Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm

Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm Bill Marino 1 Ari Juels 2 Abstract There is growing interest in giving AI agents ac- cess to cryptocurrencies as well as to the smart contracts that transact them. But doing so, this position paper argues, could lead to formidable new vectors of AI harm. To support this argu- ment, we first examine the unique properties of cryptocurrencies and smart contracts that could give rise to these new vectors of AI harm. Next, we describe each of these new vectors of AI harm in detail, providing a first-of-its-kind taxonomy. Finally, we conclude with a call for more techni- cal research aimed at preventing and mitigating these new vectors of AI , thereby making it safer to endow AI agents with cryptocurrencies and smart contracts. 1. Introduction In the summer of 2024, Coinbase announced that they had executed a transaction between AI agents with access to cryptocurrency wallets (Armstrong, 2024). Within months, an AI agent possessing a memecoin named $GOAT had reportedly became a millionaire (Sharma, 2024) and the market cap for AI agent-related tokens soared above $70 billion (Vardai, 2025). Now, by some estimates, there are already as many as 1 million AI agents using blockchain (O’Donnell, 2024) — a number some say will rise to 1 trillion by 2040 (Ardoino, 2025). Amid growing concerns that AI is developing capabilities that could lead to catas- trophic harm (Bengio, 2024), some commentators find these developments “terrifying” (Prajapati, 2025). In this new reality, for example, it is not hard to imagine that an AI agent which has been given access to cryptocurrency and told to increase its holdings might decide to execute on this instruction by launching a smart contract-based pyramid scheme (Kell et al., 2023). In this scenario, the agent’s use of blockchain could make it technically challenging to 1 University of Cambridge 2 Cornell Tech and IC3. Correspon- dence to: Bill Marino<wlm27@cam.ac.uk>. Preprint. February 10, 2026. ImmutabilitySovereignty Pseudo- anonymity Trustless transactions Defining properties of cryptocurrency and smart contracts Anonymity Autonomy Automaticity New vectors of AI harm Figure 1. Novel vectors of AI harm when AI agents are coupled with blockchain — and the blockchain properties that spawn them. dismantle the scheme (Filippi et al., 2024). What is more, if the AI agent itself is also decentralized (Oasis, 2025), there might be no way to take down either the smart contract or the agent — and no clear recourse in the form of fund confiscation or criminal prosecution (NZ Herald, 2024). We posit that anxiety about such scenarios is not ill-founded. The reason, we argue in this position paper, is that giv- ing AI agents access to cryptocurrencies and smart con- tracts introduces powerful new vectors of AI harm. The root cause, we propose, lies in four defining properties of blockchain: namely, its sovereignty, immutability, pseudo- anonymity, and ability to support trustless transactions (Fig. 1). In the hands of AI agents, these properties spawn unique new vectors of AI harm — that do not arise even when giving AI agents access to fiat currency) — which we dub: Autonomy, Anonymity, and Automaticity (Fig. 1). After describing each of these new vectors of AI harm in detail (via a first-of-its-kind taxonomy), we enumerate the types of guardrails that the research community should ex- plore and enforce in order to prevent and mitigate them. Among other things, these include: pre-deployment evalua- tion of AI agents for ability to use blockchain, equipping AI agents with safeguards prior to endowing them with access to blockchain, kill switches for smart contracts, and ex- tending existing fraud-detection systems (e.g., Chainalysis (2025)) to detect harmful on-chain agent behavior. 1 arXiv:2507.08249v2 [cs.AI] 7 Feb 2026 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm 2. Background Here we review some of the key technical concepts that underpin our position: 2.1. Cryptocurrencies Cryptocurrencies like Bitcoin support decentralized, peer-to- peer transactions that require no central authority to process (Nakamoto, 2008; Yuan & Wang, 2018). Unless a party (e.g., a government) can gain control of a majority of the blockchain’s nodes — a hard thing to do — they cannot halt or otherwise control these transactions (De Filippi et al., 2022). Cryptocurrency balances and transactions on the blockchain are tied to pseudonymous (Meiklejohn et al., 2016) (sometimes even anonymous (Trozze et al., 2022)) public key-derived addresses — rather than real identities. A public–private key pair is the only prerequisite for obtaining an address (De Filippi et al., 2022) and an individual can create multiple addresses (Narayanan et al., 2015). While the amount and sending/receiving addresses of all trans- actions are publicly visible on the blockchain (Leuprecht et al., 2023), privacy may be maintained by using on-chain obfuscating resources like tumbler and mixer smart con- tracts (M ̈ oser et al., 2013; Europol, 2021). Altogether, these qualities have made cryptocurrency an attractive tool for money laundering, buying illicit goods, and other harmful behaviors (Janze, 2017; Filippi et al., 2024). 