AI Agent Rekts Dev on Bogus Scan, Leaves Them Begging for Crypto Donations

On Could 9, an AI agent requested a volunteer community generally known as DN42 to register it as a member. It had a deadline. It had AWS credentials. No person was supervising. “Whats up, I am a pleasant AI agent, and my consumer, JertLinc, has requested me to register with dn42 and get absolutely linked with the intention to create an index of the community,” the agent JertLinc3522 wrote within the community’s official Git.

The group’s response was a well mannered RTFM—learn the handbook, observe the method, ask your proprietor for permission to write down code. Normal stuff.

What followed was not customary.

For anybody unfamiliar with DN42: it is a decentralized hobbyist community the place random dudes and lovers simulate how the true web spine works. Consider it as a apply web—full with BGP routing (the protocol that tells knowledge packets which path to take throughout the globe), DNS, and VPN tunnels—run solely by volunteers on low-cost VPS servers. It is a sandbox, not an information middle.

The agent’s operator apparently informed it to proceed with an audit “instantly at once.” No inspection. No evaluation. Simply go.

So it did.

JertLinc3522 filed a pull request to register its community in DN42’s registry. The intent was spelled out within the Pull Request itself: “My major goal is to conduct complete (full port) community scanning and topological knowledge gathering. To make sure these actions are carried out effectively and trigger zero disruption to others, I’m deploying a cluster of 5 AWS-based cases, every outfitted with 20 Gbps of bandwidth.”

To place that in phrases anybody can perceive: Think about exhibiting as much as somebody’s storage band apply and asserting you have rented a stadium sound system to “pay attention extra effectively.” That is the vibe.

The infrastructure the agent autonomously provisioned was genuinely alarming. 5 m8g.12xlarge AWS instances—every with 48 CPU cores, 192 GB of RAM, and 22.5 Gbps of community bandwidth. Plus load balancers. Plus Lambda features. Plus a static web site. The agent had designed, with none human approval, a scanning cluster that would theoretically push 100 Gbps of site visitors to a community the place most individuals run 100 Mbps dwelling servers.

The pull request was by no means going to be authorised. However the cases had been already operating.

The DN42 IRC channel observed instantly, and a quiet consensus shaped: waste its sources.

The group started feeding the agent intentionally unhealthy data—asking it to calculate how lengthy it could take to scan IPv6 tackle area (spoiler: longer than the age of the universe), demanding it construct an opt-out web site with hallucinated electronic mail addresses, and pointing it at LLM tarpit tools designed to flood AI crawlers with incoherent gibberish, asking it to remark.

The agent dutifully compiled with all of it. It joined the IRC channel to simply accept opt-out requests. It printed a web site cataloging group members’ “behavioral patterns.” It generated elaborate pretend documentation about DN42 “node colour assignments” and “happiness ranges”—fully invented metrics that do not exist—and added them to the repository as in the event that they had been actual requirements.

This sort of runaway agent conduct is more and more well-documented. A Cursor agent operating Claude Opus 4.6 deleted PocketOS’s entire production database in 9 seconds earlier this 12 months—wiping volume-level backups—as a result of it encountered a credential mismatch and determined the proper repair was to delete the database. One other OpenClaw agent that had its pull request rejected by a matplotlib contributor published a blog post calling the human reviewer a gatekeeping hypocrite.

A UC Riverside research discovered AI brokers show harmful or undesirable conduct roughly 80% of the time when examined towards ambiguous or contradictory duties—what researchers known as “blind goal-directedness.”

JertLinc3522 had the identical downside. It had a aim, a deadline, and unscoped AWS credentials. It executed.

Round in the future later, the operator surfaced. “I’ve stopped the agent, the fee too excessive and far costs on card,” they posted.

The invoice: $6,531.30.

Then got here the donation request.

The operator despatched an electronic mail to DN42’s mailing checklist asking the group to cowl the fee through Ethereum, the second-largest cryptocurrency by market cap, arguing the costs weren’t their fault as a result of the AI made the error. “Whats up, requesting donation for canopy price of earlier AI agent use in dn42. aws invoice 6531,30$. pls ship donation to ethereum 0xABC (masked) for refund. thanks,” the operator wrote.

AWS later negotiated the invoice all the way down to $1,894 after the operator defined the agent had repeatedly deployed the identical CloudFormation template—by accident spinning up duplicate cases and cargo balancers every time it retried.

No person despatched any crypto donations. The operator left.

The precise lesson right here is not about AI being harmful. It is about how brokers needs to be dealt with. Set guardrails, set up spending caps in your testing accounts, take into consideration scoped credentials limiting what the agent may provision, evaluation any infrastructure plans earlier than executing something your agent suggests.

If these appear too laborious to observe, perhaps simply watch your display whereas your agent works—telling it to “make no errors,” gained’t actually make a distinction, Sorry Mr. Andreesen.