Agentic Browser Security Under Fire: Prompt Injection Attacks Target Crypto Users

The intersection of artificial intelligence and web browsing creates a new frontier for digital asset theft. On August 20, 2025, Brave Security publicly disclosed a critical vulnerability in Perplexity Comet, an agentic browser feature that allows AI assistants to autonomously navigate websites and complete transactions on behalf of users. The vulnerability demonstrates how AI-powered browsing tools can be weaponized against cryptocurrency holders through indirect prompt injection — a technique where hidden instructions embedded in web content manipulate the AI agent into performing unauthorized actions.

The Threat Landscape

Agentic browsers represent the next evolution in web interaction. Instead of manually clicking through pages and filling forms, users instruct AI assistants to perform complex multi-step tasks: book flights, fill out applications, or execute cryptocurrency trades. Perplexity Comet, one of the leading implementations, processes webpage content by feeding it directly to a large language model (LLM) without adequately distinguishing between the user’s legitimate instructions and untrusted content loaded from third-party websites.

Brave’s security research team, led by Senior Mobile Security Engineer Artem Chaikin, discovered that an attacker can embed malicious instructions in web content through methods as simple as white text on a white background, HTML comments, or user-generated content on platforms like Reddit and social media. When an unsuspecting user asks the AI assistant to summarize a page or extract information, the hidden instructions are processed alongside legitimate content. The AI, unable to distinguish between trusted user commands and injected attacker instructions, executes the malicious payload as if the user had requested it.

Core Principles

The fundamental security principle violated here is the separation of instruction channels. In traditional computing, user input and data input are clearly delineated. Code is code and data is data. But in LLM-based systems, everything is text, and the model has no native mechanism to determine which text constitutes trusted instructions and which constitutes potentially hostile content loaded from external sources.

For crypto users, the implications are severe. An agentic browser with access to a user’s logged-in sessions on cryptocurrency exchanges, banking websites, or wallet interfaces can be instructed by an attacker to navigate to these sites, extract sensitive information, and exfiltrate data to attacker-controlled servers. With Bitcoin trading at $114,274 and Ethereum at $4,334 on the day of the disclosure, a single compromised session could result in catastrophic losses.

Tooling and Setup

Protecting against indirect prompt injection in agentic browsers requires a layered approach. Users should never grant AI assistants persistent access to logged-in sessions on financial platforms. Each sensitive action should require explicit user confirmation through a separate, secure channel. Browser extensions that restrict JavaScript execution and content injection provide an additional layer of defense.

For cryptocurrency holders specifically, the best practice is to maintain a complete separation between AI-assisted browsing and financial operations. Use a dedicated browser profile or device for accessing exchanges and wallet interfaces, with all AI assistant features disabled. Hardware wallets should be used for transaction signing, ensuring that even a compromised AI agent cannot authorize transfers without physical confirmation on the hardware device.

Ongoing Vigilance

The broader lesson extends beyond any single browser or AI assistant. As AI agents become embedded in more applications — email clients, messaging platforms, development tools — the attack surface for indirect prompt injection expands proportionally. Every context where an LLM processes untrusted external content alongside user instructions creates a potential vulnerability. The cybersecurity community must develop standardized frameworks for instruction isolation in AI systems, treating user prompts and external content as fundamentally different trust domains.

Brave’s disclosure serves as a critical reminder that innovation in AI-assisted browsing must be matched by innovation in AI security. The convenience of telling a browser to trade your crypto, manage your portfolio, or check your balances comes with a responsibility to understand and mitigate the risks of autonomous AI agents operating in financial contexts.

Final Takeaway

Until agentic browsers implement robust instruction isolation — formally separating user commands from webpage content at the architectural level — crypto users should treat AI-assisted browsing features as a potential attack vector. Disable AI assistants on financial sites, use hardware wallets for transaction signing, and monitor connected sessions for unauthorized activity. The era of AI agents acting on your behalf is arriving, but the security infrastructure needed to make it safe is still under construction.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making security decisions regarding digital assets.