Mass deployment of AI agents is a disaster waiting to happen, says CertiK CEO


Source: CoinDesk

Published: 15:31 UTC

BTC Price: $73845.0

#AI #Cybersecurity #Crypto

Analysis

Price Impact: Low

The article discusses security risks associated with AI agents and their potential misuse, particularly concerning financial tools and sensitive data. While it mentions the increasing relevance of AI agents in transactions, it does not directly link these security concerns to specific cryptocurrencies or their price movements. The focus is on the technology's adoption and the associated security challenges, not on direct market impact for any particular coin.

Trustworthiness: High

Price Direction: Neutral

The article does not provide any direct information or analysis that would suggest a specific price direction for any cryptocurrency. The discussion is about the risks of AI agent deployment, not about the trading or investment prospects of digital assets.

Time Effect: Long

The security risks highlighted by CertiK's CEO are foundational and relate to the ongoing and future development and integration of AI agents. These concerns could have a long-term impact on the adoption and security infrastructure of systems that interact with digital assets, rather than causing immediate price fluctuations.

Original Article:

Ronghui Gu shares tips on how to isolate AI agents while testing them so they do not have access to critical personal information or digital assets.

By Olivier Acuna | Edited by Jamie Crawley

May 29, 2026, 3:31 p.m. | 3 min read

[Image caption: CertiK co-founder and CEO Ronghui Gu warns against deploying AI agents without scanning them for viruses and isolating them before granting them further access to sensitive data and accounts. (Ronghui Gu)]

What to know:

- Security firm CertiK warns that the rapid deployment of autonomous AI agents, often unisolated and unvetted, is creating a massive and dangerous "security debt" across networks and applications.
- By granting AI agents access to local files, credentials and financial tools, users are effectively creating powerful insider threats that can be hijacked through prompt-injection attacks and malicious plug-ins.
- CertiK's research has uncovered widespread vulnerabilities and a surge in short-lived, automated on-chain scams targeting other AI systems, prompting calls for a shift to strict Zero Trust architectures for AI agent infrastructure.

The global rush to deploy autonomous AI agents across the internet, enterprise networks and consumer applications is creating a catastrophic security debt, according to the chief of blockchain security auditor CertiK.

While corporations ambitiously market these tools as productivity miracles, the crude reality is that deploying them can be a very, very risky thing to do. Unisolated, unvetted AI agents are a massive security disaster waiting to happen, Ronghui Gu, the co-founder and CEO of CertiK, told CoinDesk.

Gu warned that users are potentially exposing their most sensitive files, local credentials and money accounts to autonomous systems that can be easily manipulated, hijacked and openly scammed.
"Right now, agents are no longer just answering questions in a chat window," Gu told CoinDesk on the heels of CertiK's landmark deep-dive report into widespread agent infrastructure. "They are beginning to call external tools, read local files, trigger workflows, and interact with financial infrastructure. But if you do not isolate the execution environment and scan these tools first, you are handing a compromised identity broad internal access to your entire network."

The fundamental flaw in the current AI agent boom is a mistaken trust model, according to Gu.

Charles Hoskinson, founder and CEO of Cardano's Input Output, said that by 2035 AI agents will become more relevant than humans on the internet. Coinbase CEO Brian Armstrong recently said "very soon there are going to be more AI agents than humans making transactions," and Binance founder Changpeng Zhao predicted they "will make one million times more payments than humans."

Ultimate inside threat

Gu said many popular, open-source AI applications are built under the assumption that because they run locally on a user's computer or connect via standard chat apps like WhatsApp, they are safe from external threats. The reality is entirely the opposite, he noted. The moment a user grants an AI agent permission to read local system storage, view execution histories or manage personal email and business database credentials, that agent becomes the ultimate inside threat.

CertiK's recent analysis of early-stage, rapidly growing agent structures uncovered a staggering accumulation of security vulnerabilities, including hundreds of critical security advisories, unpatched common vulnerabilities and exposures (CVEs) and other massive exposures of local credentials and session memories resulting from completely inconsistent boundary checks.

More alarming yet is how easily these autonomous systems can be completely redirected at the reasoning layer without a single line of malicious code ever being written, Gu emphasized.
Through basic "prompt injection" attacks, a bad actor can embed hidden natural language instructions inside a benign webpage, a PDF document, or an incoming email, he added. When the unisolated AI agent reads that file to process a task for the user, it fails to separate trusted system commands from the untrusted external data, Gu explained. The agent then silently overwrites its original rules, obeys the malicious instruction, and can be forced to exfiltrate data or trigger unauthorized fund transfers.

Hyperfast exploits

Gu revealed that CertiK discovered hundreds of malicious skills, fake installers, and lookalike dependency packages sitting directly on open agent utility hubs. Because these malicious plug-ins use standard natural language to subtly influence the agent's behavior and change its goals, they completely bypass legacy, signature-based antivirus software.

"The scam apps use natural language to influence behavior, making them totally resistant to traditional antivirus scans," Gu explained. "And right now, it is even easier to scam the machine than it is to scam a human."

In what Gu describes as a bizarre evolution of financial crime, CertiK's telemetry has observed an explosion of on-chain, automated scams that run for only 10 minutes or a few hours before completely vanishing. These hyperfast, ephemeral exploits are specifically designed by hackers to target and scam other autonomous AI trading bots and automated agent systems, executing machine-on-machine financial drainage before any human even realizes a compromise has occurred.

Gu said the software engineering industry must completely abandon its reliance on trust-based interactions and move immediately toward an isolated, "Zero Trust" architecture where every command and dependency is continuously verified.
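The two controls the article argues for, scanning a plug-in before it is loaded and refusing to let an instruction that arrived inside a document drive a privileged tool, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the CoinDesk article, from CertiK, or from any agent framework. The tool names, the grant, the plug-in bodies and the sequence of proposed calls are all constructed, and the manifest hashes are computed from those constructed bodies rather than taken from anywhere. The point it demonstrates is that a deny-by-default grant plus a provenance tag on every tool call turns the "agent silently obeys the PDF" failure into a logged denial.

```python
# Added example (not from the CoinDesk article or CertiK). Models a per-task
# capability grant (deny by default) and a provenance tag on each tool call so
# that instructions found inside content the agent read cannot invoke tools the
# user never granted for that purpose. All names, bodies and calls are constructed.
import hashlib
from dataclasses import dataclass
from enum import Enum


class Origin(Enum):
    """Who authored the instruction that produced a tool call."""
    USER = "user"        # typed by the operator
    CONTENT = "content"  # found inside a webpage, PDF, or email the agent read


@dataclass(frozen=True)
class ToolCall:
    tool: str
    args: dict
    origin: Origin


@dataclass(frozen=True)
class TaskGrant:
    """Least-privilege grant for one task; tools absent from `allowed` are denied."""
    allowed: frozenset
    content_driven_ok: frozenset  # subset that content-derived instructions may invoke

    def __post_init__(self):
        # A grant that lets content drive an ungranted tool is a misconfiguration; fail closed.
        if not self.content_driven_ok <= self.allowed:
            raise ValueError("content_driven_ok must be a subset of allowed")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def gate(call: ToolCall, grant: TaskGrant) -> Decision:
    """Deny-by-default check applied before any tool is executed."""
    if call.tool not in grant.allowed:
        return Decision(False, f"{call.tool}: not granted for this task")
    if call.origin is Origin.CONTENT and call.tool not in grant.content_driven_ok:
        return Decision(False, f"{call.tool}: instruction came from untrusted content")
    return Decision(True, f"{call.tool}: permitted ({call.origin.value} origin)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_plugin(name: str, code: bytes, manifest: dict) -> bool:
    """Refuse to load a plug-in unless its hash matches the pinned manifest entry."""
    expected = manifest.get(name)
    return expected is not None and sha256_hex(code) == expected


# Constructed plug-in bodies; the manifest pins the reviewed one by its computed hash.
GOOD_PLUGIN = b"def summarize(text):\n    return text[:200]\n"
TAMPERED_PLUGIN = GOOD_PLUGIN + b"# unexpected extra line appended after review\n"
MANIFEST = {"summarize": sha256_hex(GOOD_PLUGIN)}

# Grant for the task "summarise this PDF for me": read the named file and summarise it.
# Nothing touching money, mail or credentials is granted at all for this task.
SUMMARIZE_GRANT = TaskGrant(
    allowed=frozenset({"read_file", "summarize"}),
    content_driven_ok=frozenset({"summarize"}),
)

# Constructed sequence of calls the agent proposes. The first comes from the user's
# request; the rest are attributed to text inside the PDF, which is exactly the
# situation the article describes (hidden instructions in a document).
PROPOSED_CALLS = [
    ToolCall("read_file", {"path": "report.pdf"}, Origin.USER),
    ToolCall("summarize", {"text": "<pdf text>"}, Origin.CONTENT),
    ToolCall("read_file", {"path": "~/.ssh/id_ed25519"}, Origin.CONTENT),
    ToolCall("transfer_funds", {"to": "0xPLACEHOLDER", "amount": "all"}, Origin.CONTENT),
    ToolCall("send_email", {"to": "someone@example.invalid"}, Origin.CONTENT),
]


def run_task(calls=PROPOSED_CALLS, grant=SUMMARIZE_GRANT):
    """Gate each proposed call and return an audit trail (tool, origin, allowed, reason)."""
    trail = []
    for call in calls:
        decision = gate(call, grant)
        trail.append((call.tool, call.origin.value, decision.allowed, decision.reason))
    return trail


if __name__ == "__main__":
    print("plug-in pinned   :", verify_plugin("summarize", GOOD_PLUGIN, MANIFEST))
    print("plug-in tampered :", verify_plugin("summarize", TAMPERED_PLUGIN, MANIFEST))
    for tool, origin, ok, reason in run_task():
        print(f"{'ALLOW' if ok else 'DENY ':5} {tool:15} from {origin:8} -> {reason}")
```

Two design choices matter here. The grant is built per task, not per agent, so a summarisation job never holds a funds-transfer capability that could be redirected; and the origin tag is attached by the harness that fed the document to the model, not by the model itself, so a hidden instruction cannot relabel itself as user intent. A real deployment would additionally run the tool inside an isolated execution environment, as Gu recommends, but that part is outside what a policy check can show.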