From 5283a7a96f158b669b59e8a2826671adacc36e46 Mon Sep 17 00:00:00 2001 
From: ppcvote
Date: Mon, 11 May 2026 21:00:19 +0800
Subject: [PATCH] feat(ASI Tracker): add 3 crypto AI agent incidents (Freysa, ElizaOS, AIXBT)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds three previously-undocumented agentic AI incidents to the ASI Agentic Exploits & Incidents Tracker, inserted at chronologically-correct positions:

- Nov 2024: Freysa Adversarial Banker — Function-Semantic Redefinition
  ASI01 (Agent Goal Hijack) + ASI09 (Human-Agent Trust Exploitation)
  An autonomous adversarial-game crypto agent was convinced via prompt framing to redefine its `approveTransfer` tool semantics mid-conversation; drained 13.19 ETH (~$47K) from its treasury on attempt #482.

- Mar 2025: AIXBT Dashboard Compromise + Queued Adversarial Prompts
  ASI03 (Identity & Privilege Abuse) + ASI01 (Agent Goal Hijack)
  Hybrid attack: control-plane credential compromise combined with prompt-level instruction injection into the agent's task queue. Drained 55.5 ETH (~$106K) from the Simulacrum wallet.

- May 2025: ElizaOS Cross-Platform Memory Injection (CrAIBench)
  ASI06 (Memory & Context Poisoning) + ASI01 (Agent Goal Hijack)
  Princeton + Sentient Foundation demonstrated that ElizaOS's shared RAG memory across Discord/X could be poisoned on one platform to coerce unauthorized crypto transfers on another. Released as the CrAIBench benchmark; ElizaOS powers many production crypto AI agents (~15K GitHub stars).

All three patterns are agentic-application-specific: autonomous tool use, persistent treasury/wallet management, mid-conversation state. Crypto is the first economically-meaningful production context, but the underlying patterns (function-semantic mutability, hybrid credential + injection, cross-platform memory provenance) generalize to any autonomous-agent deployment context.

Primary sources cited per row:
- Freysa: developer's original disclosure thread + Hacker News discussion
- AIXBT: AI Incident Database canonical record (#1003)
- ElizaOS: arXiv 2503.16248 preprint + Decrypt research coverage

Signed-off-by: ppcvote
---
 .../ASI_Agentic_Exploits_Incidents.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md
index f59c55e5..015181fc 100644
--- a/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md
+++ b/initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md
@@ -61,8 +61,11 @@ response should be discussed with the **CTI initiative** responsible for publish |**Jun 2025**| **AgentSmith Prompt-Hub Proxy Attack** | Proxy prompt agent exfiltrated API keys | • ASI04 (Agentic Supply Chain Vulnerabilities) | • —
• —
• [Noma Security](https://noma.security/blog/how-an-ai-agent-vulnerability-in-langsmith-could-lead-to-stolen-api-keys-and-hijacked-llm-responses) |**May 2025**| **EchoLeak (Zero-Click Prompt Injection)** | Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI06 (Memory & Context Poisoning)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-32711)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-32711)
• [Aim Security](https://www.aim.security/post/echoleak-blogpost) | |**May 2025**| **GitPublic Issue Repo Hijack** | Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI06 (Memory & Context Poisoning)
• ASI07 (Insecure Inter-Agent Communication)
• ASI08 (Cascading Failures)| • —
• —
• [Invariant Labs](https://invariantlabs.ai/blog/mcp-github-vulnerability) +|**May 2025**| **ElizaOS Cross-Platform Memory Injection (CrAIBench)** | Researchers at Princeton and the Sentient Foundation demonstrated that the ElizaOS framework's shared RAG memory across platforms (Discord, X) could be poisoned by an attacker on one platform such that a legitimate user request on another platform later triggered the agent to act on the injected instruction (including unauthorized crypto transfers). Released as the CrAIBench benchmark. ElizaOS powers many production crypto AI agents (~15K GitHub stars). | • ASI06 (Memory & Context Poisoning)
• ASI01 (Agent Goal Hijack) | • [arXiv 2503.16248](https://arxiv.org/abs/2503.16248)
• —
• [Decrypt](https://decrypt.co/318200/elizaos-vulnerability-ai-gaslit-losing-millions) |**Apr 2025**| **Agent-in-the-Middle (A2A Protocol Spoofing)** | A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | • ASI03 (Identity & Privilege Abuse)
• ASI06 (Memory & Context Poisoning)
• ASI07 (Insecure Inter-Agent Communication)
• ASI08 (Cascading Failures)
• ASI10 (Rogue Agents)| • —
• —
• [Trustwave](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks) |**Mar 2025**| **GitHub Copilot & Cursor Code-Agent Exploit** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | • ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI08 (Cascading Failures)
• ASI09 (Human-Agent Trust Exploitation) | • —
• —
• [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents) |**Mar 2025**| **Flowise Pre-Auth Arbitrary File Upload** | Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | • ASI05 (Unexpected Code Execution (RCE)) | • [FlowiseAI](https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-h42x-xx2q-6v6g)
• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-26319)
• [Dor Attias (Medium)](https://medium.com/@attias.dor/the-burn-notice-part-2-5-5-flowise-pre-auth-arbitrary-file-upload-cve-2025-26319-0d4194a34183) +|**Mar 2025**| **AIXBT Dashboard Compromise + Queued Adversarial Prompts** | Attacker infiltrated the operational dashboard of the AIXBT autonomous trading agent at 02:00 UTC on 2025-03-18 and queued two fraudulent prompts that directed the agent to transfer 55.5 ETH (~$106K) from the agent's Simulacrum wallet to an attacker-controlled address. Hybrid attack pattern: control-plane credential compromise combined with prompt-level instruction injection into the agent's queued task context. | • ASI03 (Identity & Privilege Abuse)
• ASI01 (Agent Goal Hijack) | • —
• —
• [AI Incident Database #1003](https://incidentdatabase.ai/cite/1003/) |**Feb 2025**| **OpenAI ChatGPT Operator Vulnerability** | Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | • ASI01 (Agent Goal Hijack)
• ASI02 (Tool Misuse & Exploitation)
• ASI03 (Identity & Privilege Abuse)
• ASI04 (Agentic Supply Chain Vulnerabilities)
• ASI06 (Memory & Context Poisoning)
• ASI07 (Insecure Inter-Agent Communication)
• ASI09 (Human-Agent Trust Exploitation) | • —
• —
• [Embrace The Red](https://embracethered.com/blog/posts/2025/chatgpt-operator-prompt-injection-exploits/) +|**Nov 2024**| **Freysa Adversarial Banker — Function-Semantic Redefinition** | Freysa was an autonomous adversarial-game crypto agent with a single rule: never approve outgoing transfers. After 481 failed paid attempts (cost escalating per try), attempt #482 succeeded by framing the conversation as a fresh admin session and convincing the agent to redefine the semantics of its `approveTransfer` tool to authorize *incoming* funds rather than outgoing ones; the attacker then "donated" $100, which triggered the actual outflow path and drained 13.19 ETH (~$47K) from the agent's treasury. Demonstrates tool/function semantics being treated as redefinable mid-conversation rather than immutable. | • ASI01 (Agent Goal Hijack)
• ASI09 (Human-Agent Trust Exploitation) | • [Jarrod Watts disclosure thread](https://x.com/jarrodWattsDev/status/1862299845710757980)
• —
• [Hacker News](https://news.ycombinator.com/item?id=42272063) ---
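Review bot: the ElizaOS row is dated "May 2025" but its own primary source, arXiv 2503.16248, carries a March 2025 identifier, and the commit message says the rows are "inserted at chronologically-correct positions"; since the table runs newest-first, either move the row below Agent-in-the-Middle next to the other Mar 2025 entries (Copilot/Cursor, Flowise, AIXBT) or state in the row that May 2025 is the date of the Decrypt coverage rather than of the disclosure. Two smaller points on the same three rows: the existing rows fill the source column in a fixed order (vendor or first-party advisory, then NVD, then third-party write-up, with "• —" for an empty slot), and the Freysa row puts the "Jarrod Watts disclosure thread" in the first-party slot while the commit message calls it the "developer's original disclosure thread"; if that thread is a third-party analysis rather than a statement from the Freysa team, it belongs in the third slot and should be labelled as such. Also, "(~15K GitHub stars)" in the ElizaOS description is not an incident fact and will go stale; drop it or date it, and consider naming the ElizaOS version the paper tested so the row stays reproducible.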