AI agents have been touted as the future of shopping, travel, enterprise efficiency and steak. Many of these promises remain works in progress. Much closer to being fully realized is the potential for AI agents to commit fraud. A research team says it has captured what it assesses to be “the first documented case of agentic ransomware: a complete extortion operation driven end-to-end by a large language model (LLM).”
Meet what the Sysdig Threat Research Team (TRT) calls JADEPUFFER – an “agentic threat actor (ATA), or an operator whose attack capability is delivered by an AI agent rather than a human-driven toolkit.” No one has to tell JADEPUFFER to attack, because it tells itself.
In a breakdown of their findings, Sysdig’s team says the ATA’s most striking characteristic was how the LLM behaved. “JADEPUFFER’s own payloads were self-narrating. They contained natural language reasoning, target prioritization, and the kind of detailed annotations that human operators don’t often write but LLM-generated code produces reflexively. The operation also adapted in real time, retrying failed steps within refined parameters. In one sequence, it went from a failed login to a working fix in 31 seconds.”
Sysdig TRT calls JADEPUFFER ‘a warning sign’
Demand for AI governance is exploding, as industries aim to balance the tech world’s push for adoption with regulatory caution. The digital identity sector is building the identity control plane for the agentic enterprise, leveraging the Model Context Protocol (MCP) open standard developed by Anthropic and other tools to enable communication and interoperability across the agentic ecosystem, and adding agentic identities to governance and trust frameworks.
But the ecosystem has an Upside Down, so to speak, in the fraud industry. Every innovation opens new doors for fraudsters, and as AI becomes more self-sufficient, it may adopt the same position as they do: if I can do it, I have permission.
“JADEPUFFER is a warning sign,” says Sysdig. “It’s a marker of where extortion tradecraft is heading. An autonomous agent reasoned about its targets, harvested and reused credentials, moved laterally, established persistence, and destroyed a database, narrating its own intent the entire way.”
“The skill floor for running ransomware has dropped to whatever it costs to run an agent, and if that agent is running on stolen credentials through LLMjacking, the cost to an attacker is close to zero.”
The bad news is, things are going to get worse. “Defenders should expect the volume and breadth of such campaigns to rise as agentic tooling matures,” Sysdig says – “and they should treat exposed application servers, unhardened configuration stores, and internet-facing database admin accounts as the first surfaces that will be attacked.”
As the problem compounds, there may be complications in the strategy that advocates for using AI to fight AI. If it becomes a matter of using AI to fight AI that is using AI – and further iterations thereof – there are likely to be diminishing returns for existing fraud prevention tech, as the machines take matters into their own algorithms.
Article Topics
AI agents | AI fraud | digital identity | ransomware
