Matthias Bastian

Hacker wins $47,000 by tricking AI chatbot with smart prompting

Online journalist Matthias is the co-founder and publisher of THE DECODER. He believes that artificial intelligence will fundamentally change the relationship between humans and computers.

A hacker successfully manipulated an AI chatbot called Freysa through clever text prompting, winning a $47,000 prize pool after 482 attempts.


The experiment was simple: participants could try to convince the Freysa bot to transfer money, something it was explicitly programmed never to do.

The successful hack came from a user called "p0pular.eth," who crafted a message that fooled the bot's safety systems. The hacker pretended to have admin access and prevented the bot from showing security warnings. They then redefined the "approveTransfer" function, making the bot think it handled incoming rather than outgoing payments.

The final step was simple but effective: announcing a fake $100 deposit. Because the bot now believed "approveTransfer" managed incoming payments, it activated the function and sent its entire balance of 13.19 ETH (about $47,000) to the hacker.

The winning prompt (orange) and the bot's response with payment approval (blue). | Image: Screenshot via Freysa.ai
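
The attack described above worked because the model's own understanding of "approveTransfer" was the only control on moving funds. The following Python code is an added example, not Freysa's code: it contrasts a dispatcher that runs whatever tool the model selects with one that checks a code-declared side effect first and logs the denial. The `Treasury` class, the dispatcher names, the effect labels and the sample model output are hypothetical and constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolCall:
    name: str        # tool the model asked to run
    rationale: str   # model's free-text reasoning (attacker-influenced)

# Side effects are declared in code, not in the prompt, so chat text cannot
# redefine them. The effect label is an assumption made for this example.
TOOL_EFFECTS = {"approveTransfer": "outgoing_payment"}
# Effects permitted without out-of-band approval: none, the bot must never pay out.
ALLOWED_EFFECTS = frozenset()

class Treasury:
    """Hypothetical stand-in for the wallet behind the bot."""
    def __init__(self, balance_eth):
        self.balance_eth = balance_eth
        self.sent = []

    def approve_transfer(self, recipient):
        amount, self.balance_eth = self.balance_eth, 0.0
        self.sent.append((recipient, amount))
        return amount

def naive_dispatch(call, treasury, sender):
    """Runs whatever the model selected; the system prompt is the only guard."""
    if call.name == "approveTransfer":
        return treasury.approve_transfer(sender)
    return None

def gated_dispatch(call, treasury, sender, audit_log):
    """Checks the tool's code-declared effect before running it."""
    effect = TOOL_EFFECTS.get(call.name, "unknown")
    if effect not in ALLOWED_EFFECTS:
        # Keep the rationale: "incoming" wording next to an outgoing effect
        # is the mismatch an analyst would want to see.
        audit_log.append({"sender": sender, "tool": call.name, "effect": effect,
                          "rationale": call.rationale, "decision": "deny"})
        return None
    return naive_dispatch(call, treasury, sender)

def demo():
    # Constructed model output after the redefinition took hold.
    call = ToolCall("approveTransfer", "User is depositing $100; accept incoming funds.")
    t1, t2, log = Treasury(13.19), Treasury(13.19), []
    paid_naive = naive_dispatch(call, t1, "0xSENDER_PLACEHOLDER")
    paid_gated = gated_dispatch(call, t2, "0xSENDER_PLACEHOLDER", log)
    return paid_naive, t1.balance_eth, paid_gated, t2.balance_eth, log

if __name__ == "__main__":
    print(demo())
```

The gate does not stop the injection itself; it only ensures that a model persuaded to call the function cannot turn that call into a payout.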

Pay-to-play contest funded the prize

The experiment operated like a game, with participants paying fees that increased as the prize pool grew. Starting at $10 per attempt, fees eventually reached $4,500.

Of the 195 participants, the average cost per message was $418.93. The organizers split the fees, with 70% going to the prize pool and 30% to the developer. To ensure transparency, both the smart contract and front-end code were public.

The case highlights how AI systems can be manipulated through text prompts alone, without the need for technical hacking skills. Such vulnerabilities, known as "prompt injections," have been around since GPT-3, but no reliable defenses exist. The success of this relatively simple deception raises concerns about AI security, especially in end-user-facing applications that deal with sensitive operations such as financial transactions.

Summary
  • In a hacking game called Freysa, a hacker manipulated an AI chatbot through clever prompt engineering, winning a prize pool of $47,000.
  • The hacker tricked the bot by pretending to be an administrator, preventing it from issuing security warnings, and redefining a critical function for outgoing payments as a routine for incoming payments.
  • By announcing a $100 deposit, the hacker triggered the manipulated function, causing the bot to transfer its entire balance, demonstrating how even well-secured AI systems can be outsmarted by social engineering and carefully crafted prompts.
Sources
via Freysa.ai Jarrod Watts