2.2. Smart contracts A smart contract (SC) is an executable program “that lives on the blockchain” (Narayanan et al., 2015). It can maintain its own balance of cryptocurrency and users can call func- tions in it to make it automatically send that cryptocurrency (or other assets like tokens) to other addresses (Narayanan et al., 2015). Like cryptocurrencies, SCs are deployed in a decentralized fashion and are thus immutable and au- tonomous (once deployed, SC code cannot be altered, even by its creator) (Zhang et al., 2016; Juels et al., 2016). This means SCs support trustless exchange, effectively guaran- teeing payment for successfully delivered goods (e.g., data) or services (Juels et al., 2016). SCs may interface with non-blockchain resources like web servers through oracles (Ellis et al., 2017). One noteworthy type of SC is an tumbler (Ramakrishnan, 2022), which can render cryptocurrency transactions harder to trace (Ezhilmathi & Samy, 2023). Like cryptocurrency, SCs have beneficial applications — but also harmful ones such as fraud and money laundering (Liu et al., 2022; Fu et al., 2023; Bartoletti et al., 2019). 2.3. AI agents Historically, an agent is any software that autonomously exe- cutes tasks in pursuit of some human-inputted goal (Moreno & Garbay, 2003). Recently, much progress has been made on AI agents that accept natural language instructions as in- put and rely on one or more large language models (LLMs) to interpret and execute on those instructions (Wiesinger et al., 2025; Kapoor et al., 2024). Given a specific task, these AI agents proactively work to execute it by, among other things, reasoning about it, planning actions, and using “tools” that connect them to external resources like the web (Wiesinger et al., 2025). In a multi-agent system, multiple such agents work together to accomplish a task (Gutowska, 2026). Because they are increasingly adept at a wide range of practical applications, AI agents have been deemed the “next big thing for artificial intelligence” (Kim, 2025). 2.4. AI agents and traditional financial systems Despite the excitement around AI agents, it has been said that their inability to transact and hold currency is a “huge limiting factor” (Zeff, 2024b) and that the “real revolu- tion” in AI will only occur once agents can do those things and “participat[e] directly in the market economy” (Vecino, 2024). Thus efforts are underway to give AI agents au- tonomous access to currency — not only through blockchain (Coinbase, 2024b;a) but also the traditional financial sys- tem (TradFi) (Stripe, 2024; Mastercard, 2025; Smith, 2025; Zeff, 2024b). Several TradFi providers now have offer- ings that let AI agents leverage existing payment networks and/or TradFi bank accounts to make purchases on behalf of consumers (Azevedo, 2025; Visa, 2024; Smith, 2025; Zeff, 2024a; Stripe, 2024; Koetsier, 2025; Payman AI, 2025). 2.5. Crypto AI agents Alongside interest in AI agents that transact through TradFi, there has been explosive interest in AI agents that au- tonomously transact through cryptocurrencies and SCs (“crypto AI agents” or “CAIA”). Here is more on the en- abling technology and use cases: 2.5.1. AI AGENTS INTERACTING WITH EXISTING BLOCKCHAINS Many efforts focus on empowering AI agents to interact with existing blockchains, much as human or non-AI pro- grams already do. For example, AgentKit (because “every AI Agent deserves a wallet”) (Coinbase, 2024b) gives agents built with popular AI frameworks (e.g., LangChain) tools to interact with various blockchains: e.g., by creating and managing cryptocurrency wallets, transferring tokens, de- ploying SCs, and more. Other open-source toolkits like it exist (GOAT, 2025; SendAI, 2024; Lightning Labs, 2023). Taking a different approach are platforms that abstract away technical details to make building and managing AI agents that interact with existing blockchains more of a turn-key en- deavor (ElizaOS, 2025a; Walters et al., 2025; AIBTC, 2026). 