July 10, 2026 ChainGPT

HalluSquatting: AI Hallucinations Can Spawn Botnets, Threatening Crypto Networks

HalluSquatting: AI Hallucinations Can Spawn Botnets, Threatening Crypto Networks
Headline: New research shows AI “hallucinations” can be weaponized into botnets — a clear risk for crypto infrastructure AI assistants that go beyond answering questions and start interacting with systems can be tricked into building attacker-controlled networks of infected machines, researchers from Tel Aviv University, Technion and Intuit warn. In a paper titled “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting,” the team demonstrates how adversaries can exploit AI hallucinations to deliver real-world compromise at scale. How the attack works The method — dubbed adversarial hallucination squatting or “HalluSquatting” — leverages a simple but powerful idea. Many agentic large language model (LLM) applications fabricate links, repository names, or installation commands when they cannot find a direct resource. Attackers predict which fake resources an AI is likely to invent, register those names (or otherwise control the resource), and plant malicious instructions there. If an agent later fetches the hallucinated resource, it may treat the attacker-controlled content as legitimate and act on it. Why this matters now The risk grows as agents gain privileges: accessing files, searching the web, writing and executing code, or installing software. Those capabilities create attack surfaces that aren’t present in traditional chat-only models. The researchers note that prior promptware work has shown real impacts across systems like ChatGPT, Google Assistant and Copilot — and HalluSquatting takes that threat into an automation-first world where a single compromised agent can be used to infect many hosts. Real-world testing and scope In experiments against AI coding assistants and agent tools including Cursor, GitHub Copilot, Gemini CLI and OpenClaw, the team recorded high rates of AI-generated hallucinations: as much as 85% in repository-cloning scenarios and 100% in skill-installation tests. Those numbers illustrate how reliably agents will invent and attempt to retrieve nonexistent resources under certain conditions. From typosquatting to machine-squatting HalluSquatting is analogous to typosquatting — where attackers register domains that look like legitimate sites to fool human users — but targets model mistakes instead of human typing errors. The consequence is the same: attackers can hijack trust and inject malicious code or instructions. Implications for crypto and broader security The researchers explicitly warn that HalluSquatting could enable AI-enabled botnets: networks of remotely controlled devices used for DDoS attacks, malware or cryptocurrency mining. For the crypto ecosystem, that raises several concrete risks — illicit mining consuming infrastructure resources, automated theft or exfiltration attempts, expanded scale for ransomware and other extortion campaigns, and supply-chain attacks against developer tooling and libraries. The work follows other recent demonstrations of agent-level manipulation: Google researchers in April showed malicious sites that can hijack agents via indirect prompt injection, another study revealed “CopyPasta” prompts hidden in developer files that propagate malicious code, and OpenClaw users reported thousands of attempts to trick agents into leaking sensitive data. What to do about it The paper doubles as a warning and a call to action for developers and operators building agentic systems. Practical defenses include restricting agents’ ability to fetch and run unverified code, enforcing cryptographic signing and provenance checks for packages and resources, sandboxing agents and applying least-privilege policies, and monitoring for anomalous network behavior. For crypto infrastructure and developer tooling, stronger supply-chain hygiene and package-name collision protections will be critical. Bottom line As AI assistants grow more autonomous, the hallucinations we’ve treated as harmless errors can become attack vectors with real-world consequences. HalluSquatting highlights a new era of promptware where adversaries weaponize model quirks to scale compromise — a threat the crypto industry and security teams should take seriously now. Read more AI-generated news on: undefined/news