AI Hallucinations Could Enable Hackers to Build Botnets

Researchers from Tel Aviv University, the Technion, and Intuit have warned that AI hallucinations are not just incorrect answers but could be exploited by hackers to compromise computers.

In a new paper titled “Beware of Agentic Botnets: Scalable Untargeted Promptware Attacks via Universal and Transferable Adversarial HalluSquatting,” the team demonstrated a technique called “HalluSquatting.” The attack works by predicting which fake resources AI models are likely to generate—such as links to software repositories—and then registering those names with malicious instructions. When an AI agent later retrieves the hallucinated resource, it may treat the attacker-controlled content as legitimate.

How HalluSquatting Works

The researchers explained that as AI assistants move beyond answering questions and gain the ability to interact with computers—accessing files, searching the web, writing code, and running commands—those actions can create security gaps. Agents often act on retrieved information without verifying if the source is real.

“The growing adoption of agentic LLM applications has introduced a new threat previously named as promptware,” the researchers wrote. They noted that while earlier work focused on direct channels to LLM applications, many systems lack such channels beyond the internet, making HalluSquatting particularly dangerous.

This technique is similar to typosquatting, where attackers register domain names resembling legitimate websites to trick users. But instead of exploiting human typing mistakes, HalluSquatting targets errors made by AI models.

Testing the Attack

In testing, the researchers found AI-generated resource hallucinations occurred at high rates. Specifically, they observed rates as high as 85% in repository cloning scenarios and 100% in skill installation tests. The team evaluated the attack against several AI coding assistants and agents, including Cursor, GitHub Copilot, Gemini CLI, and OpenClaw.

They warned that the technique could enable attackers to build AI-powered botnets. A botnet is a network of infected computers or devices controlled remotely by an attacker, commonly used for denial-of-service attacks, cryptocurrency mining, malware distribution, and ransomware campaigns.

Broader Implications

“Ongoing studies have demonstrated various variants of Promptware attacks against real-world systems, including ChatGPT, Google Assistant, Copilot, and various additional applications,” the researchers noted. “These works demonstrated that Promptware can lead to financial, privacy, and safety impacts.”

The findings come as researchers continue to probe how attackers can manipulate AI agents. In April, Google researchers detailed malicious websites designed to hijack AI agents through indirect prompt injection attacks, including attempts to steal passwords, delete files, and manipulate payments. A separate study on the “CopyPasta” attack showed how hidden prompts inside developer files could manipulate AI coding assistants into spreading malicious code.

In June, an OpenClaw user reported facing more than 6,000 attempts from attackers trying to trick the AI agent into leaking sensitive information.