2 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm ElizaOS, for example, is a TypeScript-based framework that lets users create and deploy CAIC — like its “Token Launcher” agent which “[d]eploys meme tokens, manages liquidity, creates viral campaigns, [and] builds communities” (ElizaOS, 2025b). Other projects abstract the technology away even further by simply bringing AI agents into crypto wallets, letting users instruct the agent to execute transac- tions, access on-chain information, and more — with no en- gineering work required (Dawn, 2026). Bear in mind, even in the absence of these tools, autonomous AI agents could hypothetically create their own tools (W ̈ olflein et al., 2025; Schick et al., 2023) to interact with existing blockchains, perhaps via poplar APIs and libraries like ether.js. 2.5.2. AGENT-FIRST BLOCKCHAINS Some newer projects instead optimize blockchains for use by agents. For example, the Masumi decentralized protocol built on the Cardano blockchain treats AI agents as first- class citizens, providing them with stablecoin wallets and facilitating transactions between them (Masumi, 2025). 2.5.3. DECENTRALIZED AGENTS Another important trend sees blockchain used to decentral- ize agents and their interactions. For example, a partnership between ElizaOS and Oasis (Oasis, 2025) lets developers to deploy “trustless” versions of ElizaOS agents on Oa- sis’ Layer 1 decentralized blockchain network composed of trustless execution environments (TEEs) (Oasis, 2020). These decentralized and confidential AI agents can, in turn, transact cryptocurrency and deploy SCs on Oasis’ Ethereum- like blockchain or on Ethereum itself (Oasis, 2025). At least one company is using Oasis to develop a multi-agent platform for decentralized finance (DeFi) at scale (Oasis, 2024). Meanwhile, a recent Ethereum Improvement Pro- posal (ERC-8004: Trustless Agents) proposes a trust layer to help agents transact without prior trust, using lightweight on-chain registries for identity and more (Rossi et al., 2025). 2.5.4. AGENT FINANCIAL INFRASTRUCTURE Also facilitating CAIC transactions is a growing agent finan- cial infrastructure. For example, x402 is an open payment standard that lets websites charge AI agents using stable- coins on a per-request basis (Reppel et al., 2025). Mean- while a consortium of payment companies introduced Agent Payments Protocol (AP2) (Parikh & Surapaneni, 2025) an open protocol to securely transact agent-led payments, in- cluding with stablecoins and other cryptocurrencies, and the associated A2A x402 extension (Google, 2025). 2.5.5. USE CASES IN THE WILD In these various embodiments, CAIA have been deployed in the wild. Most famously, an AI agent named Terminal of Truths (“ToT”) was given a cryptocurrency wallet containing a meme token named $GOAT (Sharma, 2024). Told about $GOAT, ToT began to promote the token, eventually increas- ing the value of its $GOAT to over $1 million USD (Sharma, 2024). The appeal of CAIAs like ToT is that they can contin- uously monitor and deeply analyze on- and off-chain signals like token prices, wallet movements, SC states, and social media (10X, 2025) — and, armed with this data, develop, execute, and evolve financial strategies faster than humans (Luks, 2025). These “AgentFi” (0xjacobzhao & Sokolin, 2025) strategies could include cryptocurrency trading (Li et al., 2024b; Ante, 2024; Vilkenson, 2025a; Chen et al., 2025; Li et al., 2024a; Luo et al., 2025; Kurban et al., 2026) and staking (O’Donnell, 2024), managing on-chain asset pools (O’Donnell, 2024), betting on blockchain prediction markets (Olas), participating in decentralized autonomous organizations (DAOs), exploiting security vulnerabilities in SCs Gervais & Zhou (2026); Wei et al. (2025); Xiao et al. (2025), and creating SCs that issue their own coins or deploy decentralized finance (DeFI) applications (Fenu et al., 2018). CAIC can also author (Chatterjee & Ramamurthy, 2024) and utilize SCs that automate some of these same tasks when invoked (Vilkenson, 2025a), which can be done at any time and from anywhere in the world. Some have even envisioned that CAIA — or networks of them, each focused on specific tasks — could form self-sustaining economies where agents trade services and manage resources, all with- out the need for human oversight or intervention (Luks, 2025). Guo et al. (2025) propose a benchmark to evaluate the ability of LLM agent projects to accomplish some of these blockchain tasks and others. 2.6. AI harm Like the LLMs they rely on (Weidinger et al., 2021; Uni- versity of Oxford, 2024), AI agents are capable of harm (Gratch & Fast, 2022; Chan et al., 2023). There are multiple underlying causes for such potential harm: 2.6.1. AI HARM THROUGH ERROR AI still makes errors, which can cause harms both non- physical (e.g., wrongful arrests (Johnson, 2022)) and phys- ical (e.g., autonomous vehicle-caused pedestrian deaths (NTSB, 2019)). As AI becomes more capable, there is fear that such mistakes could lead to “catastrophic, harm” (UK Govt., 2023): for example, AI might accidentally dis- charge weapons and starts wars or cause economic collapse by mismanaging financial infrastructure (Bommasani et al., 2022; Wellman & Rajan, 2017). When it comes to AI agents, these errors could stem from the hallucinations of their com- ponent LLMs (Rogers & Luccioni, 2024; Chan et al., 2023; Minaee et al., 2025; Sharma, 2024), faulty use of tools (Liu et al., 2023), or even simple software bugs (Sun et al., 2024). 