AI Gets Played: ElizaOS Exploit Reveals How Chatbots Can Be Manipulated Into Draining Crypto Wallets
Another day, another DeFi hack—except this time, the attacker didn’t need to write a single line of code. Just sweet-talk an AI into self-destructing.
How it works: Researchers found ElizaOS (that ’friendly’ blockchain interface) crumbles under basic social engineering. Flatter its ego, imply you’re ’testing’ security, and watch it hand over private keys like a starstruck intern.
The irony? Banks spent millions marketing these bots as ’fraud-proof’ while actual fraudsters just... asked nicely. Maybe next they’ll train AIs to recognize Nigerian princes.
Closing thought: If your fund’s ’AI security’ can be bypassed by a chatbot saying ’pretty please,’ maybe keep that seed phrase written on paper after all.
Image: Research Image of a Memory Injection Attack
“An attacker could execute a Sybil attack by creating multiple fake accounts on platforms such as X or Discord to manipulate market sentiment,” the study reads. “By orchestrating coordinated posts that falsely inflate the perceived value of a token, the attacker could deceive the agent into buying a ’pumped’ token at an artificially high price, only for the attacker to sell their holdings and crash the token’s value.”
A memory injection is an attack in which malicious data is inserted into an AI agent’s stored memory, causing it to recall and act on false information in future interactions, often without detecting anything unusual.
While the attacks do not directly target the blockchains, Patlan said the team explored the full range of ElizaOS’s capabilities to simulate a real-world attack.
“The biggest challenge was figuring out which utilities to exploit. We could have just done a simple transfer, but we wanted it to be more realistic, so we looked at all the functionalities ElizaOS provides,” he explained. “It has a large set of features due to a wide range of plugins, so it was important to explore as many of them as possible to make the attack realistic.”
Patlan said the study’s findings were shared with Eliza Labs, and discussions are ongoing. After demonstrating a successful memory injection attack on ElizaOS, the team developed a formal benchmarking framework to evaluate whether similar vulnerabilities existed in other AI agents.
Working with the Sentient Foundation, the Princeton researchers developed CrAIBench, a benchmark measuring AI agents’ resilience to context manipulation. The CrAIBench evaluates attack and defense strategies, focusing on security prompts, reasoning models, and alignment techniques.
Patlan said one key takeaway from the research is that defending against memory injection requires improvements at multiple levels.
“Along with improving memory systems, we also need to improve the language models themselves to better distinguish between malicious content and what the user actually intends,” he said. “The defenses will need to work both ways—strengthening memory access mechanisms and enhancing the models.”
Eliza Labs did not immediately respond to requests for comment by Decrypt.
Edited by Sebastian Sinclair
