How hackers turned AI into their new henchman

Your AI reads the small print, and that's a problem. This week in episode 433 of "Smashing Security" we dig into LegalPwn - malicious instructions tucked into code comments and disclaimers that sweet-talks AI into rubber-stamping dangerous payloads (or even pretending they’re a harmless calculator).

Meanwhile, new research from Anthropic reveals that hackers have already used AI agents to break into networks, steal passwords, sift through stolen data, and even write custom ransom notes. In other words, one hacker with an AI helper can work like an entire team of cybercriminals.

Plus: a joyous geek detour into keyboard history, and the most diabolically annoying, fully functional AI-generated CAPTCHA that you will love to inflict on your friends.

EPISODE LINKS:

• LegalPwn: Abusing Legal Disclaimers to Trigger Prompt Injections - Pangea Labs.
• LegalPwn: Tricking LLMs by burying badness in lawyerly fine print - The Register.
• LegalPwn Attack Tricks GenAI Tools Into Misclassifying Malware as Safe Code - HackRead.
• One long sentence is all it takes to make LLMs misbehave - The Register.
• Londoners give up eldest children in public Wi-Fi security horror show - The Guardian.
• Targeted social engineering is en vogue as ransom payment sizes increase - Coveware.
• State of Malware 2025 - ThreatDown.
• Cybercrime in the Age of AI - ThreatDown.
• Threat Intelligence Report: August 2025 - Anthropic.
• The Day Return Became Enter - Marcin Wichary.
• Ethan Mollick’s terrible AI-generated CAPTCHAs - Twitter.
• The very worst AI-generated CAPTCHA? - Claude.ai.
• Smashing Security merchandise (t-shirts, mugs, stickers and stuff)

SPONSORED BY:

• Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!

SUPPORT THE SHOW:

Tell your friends and colleagues about “Smashing Security”, and leave us a review on Apple Podcasts or Podchaser.

Become a supporter via Patreon or Apple Podcasts for ad-free episodes on our early-release feed!

FOLLOW THE SHOW:

Follow us on Bluesky or Mastodon, or on the Smashing Security subreddit, and visit our website for more episodes.

THANKS:

Theme tune: "Vinyl Memories" by Mikael Manvelyan.

Assorted sound effects: AudioBlocks.

ENJOYED THE SHOW?

Make sure to check out our sister podcast, "The AI Fix".