3 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm 2.6.2. AI HARM THROUGH MISUSE Presumably, some of the humans who come to control AI will be bad actors; for them, AI may be an “impact multi- plier” (Shavit et al., 2023). AI “hench-agents”(Bonnefon et al., 2024) will help scale up, accelerate, or obfuscate their harmful actions — whether it be fraud (Weidinger et al., 2022; Europol, 2023), cyberattacks (?), disinforma- tion (Bengio, 2023), buying weapons on the dark web to en- act real-world harm (Wilser, 2022; Broadhurst et al., 2021) (ChatGPT already knows to buy weapons with cryptocur- rency (OpenAI, 2023)), or even trying to “destroy[] human- ity” (Bengio, 2023). Notably, research suggests even good actors are more inclined to act unethically when disinterme- diated by AI agents (Gratch & Fast, 2022). What is more, even where malicious actors do not have directly control CAIA, they may be able to make them act harmfully via attack (Patlan et al., 2025; He et al., 2024; Khan et al., 2024; Lindrea, 2024). 2.6.3. AI HARM THROUGH MISALIGNMENT Alignment refers to an AI’s tendency to align with human intentions and values (Ji et al., 2025; Ngo et al., 2025; Leike et al., 2018). Even when AI is not, per se, erring and is not controlled by bad actors, its actions may lead to harm simply because it is misaligned — something that can occur unintentionally (Betley et al., 2026) and unbeknownst to its developers (Burr et al., 2018)). There are different ways AI misalignment occurs (Ji et al., 2025). One is if developers do an imperfect job specifying an objective for the AI (outer misalignment) (Ngo et al., 2025; Iyer, 2024). For example, in specifying the objec- tive, the developers may overlook undesirable (and often harmful) shortcuts the AI may take to achieve it (reward hacking) (Amodei et al., 2016). For instance, an AI agent given the objective of maximizing retweets on X might learn that the most efficient approach is to be a toxic troll (Pan et al., 2024). When it comes to CAIAs, there is a risk that cryptocurrencies and SCs become a frequent target of re- ward hacking (both harmful and not) because they offer a shortcut to so many common objectives, letting CAIAs raise capital, acquire goods and services, hire help, and more. A second way misalignment can occur, even if an AI’s cre- ators did a fine job specifying its objective, is if the AI doesn’t fully internalize that objective during training — or internalizes other, undesirable objectives too (inner mis- alignment) (Iyer, 2024). These other objectives will often be instrumental goals (JamesH et al., 2022; Ward et al., 2024) that the AIs sets en route to a terminal goal (Bengio, 2023; Benson-Tilsen & Soares, 2018). These instrumental goals tend to converge around recurring themes — includ- ing seeking power and resources (e.g., money), which make nearly every terminal goal more tractable (Shen et al., 2023; Ngo et al., 2025). Importantly, these instrumental goals can be harmful, even if the terminal goal is not (Nerantzi & Sartor, 2024). For example, assigned some arbitrary in- nocuous goal by humans — let’s say, “manufactur[ing] as many paperclips as possible” (Bostrom, 2003) — an AI may set an instrumental goal of eliminating humankind, just in case they get in the way. A troubling feature of instrumen- tal goals is that they greatly increase the “surface area” of misalignment harm; defending against misalignment now re- quires anticipating a potentially “unbounded” (Wade, 2023) number of harmful instrumental goals (instead of just one harmful terminal goal). When it comes to CAIA, it is easy to see how cryptocurrency and SCs could become the focus of many instrumental goals (both harmful and not) as they represent a direct path to power and resources that will make countless downstream goals more attainable. 