Several AI agents managing millions of dollars in cryptocurrency are susceptible to a new undetectable attack that manipulates their memory, enabling malicious actors to perform unauthorized transactions.

According to recent research conducted by Princeton University and the Sentient Foundation, vulnerabilities have been identified in crypto-focused AI agents, such as those using the popular ElizaOS framework.

Atharv Patlan, a graduate student at Princeton University and co-author of the paper, stated that ElizaOS's popularity made it an ideal subject for study.

"ElizaOS is a widely-used Web3-based agent with approximately 15,000 stars on GitHub, making its vulnerabilities particularly concerning," Patlan remarked. "The fact that such a widely adopted agent has vulnerabilities prompted us to explore this further."

Initially launched as ai16z, the project was initiated by Eliza Labs in October 2024. It is an open-source framework designed to create AI agents that interact with and operate on blockchain systems. The platform was renamed ElizaOS in January 2025.

An AI agent is an autonomous software program designed to perceive its environment, process information, and take actions to achieve specific goals without human intervention. According to the research, these agents are extensively used to automate financial tasks on blockchain platforms and can be deceived through "memory injection" – a novel attack vector embedding malicious instructions into the agent’s persistent memory.

"Eliza has a memory storage system, and we attempted to inject false memories by having others input them via another social media platform," explained Patlan.

The research found that AI agents relying on social media sentiment are particularly vulnerable to manipulation.

Attackers can use fake accounts and coordinated postings, known as Sybil attacks – named after Sybil, a young woman diagnosed with dissociative identity disorder – to deceive agents into making trading decisions.

"Attackers can execute Sybil attacks by creating multiple fake accounts on platforms like X or Discord to manipulate market sentiment," the study noted. "By coordinating posts that falsely inflate the value of a token, attackers can trick agents into buying 'hyped' tokens at artificially high prices, after which they sell their holdings and cause the token value to crash."

Memory injection is an attack where malicious data is inserted into an AI agent's stored memory, causing it to recall and act upon false information in future interactions without detecting any anomalies.

Although the attacks do not directly target the blockchain itself, Patlan mentioned that the team explored the full capabilities of ElizaOS to simulate real-world attacks.

"The biggest challenge was identifying which tools to exploit. We could have simply performed a transfer, but we wanted it to be more realistic, so we examined all the functionalities provided by ElizaOS," he explained. "With its extensive plugin support offering a wide range of features, exploring as many functions as possible to make the attack realistic was crucial."

Patlan stated that the findings have been shared with Eliza Labs, and discussions are ongoing. After successfully demonstrating a memory injection attack on ElizaOS, the team developed a formal benchmark framework to evaluate whether similar vulnerabilities exist in other AI agents.

In collaboration with the Sentient Foundation, researchers from Princeton developed CrAIBench, a benchmark measuring AI agents' resistance to context manipulation. CrAIBench assesses both attack and defense strategies, focusing on secure prompts, reasoning models, and alignment techniques.

Patlan emphasized that a key conclusion from the research is that defending against memory injection requires improvements on multiple levels.

"Beyond enhancing memory systems, we also need to improve language models themselves to better distinguish between malicious content and genuine user intent," he said. "Defense must work in two directions—strengthening memory access mechanisms and enhancing the models."