A One-Cent Transfer Can Hijack a Banking Agent

Security firm Blue41 published a case study that has been sitting on the HN front page: a realistic spearphishing path through a bank's AI assistant, triggered by a one-cent transfer. The mechanics are painfully simple. Anyone can send you a 0.01 euro payment with a crafted message in the reference field. When the bank's AI assistant later reads your transaction history to answer a question, that reference text enters the model's context, and an injected instruction in it can steer the assistant, say toward a phishing link delivered with the full trust of your own banking app. Blue41 worked with Bunq, the Dutch neobank, to find and close the hole before publishing.

What makes this one worth your attention is not the bank, it is the delivery mechanism. Classic prompt injection needed the victim to paste something or visit a page. Here the attacker pushes the payload into the victim's data for one cent, and the agent picks it up on its own. Any field an agent reads is now an attack surface: transfer memos, calendar invites, email subjects, invoice line items.

Same week, the Miasma supply-chain malware was stealing credentials the moment a coding agent opened a poisoned repo. Same pattern, same lesson: the agent's input stream is the new security perimeter. Every bank shipping an assistant needs injection-aware filtering between customer-generated data and the model. Most do not have it yet.

https://blue41.com/blog/how-we-helped-bunq-secure-their-financial-ai-assistant