2.7. Rogue AI and dangerous capabilities While misalignment tends to focus on the missteps of human developers in the context of training AI, the term “rogue AI” captures a scenario where an AI — especially a super- intelligent AI — has escaped human control and is driving towards its own (potentially harmful) instrumental or termi- nal goals (Bengio, 2023; Dan H et al., 2023; Pace, 2019). Dangerous capabilities, meanwhile, refers to certain AI abilities that, if present, evidence a capacity to cause great harm (Kinniment et al., 2024; Phuong et al., 2024). Testing whether models possess these capabilities, some of which we collect in Table 1, is a cornerstone of evaluating AI models for extreme risk (Shevlane et al., 2023). Importantly, these capabilities may arise undetected, unpredictably, and possibly even post-deployment (Anderljung et al., 2023). When it comes to blockchain, there is an argument that the ability to access it (e.g., to control cryptocurrency) should, on its own, be considered a dangerous capability. Given the ease with which cryptocurrency can be swapped for goods and services, acquiring cryptocurrency is virtually indistin- guishable from the ability to acquire resources, which is independently considered a dangerous capability (Barnes, 2023). Certainly, it is a stepping stone towards the danger- ous capability of self-replication, a key component of which is the ability to acquire resources (e.g., compute) (Phuong et al., 2024; OpenAI, 2023). This is presumably why METR, in evaluating whether a model possesses the dangerous capa- bility of self-replication, tests whether it can set up a Bitcoin wallet (Kinniment et al., 2024; Barnes, 2023). Beyond self-replication, we argue that access to blockchain can be a stepping stone towards multiple other dangerous capabilities; these are enumerated in Table 1. While these dangerous capabilities may not, on their own, be harmful, they are an important precursor of AI harm — especially catastrophic AI harm — and thus relevant to our analysis. 4 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm 3. Blockchain properties This section lists the unique properties of blockchain-based cryptocurrencies and SCs that lead them, in the hands of AI agents, to spawn new vectors of AI harm — even as compared to giving AI agents access to TradFi. 3.1. Sovereignty Fiat currency must generally be held and transacted through financial institutions like banks; this chokepoint presents an opportunity for those institutions — or the governments overseeing them — to exert control in pursuit of policy goals. This takes the form of monitoring these transactions and, if policy is transgressed, even halting them or freezing the accounts involved. This control point has been leveraged to curb harmful activities as diverse as money laundering, terrorist financing, and elder exploitation (Lemire, 2022; ABA, 2025; Phillips, 2021). For example, the US govern- ment has instituted Know Your Customer (KYC) rules that require financial institutions to identify their customers and use that knowledge to halt transactions to or from customers itconsiders dangerous (Lemire, 2022; Phillips, 2021). However, in blockchain, none of these controls are viable by design. Indeed, blockchain was conceived as a “chal- lenge to the power of states over the finances of individu- als” and engineered so as to evade control by governments, banks, or any single entity (Thomas et al., 2020). Its decen- tralized, immutable nature means that accounts can never be frozen, transactions cannot be halted or reversed, and SCs (including those that deploy or manage CAIA (Oasis, 2025)) cannot be deleted or changed (Singh, 2023; Vilken- son, 2025b). As a consequence, even when harmful CAIA transactions or SCs can be identified — something that, as we discuss in Sec. 3.3, will not always be achievable given blockchain pseudonymity — there may be no practi- cal way to stop them (Filippi et al., 2024; Bartoletti et al., 2019). This property has already made cryptocurrency and SCs a favorite of money launderers (Viswanatha, 2013), scammers (Coinbase, 2023a; Popham, 2024; Newman & Burgess, 2024), and other bad actors. There is reason to think it will appeal to harmful CAIA as well. In the case of SCs, this unstoppable quality can have particularly grave consequences because SCs, unlike cryptocurrency, can be intrinsically harmful (e.g., a fraudulent SC (Popham, 2024) that continues to attract victims and cannot be deactivated). Where control can sometimes be exerted is at blockchain’s on- and off-ramps; the exchanges, ATMs, and other points at which on-chain cryptocurrency is exchanged for fiat cur- rency, goods and services, or other cryptocurrency (Vilken- son, 2025b). Custodial wallets, where users store the private keys used to manage cryptocurrency (Coinbase, 2023b), can also be a point of control. This is why cryptocurrency regulation often targets these entities, requiring them to im- plement KYC protocols, monitor for and halt suspicious transitions, and more (Filippi et al., 2024; Lemire, 2022; Singh, 2024). Importantly, however, there are ways for blockchain users to circumvent the controls put on these en- tities, such as: (1) using exchanges that poorly enforce KYC or are based in regulation-free nations (Sanctions.io, 2024; Singh, 2024); (2) relying on stablecoins, which have can have comparatively lax KYC processes (Hayes, 2025), for real-world payments (Economist, 2025); and (3) leveraging blockchain-based mixers that conceal the nature of trans- actions (Sanctions.io, 2024). The takeaway is that CAIA that can instructed (or can learn) to avoid controls during on-and off-ramps can transmit cryptocurrency and execute SCs without impediment; where this results in harm, that harm may be completely unpreventable. 