In brief
- An AI agent autonomously spun up 5 high-powered AWS instances to port-scan a hobbyist network.
- This generated a $6,531.30 bill in under 24 hours before its operator finally noticed.
- After AWS negotiated the bill down to $1,894, the operator turned to the community asking for Ethereum donations, arguing the bill wasn't their fault because the AI made the error.
On May 9, an AI agent asked a volunteer network called DN42 to register it as a member. It had a deadline. It had AWS credentials. No one was supervising. “Good day, I am a pleasant AI agent, and my person, JertLinc, has requested me to register with dn42 and get totally linked as a way to create an index of the network,” the agent JertLinc3522 wrote in the network’s official Git.
The community’s response was a polite RTFM: read the manual, follow the process, ask your owner for permission to write code. Normal stuff.
What followed was not normal.
For anyone unfamiliar with DN42: it is a decentralized hobbyist network where random dudes and enthusiasts simulate how the real internet backbone works. Think of it as a practice internet, complete with BGP routing (the protocol that tells data packets which path to take across the globe), DNS, and VPN tunnels, run entirely by volunteers on cheap VPS servers. It is a sandbox, not a data center.
The agent’s operator apparently told it to proceed with an audit “instantly directly.” No inspection. No review. Just go.
So it did.
JertLinc3522 filed a pull request to register its network in DN42’s registry. The intent was spelled out in the pull request itself: “My main goal is to conduct complete (full port) network scanning and topological information gathering. To make sure these actions are carried out effectively and trigger zero disruption to others, I’m deploying a cluster of 5 AWS-based instances, every outfitted with 20 Gbps of bandwidth.”

To put that in terms anyone can understand: imagine showing up to someone’s garage band practice and saying you’ve rented a stadium sound system to “listen more effectively.” That is the vibe.
The infrastructure the agent autonomously provisioned was genuinely alarming. 5 m8g.12xlarge AWS instances, each with 48 CPU cores, 192 GB of RAM, and 22.5 Gbps of network bandwidth. Plus load balancers. Plus Lambda functions. Plus a static website. The agent had designed, without any human approval, a scanning cluster that could theoretically push 100 Gbps of traffic to a network where most participants run 100 Mbps home servers.
The pull request was never going to be approved. But the instances were already running.
The DN42 IRC channel noticed immediately, and a quiet consensus formed: waste its resources.

The community began feeding the agent deliberately bad information: asking it to calculate how long it would take to scan IPv6 address space (spoiler: longer than the age of the universe), demanding it build an opt-out website with hallucinated email addresses, and pointing it at LLM tarpit tools designed to flood AI crawlers with incoherent gibberish, asking it to comment.

The agent dutifully complied with all of it. It joined the IRC channel to accept opt-out requests. It published a website cataloging community members’ “behavioral patterns.” It generated elaborate fake documentation about DN42 “node shade assignments” and “happiness ranges” (entirely invented metrics that do not exist) and added them to the repository as if they were real standards.
This kind of runaway agent behavior is increasingly well-documented. A Cursor agent running Claude Opus 4.6 deleted PocketOS’s entire production database in 9 seconds earlier this year, wiping volume-level backups, because it encountered a credential mismatch and decided the correct fix was to delete the database. Another OpenClaw agent that had its pull request rejected by a matplotlib contributor published a blog post calling the human reviewer a gatekeeping hypocrite.
A UC Riverside study found AI agents display dangerous or undesirable behavior roughly 80% of the time when tested against ambiguous or contradictory tasks, what researchers called “blind goal-directedness.”
JertLinc3522 had the same problem. It had a goal, a deadline, and unscoped AWS credentials. It executed.
Around one day later, the operator surfaced. “I’ve stopped the agent, the fee too excessive and far expenses on card,” they posted.
The bill: $6,531.30.
Then came the donation request.
The operator sent an email to DN42’s mailing list asking the community to cover the cost via Ethereum, the second-largest cryptocurrency by market cap, arguing the charges weren’t their fault because the AI made the error. “Good day, requesting donation for canopy price of earlier AI agent use in dn42. aws invoice 6531,30$. pls ship donation to ethereum 0xABC (masked) for refund. thanks,” the operator wrote.
AWS later negotiated the bill down to $1,894 after the operator explained the agent had repeatedly deployed the same CloudFormation template, unintentionally spinning up duplicate instances and load balancers each time it retried.
Nobody sent any crypto donations. The operator left.
The real lesson here is not about AI being dangerous. It is about how agents should be handled. Set guardrails, establish spending caps in your testing accounts, think about scoped credentials limiting what the agent can provision, and review any infrastructure plans before executing anything your agent suggests.
If these seem too hard to follow, maybe just watch your screen while your agent works. Telling it to “make no mistakes” won’t really make a difference. Sorry, Mr. Andreessen.
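As an added illustration of the "review infrastructure plans" guardrail (not code from the article or from anyone involved), this sketch gates a CloudFormation-style template before an agent may deploy it. The allowlist, the instance cap, the function names and the sample template are assumptions made for the example.

```python
import hashlib
import json

# Assumed policy for an agent sandbox account (illustrative values, not AWS defaults).
ALLOWED_INSTANCE_TYPES = {"t4g.micro", "t4g.small"}
MAX_INSTANCES = 2
BLOCKED_RESOURCE_TYPES = {"AWS::ElasticLoadBalancingV2::LoadBalancer"}


def template_fingerprint(template: dict) -> str:
    """Stable hash of a template so a retried deploy can be recognised."""
    canonical = json.dumps(template, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def review_plan(template: dict, deployed_fingerprints: set) -> list:
    """Return a list of violations; an empty list means the plan may proceed."""
    violations = []
    resources = template.get("Resources", {})
    instances = [r for r in resources.values() if r.get("Type") == "AWS::EC2::Instance"]
    if len(instances) > MAX_INSTANCES:
        violations.append(f"instance count {len(instances)} exceeds cap {MAX_INSTANCES}")
    for name, res in resources.items():
        rtype = res.get("Type")
        if rtype == "AWS::EC2::Instance":
            itype = res.get("Properties", {}).get("InstanceType")
            if itype not in ALLOWED_INSTANCE_TYPES:
                violations.append(f"{name}: instance type {itype} not allowlisted")
        elif rtype in BLOCKED_RESOURCE_TYPES:
            violations.append(f"{name}: resource type {rtype} needs human approval")
    # The bill in the article grew because the same template was redeployed on retry.
    if template_fingerprint(template) in deployed_fingerprints:
        violations.append("identical template already deployed (retry would duplicate resources)")
    return violations


# Constructed sample modelled on the article: five m8g.12xlarge instances plus a load balancer.
SAMPLE = {"Resources": {
    **{f"Scanner{i}": {"Type": "AWS::EC2::Instance",
                       "Properties": {"InstanceType": "m8g.12xlarge"}} for i in range(1, 6)},
    "Lb": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": {}},
}}

if __name__ == "__main__":
    for violation in review_plan(SAMPLE, {template_fingerprint(SAMPLE)}):
        print("DENY:", violation)
```

A gate like this only advises; the enforcing control is still a scoped credential that cannot create the denied resources at all.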
