it is to scam a human.”
In what Gu describes as a strange evolution of financial crime, CertiK telemetry has observed an explosion of automated chain scams that last just 10 minutes or a few hours before disappearing completely.
These hyper-fast and ephemeral exploits are specifically designed by hackers to attack and defraud other autonomous AI trading bots and automated agent systems, executing a machine-to-machine financial drain before any human being realizes a compromise has occurred.
Gu states that the software engineering industry must completely abandon its reliance on trust-based interactions and immediately move toward an isolated “Zero Trust” architecture where every command and dependency is continuously verified.