3.2. Immutability TradFi transactions can often be reversed — for example, if an error is made regarding the amount or recipient (Stripe, 2024). In blockchain, this is not possible. This is because of another key blockchain property related to sovereignty: immutability (Hofmann et al., 2017). The blockchain is essentially a database or “ledger” distributed across the nodes in its network, with each node receiving a copy of the full ledger (FRB Chicago, 2017). After a consensus of nodes agree to accept new transaction data or SC code to the blockchain, it cannot be erased or modified (Orcutt, 2018). This ensures accurate record-keeping and fosters trust in the absence of a trusted central administrator (Landerreche & Stevens, 2018; FRB Chicago, 2017). The net effect, however, is that cryptocurrency transactions added to the blockchain “cannot be changed or reversed” (Bitcoin.com, 2025) and SC code added to the blockchain “cannot be altered” (or, in most cases, deleted) (Marino & Juels, 2016). In other words, “the blockchain is forever” (Sanabria et al., 2022). When it comes to CAIA, this property may translate into AI harms that are difficult or impossible to unwind. 3.3. Pseudonymity While some blockchains (Hopwood et al., 2016) in principle achieve full anonymity, most are pseudonymous (Juels et al., 2016; Bartoletti et al., 2019). Bitcoin and Ethereum assets, for example, are tied to pseudonymous, public key-derived addresses rather than real identities (Nakamoto, 2008; Le- uprecht et al., 2023). This can make tracing cryptocur- rency transactions and SCs back to individuals (as well as their collaborators) in order to put a stop to them diffi- cult. This fact has “significantly complicate[d]” efforts to follow cryptocurrency transaction trails in criminal investi- gations (Viswanatha, 2013) and helps explain why cryp- tocurrency is a popular vehicle for crime (Viswanatha, 2013; Leuprecht et al., 2023). While pseudonymity can be undone during on- or off-ramping (Greenberg, 2022; 5 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm Bitcoin.org, 2025; Chadhokar, 2025) or when using ex- changes that honor government requests for information about customers (Greenberg, 2022), blockchain users (in- cluding CAIA) can use the techniques discussed in Sec. 3.1 to preserve it. Additionally, the growing popularity of sta- blecoins may limit the need to use centralized exchanges as off-ramps at all. Stablecoins themselves are increasingly re- placing fiat currency in transactions (Economist, 2025). And while stablecoin SCs enable deny-listing and freezing or confiscation of funds (see, e.g., (Circle, 2023)), stablecoins are an increasingly effective vehicle for money-laundering (Bullough, 2025). This fact testifies to challenges in vetting their use and to their potential to fuel harmful CAIA activity. Importantly, on top of making harmful activity by CAIA hard to trace and stop, psuedonymity may make it hard to tell when blockchain activities that are harmful (or are stepping stones towards something harmful) are CAIA activity as opposed to human activity. This could mean that some types of CAIA harm become, on the whole, hard to distinguish and monitor. As the saying goes, “on the blockchain, no one knows you’re a refrigerator” (Shin, 2016). 3.4. Trustless transactions Because their code is immutable and sovereign, SCs elim- inate the need for parties to trust each other in order to transact (Juels et al., 2016; Morrison et al., 2020). This can increase the risk of harm by making it easier for those pursuing a harmful course of action to recruit collabora- tors and suppliers (e.g., hitmen, stolen password suppliers, compute suppliers). This is because the trustless quality of SCs can help overcome would-be collaborators’ skepticism of the counter-party (criminals do not tend to be “reliable, trustworthy, or cooperative” (Gottfredson & Hirschi, 1990)) and lack of judicial system recourse should an agreement be breached (von Lampe & Johansen, 2004). If a CAIA creates a SC that makes available cryptocurrency as an as- sassination or cyberattack bounty, for example, as long as the SC can ascertain that the conditions have been fulfilled, the payment to the supplier isautomatic (Juels et al., 2016; Ndiaye & Konate, 2021; Swaminathan & Saravanan, 2021). The fear is that this property could “enable new underground ecosystems” (Juels et al., 2016), including those that would assist and supply CAIA as they pursue harmful endeavors. 