Double Agents: Attackers Abusing Identity by Weaponizing AI Agents
AI agents are quickly becoming the new users and buyers of the internet. From ChatGPT browsing the web to answer questions, to Perplexity synthesizing research, to OpenClaw answering emails, these AI agents are everywhere, and in some cases, are trusted by default.
But that trust is now being exploited by fraudsters.
Attackers have discovered they can hijack these trusted identities, transforming AI agents into accomplices in their attacks. By manipulating AI tools to visit malicious URLs or submit crafted prompts, bad actors can conduct reconnaissance, probe for vulnerabilities, and execute attacks, all while hiding behind the legitimacy of well-known AI services.
Our Threat Research Team, Galileo, has identified a disturbing trend: attackers are systematically abusing AI agent infrastructure to bypass traditional security controls. Recently, we reported on two cases.
First, we observed legitimate AI platforms like xAI’s Grok masquerading as human browsers, rotating through residential IPs, and launching aggressive distributed fetches that mirror malicious bot behavior. Second, we documented a surge of nearly 600,000 requests in January 2025 that appeared to be legitimate ChatGPT user referrals, but were actually bots spoofing the “Referer” header to bypass security filters.
In addition, Galileo has reported that 80% of AI agents do not declare themselves properly when visiting websites.
What follows are four more real-world cases that our team has observed that reveal how this attack vector is being exploited in the wild.
Case study 1: Perplexity used for reflected XSS
The target: A major electronics e-commerce site
In this incident, an attacker used Perplexity’s browsing agent to attempt a Reflected Cross-Site Scripting (XSS) attack. The goal of an XSS attack is to inject malicious scripts into trusted websites.
- The attacker crafted a URL containing a JavaScript payload and likely fed it to Perplexity, perhaps by asking the AI to “summarize this link”.
- The request targeted a product page, injecting the script into the color parameter: %3Cscript%3Ealert%2812%29%3C%2Fscript%3E (which decodes to <script>alert(12)</script>).
- To a standard security filter, this request looked like a legitimate crawler from Perplexity (Perplexity-User) originating from a documented cloud IP (18.97.43.83).

Case study 2: Meta-ExternalAgent (Facebook) as a vulnerability scanner
The target: A tourism website
Social media bots are constantly fetching previews of links shared by users. Attackers know this and use it to trick platforms like Meta into probing websites for vulnerabilities on their behalf.
- The attacker triggered Meta’s crawler to visit a specific, weaponized URL on the victim’s site.
- The probe buried a javascript:alert(xss) payload deep within a nested URL structure. The request targeted a guestbook submission script: /submit/?title=Guestbook…&url=…javascript%3Aalert%28xss%29….
- The request came from a Meta IP (57.141.0.78) and correctly identified itself as a Meta-ExternalAgent. However, the payload was a textbook XSS probe.

Case study 3: OpenAI and SQL injections
The target: A financial news portal
Perhaps the most interesting example involves the world’s most famous AI, ChatGPT, seemingly being used to perform a SQL injection (SQLi) attack.
- The attacker utilized OpenAI’s infrastructure to send a classic Time-Based Blind SQL Injection. This type of attack asks the database to “sleep” for a set time (e.g., 15 seconds) to confirm whether the database is vulnerable.
- We see a clear attempt to inject commands into a PostgreSQL database: …OR 726=(SELECT 726 FROM PG_SLEEP(15))--.
- The request originated from a documented OpenAI IP address (74.7.242.34) and identified itself as GPTBot.
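The three probes above share a shape: a recognised agent user agent, a source address the vendor documents, and a request parameter that has nothing to do with fetching a page. The Python example below is added here for illustration (it is not DataDome’s code nor any vendor’s); it replays constructed access-log lines modelled on cases 1 to 3 and shows that decoding and inspecting the request target catches all three regardless of how trustworthy the source looks. The vendor IP ranges are an assumption built from the single addresses quoted above, and the user-agent substrings, signature regexes and tab-separated log format are constructed for the example.

```python
"""Payload inspection that does not depend on who is asking.

Added example (not DataDome's code): replays constructed access-log lines
modelled on case studies 1-3 and flags XSS / SQLi probes even when the user
agent and source IP match a documented AI-agent crawler.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Vendor lookup keyed on a lowercase user-agent substring. The ranges are the
# single addresses quoted in the case studies (/32s); in production load the
# vendor-published ranges instead (assumption for this example).
KNOWN_AGENTS = {
    "perplexity-user": ("Perplexity", ["18.97.43.83/32"]),
    "meta-externalagent": ("Meta", ["57.141.0.78/32"]),
    "gptbot": ("OpenAI", ["74.7.242.34/32"]),
}

# Signatures for the two payload families seen in the cases above.
XSS_PATTERNS = [
    (re.compile(r"<\s*script\b", re.I), "xss:script-tag"),
    (re.compile(r"javascript\s*:", re.I), "xss:javascript-uri"),
    (re.compile(r"\bon(?:error|load|mouseover|focus)\s*=", re.I), "xss:event-handler"),
]
SQLI_PATTERNS = [
    (re.compile(r"\bpg_sleep\s*\(", re.I), "sqli:time-based-postgres"),
    (re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I), "sqli:time-based"),
    (re.compile(r"\bwaitfor\s+delay\b", re.I), "sqli:time-based-mssql"),
    (re.compile(r"\b(?:or|and)\s+\d+\s*=\s*\(?\s*(?:select\b|\d+)", re.I), "sqli:boolean"),
    (re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I), "sqli:union"),
]

# Constructed log lines: "client_ip<TAB>user_agent<TAB>request_target".
SAMPLE_LOGS = [
    "18.97.43.83\tPerplexity-User\t/product/123?color=%3Cscript%3Ealert%2812%29%3C%2Fscript%3E",
    "57.141.0.78\tMeta-ExternalAgent\t/submit/?title=Guestbook&url=http%3A%2F%2Fexample.com%2F%3Fnext%3Djavascript%253Aalert%2528xss%2529",
    "74.7.242.34\tGPTBot\t/news/article?id=42%20OR%20726%3D%28SELECT%20726%20FROM%20PG_SLEEP%2815%29%29--",
    "18.97.43.83\tPerplexity-User\t/product/123?color=blue",
    "74.7.242.34\tGPTBot\t/news/article?id=42",
    "203.0.113.5\tMozilla/5.0\t/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E",
]


def deep_unquote(value, rounds=3):
    """Percent-decode until the string stops changing (bounded), so payloads
    buried in nested or double-encoded URLs surface for inspection."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_values(target):
    """Decoded path plus every decoded query value of a request target."""
    parts = urlsplit(target)
    values = [deep_unquote(parts.path)]
    for _, raw in parse_qsl(parts.query, keep_blank_values=True):
        values.append(deep_unquote(raw))
    return values


def classify_payload(values):
    """Distinct signature labels matched by any decoded value, in pattern order."""
    findings = []
    for value in values:
        for pattern, label in XSS_PATTERNS + SQLI_PATTERNS:
            if label not in findings and pattern.search(value):
                findings.append(label)
    return findings


def identify_agent(ip, user_agent):
    """(vendor, verified): verified means the UA claim is backed by an address
    inside that vendor's documented ranges."""
    ua = user_agent.lower()
    for needle, (vendor, ranges) in KNOWN_AGENTS.items():
        if needle in ua:
            addr = ipaddress.ip_address(ip)
            return vendor, any(addr in ipaddress.ip_network(r) for r in ranges)
    return None, False


def inspect_request(ip, user_agent, target):
    """Reputation only labels the requester; the payload decides the verdict,
    so a verified agent carrying a probe is blocked like any other client."""
    vendor, verified = identify_agent(ip, user_agent)
    findings = classify_payload(extract_values(target))
    return {"ip": ip, "agent": vendor, "verified_agent": verified,
            "findings": findings, "verdict": "block" if findings else "allow"}


def scan_logs(lines):
    """One result dict per constructed log line."""
    return [inspect_request(*line.split("\t")) for line in lines]


def flagged(lines):
    """Only the requests that carried a recognised payload."""
    return [r for r in scan_logs(lines) if r["findings"]]


if __name__ == "__main__":
    for hit in flagged(SAMPLE_LOGS):
        print(hit["ip"], hit["agent"], hit["verified_agent"], hit["findings"])
```

Two design points matter here. Parameters are decoded repeatedly (with a bound), because the guestbook probe in case 2 hides its payload one encoding layer deeper inside a nested URL. And the reputation lookup only annotates the result, never sets the verdict: the benign Perplexity and GPTBot fetches in the sample pass, while the same agents carrying a script tag or a PG_SLEEP clause are blocked exactly as the anonymous client on the last line is.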

Case study 4: Comet Browser used for fake account creation
The target: A financial services login portal
- This attack targeted the account creation endpoint (/signup) rather than public content pages. The goal was likely to automate the registration of fake accounts for future abuse.
- Unlike high-velocity scrapers, this bot was programmed to be stealthy. It executed requests at a steady, “human-like” pace of roughly one request every 6–8 seconds to evade simple rate limits.
- Despite the stealthy timing, every request carried the same session ID. A legitimate AI browser does not repeatedly hit a “Signup” button for minutes on end with the same session ID.
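The detail that gives this session away is not its rate but its persistence: a per-IP limit tuned for scrapers never fires at one request every 6–8 seconds, while a count of signup submissions per session over a longer window does. The Python example below is added for illustration (not DataDome’s or Perplexity’s code); it builds a constructed request log in which one session posts to /signup at that cadence for about five minutes next to a normal session, then runs both a naive per-IP limiter and a session-level check over it. The window size, thresholds, IP addresses and session IDs are assumptions chosen for the example.

```python
"""Session-level behavioural detection for low-and-slow signup automation.

Added example (not DataDome's code): one constructed session posts to /signup
every 6-8 seconds for about five minutes beside a normal session. A per-IP
rate limit never trips; counting sensitive-endpoint hits per session does.
"""
import statistics
from collections import defaultdict

SENSITIVE_PATH = "/signup"
SESSION_WINDOW_SECONDS = 300     # assumption: look back five minutes per session
MAX_SIGNUPS_PER_SESSION = 3      # assumption: no real user submits signup more often
NAIVE_IP_LIMIT_PER_MINUTE = 10   # the kind of limit a 6-8 s cadence slips under


def build_sample_log():
    """Constructed entries: (seconds, client_ip, session_id, method, path).
    "sess-A" mimics the steady, human-paced bot from case study 4;
    "sess-B" is a person who signs up once and moves on."""
    entries = []
    t, cadence = 0.0, [6.0, 7.0, 8.0, 7.0, 6.5, 7.5]
    for i in range(42):
        entries.append((t, "198.51.100.7", "sess-A", "POST", SENSITIVE_PATH))
        t += cadence[i % len(cadence)]
    entries += [
        (3.0, "203.0.113.9", "sess-B", "GET", SENSITIVE_PATH),
        (20.5, "203.0.113.9", "sess-B", "POST", SENSITIVE_PATH),
        (45.2, "203.0.113.9", "sess-B", "GET", "/dashboard"),
    ]
    return sorted(entries)


def _peak_in_window(times, window):
    """Largest number of events inside any rolling window of `window` seconds."""
    times = sorted(times)
    start, peak = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def naive_ip_rate_limit(log, limit=NAIVE_IP_LIMIT_PER_MINUTE):
    """IPs exceeding `limit` requests (any path) in some 60 s window."""
    by_ip = defaultdict(list)
    for t, ip, *_ in log:
        by_ip[ip].append(t)
    return {ip for ip, times in by_ip.items() if _peak_in_window(times, 60) > limit}


def detect_signup_abuse(log, window=SESSION_WINDOW_SECONDS, max_hits=MAX_SIGNUPS_PER_SESSION):
    """Sessions that POST to the signup endpoint more than `max_hits` times in
    `window` seconds, with cadence statistics that expose the even pacing."""
    by_session = defaultdict(list)
    for t, _ip, session, method, path in log:
        if method == "POST" and path == SENSITIVE_PATH:
            by_session[session].append(t)
    abuse = {}
    for session, times in by_session.items():
        peak = _peak_in_window(times, window)
        if peak <= max_hits:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        abuse[session] = {
            "signup_posts_in_window": peak,
            "mean_gap_s": round(statistics.mean(gaps), 2),
            "gap_stdev_s": round(statistics.pstdev(gaps), 2),
        }
    return abuse


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP limit tripped by:", naive_ip_rate_limit(log) or "nobody")
    for session, stats in detect_signup_abuse(log).items():
        print(session, stats)
```

On the constructed log the per-IP limiter returns an empty set, because the bot never exceeds nine requests in any minute, while the session check reports 42 signup posts from one session with a mean gap near 7 seconds and a standard deviation well under a second. That low variance is the second signal worth keeping: real users do not submit a form on a metronome.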

The implications of AI agents being used for fraud
Traditional bot detection relies heavily on reputation scoring: known-good actors get allow-listed, suspicious patterns get flagged. But what happens when the “known-good” actor is delivering a malicious payload? Security teams face an uncomfortable choice: block legitimate AI agents and break functionality for real users, or allow them through and accept the risk.
This creates a dangerous blind spot. Attackers know that requests from verified AI infrastructure are more likely to bypass WAFs, rate limiters, and some bot management systems. They’re exploiting the very trust mechanisms we’ve built into modern security architecture.
The proxy problem
These attacks represent a new form of proxy abuse. Unlike traditional VPNs or residential proxies, AI agent infrastructure offers:
- Legitimacy: Real IP addresses owned by trusted companies
- Documentation: Publicly verified IP ranges and user-agent strings
- Plausible deniability: The requests appear to be normal AI agent behavior
- Scale: Access to enterprise-grade infrastructure without maintaining it
Attackers aren’t breaking in; they’re being invited in, disguised as the tools we’ve all come to depend on.
Ecosystem-wide risks
As AI agents become more capable and autonomous, this problem will only intensify. We’re already seeing:
- Automated exploitation: AI agents that can independently discover and probe vulnerabilities
- Scale attacks: Distributed attacks across multiple AI platforms simultaneously
- Evasion evolution: Attackers refining prompts to better disguise malicious intent
The four cases documented here likely represent just the visible edge of a much larger threat landscape. As agentic commerce grows in popularity, these attacks are likely to become more sophisticated, including types of payment fraud.
What you can do to protect your business
Attackers have realized that the fastest way through the front door isn’t to pick the lock; it’s to arrive in a trusted vehicle.
The examples above are evidence of a systematic exploitation of the trust gap between AI capabilities and security detection. As AI agents become more integrated into how we browse, search, and interact online, this attack vector will only become more attractive to malicious actors.
Security and fraud teams must adapt. Trusting identity alone is no longer sufficient. We need defenses that can:
- Distinguish between legitimate AI agent behavior and malicious abuse
- Detect anomalous patterns even when they originate from trusted infrastructure
- Validate the context and intent behind requests, not just their source
- Respond dynamically without breaking legitimate AI functionality
The good news? These attacks are detectable, but only if you’re looking for them with the right approach. At DataDome, we’re tracking this threat vector closely and building detection capabilities that understand not just who is making a request, but what they’re trying to accomplish.
Is your site vulnerable to AI agent abuse? Request a free vulnerability scan to see how attackers might be exploiting AI infrastructure to target your applications—or download our agentic commerce guide to learn how to protect your business in the age of AI agents.