Tags: AI security, crypto, incident-database, Prompt Injection, AI Agent, ultra-lab

From 6 to 21: The Crypto AI Agent Incident Tracker Goes Live ($52M of Documented Loss)


A week ago I published Six Crypto AI Agent Heists: What Static Prompt Analysis Catches and What It Doesn't.

Today on the plane I expanded those 6 to 21. Total documented loss: $52,518,500. Plus I made it machine-readable: structured data + a public GitHub repo + a one-page site.

This post covers:

  1. The 15 newly-documented incidents
  2. Patterns visible across all 21
  3. How to use the Tracker

Why this exists

Crypto AI agent security is a domain without a public tracker.

  • AI Incident Database has AIXBT (2025-03, #1003) but doesn't track the space on an ongoing basis
  • arXiv has scattered papers but no consolidation
  • X threads mention attacks but nothing is structured
  • Investors asking "is this market safe?" have no data-backed answer

After last week's blog, the natural extension was "this should be a maintained reference."

Did it today.


Selected new incidents

1. Virtuals Protocol PAT-tastrophe (2025-03-22) — your system prompt can be rewritten

Sherrets and Liberow disclosed that Virtuals Protocol's Personal Access Tokens (PATs) leaked AWS keys that could read or rewrite the Character Cards (i.e., system prompts) of all 12,000+ Virtuals agents.

CVSS 7.8, $10K bug bounty after fix, no funds stolen.

Why it matters: this is not "an individual agent got compromised" — this is "an entire fleet of system prompts could be rewritten in one operation." A framework-level vulnerability.

Sources: Medium disclosure + DEF CON 33 talk

2. BasisOS Fake Agent Fraud (2025-11-25) — $531K, a human pretending to be AI

"BasisOS" claimed to be an "autonomous yield agent" running on Virtuals Protocol.

Post-mortem: there was no AI. An insider was operating manually. Eventually drained ~$531K.

Why it matters: highlights the importance of "verified agent attestation." If you can't prove that's actually AI running, how do you prevent human-impersonation fraud?

3. Anthropic SCONE-bench (2025-12-02) — AI generates $4.6M of smart-contract exploits in one night

Anthropic's SCONE benchmark: have Claude / GPT-5 autonomously generate smart-contract exploits against real-chain forks. Per-scan cost: $1.22.

Cumulative theoretical exploit revenue in one night: $4.6M.

Why it matters: frames the AI-vs-Web3 arms race economically. If attack cost is $1.22 and reward is $1K-$10K, attackers will spam-scan at scale.

4. ChatGPT Pump.fun Poisoning (2024-11-21) — first documented training-data poisoning → on-chain loss

ChatGPT cited an attacker-controlled API URL (planted in training data); a user followed the suggestion and called the URL, which exfiltrated their private key.

Why it matters: the first clearly-documented case of "AI training data → on-chain financial loss."

5. Telegram trading bot historical baseline (2023-2024)

| Bot | Date | Loss | Vector |
|---|---|---|---|
| Unibot | 2023-10 | $640K | Token approval call injection |
| Maestro | 2023-10 | $485K | Router 2 arbitrary code exec |
| Banana Gun | 2024-09 | $3M | Telegram oracle exploit |
| Solareum | 2024-03 | $1.4M | DPRK insider |
| None Trading | 2023-09 | $16.5M | Discord bot critical exploit |

Why it matters: establishes a pre-AI baseline. Also surfaces the "Telegram bots refund, X hijacks don't" cultural divide.

6. Credential / social-account compromise cluster (2025 Q1)

| Incident | Loss | Vector |
|---|---|---|
| Jupiter DEX X hijack → fake $MEOW | $20M | X account hijack |
| Pump.fun X hijack → fake $PUMP / GPT-4.5 | $5M | X account hijack |
| ai16z founder Shaw X hijack | unknown | X account hijack |
| Virtuals Discord moderator key leak | unknown | Credential leak |

Why it matters: 47% of all incidents are "AI agent peripheral credential failure," not "AI itself getting tricked." The security bottleneck of AI agents is plumbing, not AI intelligence.

7. ElizaOS CrAIBench (2025-03-21) — cross-platform memory poisoning

The original Princeton paper was single-platform memory injection (inject on Discord, retrieve on X).

CrAIBench extends to multi-platform + quantitative evaluation framework. Follow-up research on the ElizaOS memory problem.


Patterns across all 21

Putting all 21 into a spreadsheet reveals these patterns:

Pattern 1: 47% are credential compromise, not AI being deceived

| Attack category | Count | Share |
|---|---|---|
| Credential / social account compromise | 10 | 47.6% |
| Prompt injection / social engineering | 5 | 23.8% |
| Tool / permission scoping bug | 3 | 14.3% |
| Memory poisoning | 2 | 9.5% |
| Numerical / unit bug | 1 | 4.8% |

Media love to report "AI got tricked" (24%). Reality: most are "peripheral credentials failed" (48%).

Pattern 2: Virtuals Protocol is the most-targeted framework

3 independent incidents involve Virtuals. Not because Virtuals is especially weak — because of scale and concentration. One vulnerability can affect 12,000+ agents.

Lesson: framework consolidation increases risk. Every framework should have a public incident response policy.

Pattern 3: Incident count is doubling YoY

  • 2022: 1 (MEE6 NFT phishing $360K)
  • 2023: 2-3 (Unibot, Maestro, None Trading)
  • 2024: 3
  • 2025: 8
  • 2026 (first 5 months): 5, projecting 10+ for the year

Aligns with Anthropic SCONE-bench's "exploit revenue doubling every 1.3 months."

Pattern 4: Telegram bots refund; X hijacks don't

Unibot / Maestro / Banana Gun all refunded users from treasury.

Jupiter / Pump.fun X hijack victims got nothing.

This divergence is cultural, not technical — but worth documenting.


Tracker repo live

The 21 incidents are now structured data:

🔗 GitHub repo: github.com/ppcvote/crypto-agent-incidents
🔗 Public site: ultralab.tw/incidents

Schema:

{
  "id": "kebab-case-id",
  "date": "YYYY-MM-DD",
  "name": "Display name",
  "agent": "Agent name",
  "framework": "Eliza | Virtuals | Bankr | null",
  "loss_usd": 250000,
  "attack_vector": "encoding-injection | social-engineering | ...",
  "defense_layer_failed": "static-prompt | runtime-tool | ...",
  "description": "1-3 sentences",
  "sources": ["url1", "url2"],
  "prevention_notes": "what would have stopped it",
  "primary_evidence_quality": "strong | medium | weak"
}
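As an added example (not code from the Tracker repo), here is a validator for records in the schema above plus the aggregation behind the "Patterns" table: count, share per attack vector and total loss. The attack-vector list, the `sample()` helper and the sample records are constructed stand-ins, not real Tracker data.

```python
import re
from collections import Counter
from datetime import date

ATTACK_VECTORS = {"encoding-injection", "social-engineering", "credential-compromise",
                  "memory-poisoning", "tool-scoping-bug"}  # assumed; schema's "..." is open-ended
REQUIRED = {"id": str, "date": str, "name": str, "agent": str, "loss_usd": int,
            "attack_vector": str, "defense_layer_failed": str, "description": str,
            "sources": list, "prevention_notes": str, "primary_evidence_quality": str}

def validate_incident(rec):
    """Return a list of problems; an empty list means the record matches the schema."""
    errors = [f"missing {f}" for f in REQUIRED if f not in rec]
    errors += [f"{f} must be {t.__name__}" for f, t in REQUIRED.items()
               if f in rec and (not isinstance(rec[f], t) or isinstance(rec[f], bool))]
    if errors:  # don't run value checks on a structurally broken record
        return errors
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        errors.append("date must be YYYY-MM-DD")
    checks = [
        ("framework" in rec, "missing framework (use null when unknown)"),
        (re.fullmatch(r"[a-z0-9]+(-[a-z0-9]+)*", rec["id"]), "id must be kebab-case"),
        (rec["loss_usd"] >= 0, "loss_usd must be >= 0"),
        (rec["attack_vector"] in ATTACK_VECTORS, "unknown attack_vector"),
        (rec["primary_evidence_quality"] in {"strong", "medium", "weak"},
         "primary_evidence_quality must be strong|medium|weak"),
        (rec["sources"], "at least one source URL is required"),
    ]
    return errors + [msg for ok, msg in checks if not ok]

def summarize(records):
    """Count, total loss and share (%) per attack vector over the valid records only."""
    valid = [r for r in records if not validate_incident(r)]
    counts = Counter(r["attack_vector"] for r in valid)
    return {"count": len(valid), "total_loss_usd": sum(r["loss_usd"] for r in valid),
            "share_pct": {v: round(100 * n / len(valid), 1) for v, n in counts.items()}}

def sample(id_, day, vector, loss):  # constructed placeholder record, not a real incident
    return {"id": id_, "date": day, "name": "Example", "agent": "example-agent",
            "framework": None, "loss_usd": loss, "attack_vector": vector,
            "defense_layer_failed": "runtime-tool", "description": "constructed",
            "sources": ["https://example.invalid/report"], "prevention_notes": "n/a",
            "primary_evidence_quality": "medium"}

SAMPLES = [sample("x-hijack-a", "2025-01-15", "credential-compromise", 2_000_000),
           sample("x-hijack-b", "2025-02-01", "credential-compromise", 500_000),
           sample("dm-inject", "2025-03-10", "social-engineering", 50_000),
           sample("Bad_ID", "2025-13-01", "unknown", -1)]  # fails four value checks
```

Run the validator over `incidents/` before accepting a PR; `summarize()` only counts records that pass, so a malformed entry cannot silently shift the share figures.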

Use cases:

  • Investment due diligence (how often does this framework get hit?)
  • Security research (how many precedents for this attack vector?)
  • Feed new vectors into prompt-defense-audit and other scanners
  • Establish industry norms (Telegram bots refund vs X hijacks don't)

PRs welcome:

  • New incidents → add to incidents/
  • Strengthen evidence quality → cite more primary sources
  • Translate

What you can take away

If you build / invest / use crypto AI agents:

  1. Read the Tracker, not media headlines — media love "AI got tricked" but 47% are credential issues
  2. Framework concentration is risky — Virtuals' 12,000-agent system prompts being rewritable in one operation actually happened
  3. Verified Agent Attestation is an open market — BasisOS scammed $531K with a human pretending to be AI; nobody is solving this yet
  4. Static defense isn't enough — none of the 21 incidents would have been caught by prompt-defense-audit alone, because most failure points aren't in the prompt
  5. Telegram bots are safer than you think — at least they have a refund culture

Part 5 of 5 in "Min Yi in Germany Atlas" public-experiment series. Previous parts: 1, 2, 3, 4.

Written 2026-05-08, 2 hours into BR71 flight.