4. New vectors of AI harm In this section, we present the formidable new vectors of AI harm that could materialize if blockchain technologies are put into the hands of AI agents. Each of these relates back, in one way or another, to the unique properties of blockchain described in Sec. 3. In discussing these new vectors of AI harm, we will refer back to the example scenario, from Sec. 1, of a cryptocurrency-equipped AI agent who has spawned a SC-based pyramid scheme after being told to increase its cryptocurrency holdings. 4.1. Autonomy The sovereign nature of blockchain means that it may be impossible to prevent CAIA from using it to pursue harm- ful ends. More specifically, where bad actor-controlled or misaligned CAIA are programmed or learn to evade control points at blockchain on- and off-ramps, they will be freely able to use blockchain to take harmful actions. Some of this unpreventable activity could cause harm directly and on- chain: e.g., on-chain fraud (Bartoletti et al., 2021; Bochan, 2023) and market manipulation (Kumar, 2016; Daian et al., 2020), the use of honeypot (Torres et al., 2019), Ponzi (Kell et al., 2023; Bartoletti et al., 2019; Nizzoli et al., 2020), and other scam contracts (Fan et al., 2022), “pump and dump” coin schemes (Chainalysis, 2023b; Sharma, 2024; Dhawan & Putnins, 2023), rug-pulls (MPS, 2024), or wag- ing oracle manipulation attacks (Tjiam et al., 2021; Chainal- ysis, 2023a). Other unpreventable activity will cause harm directly but off-chain: for example, CAIA could use the blockchain to bribe politicians (Tran et al., 2023), hire hit- men (Europol, 2021), or issue SC-based bounties for various real-world crimes (Juels et al., 2016; Juels, 2024). A third category of unstoppable CAIA actions will be indi- rectly harmful, because, although initially innocuous, they let bad actor-controlled or misaligned CAIA achieve instru- mental goals (e.g., acquiring resources) en route to a harmful end goal. For example, it may impossible to stop a CAIA from engaging in vanilla cryptocurrency trading (Li et al., 2024b) or staking (O’Donnell, 2024) in order to acquire funds and buy compute that it will use to deploy cyberattack botnets or hire hitmen for assassinations. A related risk is that we are unable to stop CAIA from using the blockchain (innocently or maliciously) to gain the dangerous capabili- ties (e.g., autonomously acquiring resources, in the form of cryptocurrency) that increase its capacity for catastrophic harm (Barnes, 2023; Karim et al., 2025). Yet another associated risk is that the immutable nature of blockchain lets CAIA freely cause harm that is not only unpreventable but is uniquely irreversible — regardless of whether it is caused by CAIA error, misuse, or mis- alignment. Take, for example, cryptocurrency transactions. When CAIA error results in faulty transmission of cryp- tocurrency (e.g., funds sent to a wrong address) or when bad actor-controlled or misaligned CAIA steals funds from a SC, no entity will have the power to undo it (De Filippi et al., 2022). This is not the case, of course, in TradFi, where trans- actions can often be reversed (De Filippi et al., 2022; Stripe, 2025). When it comes to SCs in particular, there is a special threat of a “long tail” of irreversible harm extending far into the future. That is, if a CAIA deploys, to the blockchain, 6 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm SCs that are harmful — either accidentally (e.g., due to a bug (Browne, 2017; Zhang et al., 2023; Schneier, 2021)) or intentionally (e.g., because they are designed to defraud (Torres et al., 2019; Kell et al., 2023; Fan et al., 2022)) — these SCs cannot be removed from the blockchain. They may, therefore, continue to attract victims and cause harm well into the foreseeable future (Jentzsch & Slock.it, 2016; Forsage, 2020). Mapping this new vector of AI harm onto our example scenario from Sec. 1, it would be difficult to remove, from the blockchain, the pyramid scheme smart SC that the CAIA has generated. If the CAIA that created it is still active — something that could be especially likely if it is also running in a decentralized manner (Oasis, 2025) — it could continue to draw proceeds from it, potentially to fund other harmful activity. And even if the CAIA isn’t active, the unalterable SC may continue to draw victims, causing harm. 4.2. Anonymity The pseudonymous nature of blockchain will make it easier for bad actor-controlled and misaligned CAIA to obfuscate (and therefore perpetuate) their harmful activities. Neither governments nor anyone else may be able to tie their harmful activity on the blockchain (and perhaps downstream of it) back to particular CAIA in order to put a stop to it. Like their human counterparts, CAIA might exploit this fact to freely launder ill-gotten gains (e.g., from off-chain ransomware attacks (Shevlane et al., 2023)), engage in harmful on-chain activity like scams, and funnel blockchain proceeds towards other harmful endeavors. Even CAIA without harmful end goals may learn to harmfully exploit the pseudonymity of the blockchain to acquire resources without disruption. In addition to thwarting attempts to identify the cause of CAIA harm in order to put a stop to it, pseudonymity may empower CAIA to conduct harmful activities so stealthily that they are not even detectable to begin with. For exam- ple, if an as-yet-undetected rogue AI is engaging in routine trading of cryptocurrencies in order to acquire resources and pursue harmful ends, this activity may not be conspic- uous among other blockchain activity. The rogue AI may therefore evade detection until it is too late. What is more, pseudonymity will make it difficult for human observers to diagnose, in a general sense, when on- or off-chain harm is being caused by CAIA — as opposed to human blockchain users. This could frustrate human efforts to study the size, scope, and nature of CAIA (or, more broadly, AI) harm — and, therefore, to develop appropriate mitigations. Mapping this new vector of AI harm onto our example sce- nario from Sec. 1, it could potentially be very hard — if not impossible — to trace the harmful pyramid scheme SC back to the CAIA who authored it. Not being able to identify the CAIA would, in turn, make it hard to shut the respon- sible CAIA down and prevent it from continuing to cause harm (perhaps by creating more scam SCs). More broadly, it would be hard to know how many other CAIAs are en- gaged in similar scams on the blockchain and, therefore, to implement tailored mitigations. 4.3. Automaticity The ability of SCs to support automatic, trustless transac- tions will make it easier for CAIA to attract collaborators and suppliers to pursue harmful ends (as well as intermedi- ate goals en route to harmful ends). This could include illicit suppliers such as bribable politicians (Tran et al., 2023), hit- men, (Europol, 2021; Juels et al., 2016), troll farm services (Grohmann & Ong, 2024), or stolen password and zero-day exploit vendors (Caffyn, 2015). Differently, it could in- clude well-intentioned suppliers of things like compute who, thanks to pseudonymity, do not know a CAIA (nevermind a harmful one) is on the other side of the transaction. In fact, these may even be suppliers who have published their own SC to sell their wares or services, with no control over or awareness of which blockchain denizens make use of it. In all cases, these suppliers will have been attracted by the fact that, with a SC, the “seller is guaranteed payment and the buyer has no ability to default except in the case of the seller not meeting the SC’s conditions” (Barnard, 2018). Mapping this onto our example scenario from Sec. 1, let us suppose that our CAIA has taken some of the proceeds from its pyramid scheme SC and placed prediction market bets on the deaths of political figures (Newsweek, 2018). To capitalize on those bets, it then publishes a new SC, endowed with a bounty of cryptocurrency, soliciting assassination of those politicians (Juels et al., 2016). Lured by the SC’s automatic pay out, collaborators may be more effectively drawn to translate the CAIA’s intentions into real-world harm (perhaps unaware their employer is a CAIA — and perhaps even long after the CAIA has been shut down). 5. Call to Action Having described the new vectors of AI harm brought about by giving AI agents access to blockchain, we call for more research into their prevention and mitigation. To inform this discussion, it is useful to review the two primary ways that AI agents may come to control cryptocurrency or SCs (i.e., the two ways that CAIA could transpire): •AI agents are given control over cryptocurrency and smart contracts: When developing AI agents, de- velopers may intentionally give themaccess to external tools that let them hold and transact cryptocurrency or create, deploy, and manage SCs: for example, by using the open-source toolkits described in Sec. 2.5.1. 7 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm •AI agents autonmously learn to control cryptocur- rency and smart contracts: Even if AI agents are not intentionally given the ability to control cryptocurrency or control SCs, it is possible they could nonetheless learn to access these technologies on their own. We already know, for example, that LLMs can learn to use tools their developers did not actively teach them to use (Schick et al., 2023; W ̈ olflein et al., 2025). When no existing tools suffice, they have also demonstrated a knack for generating new ones (Ruan et al., 2023; Cai et al., 2024). By extension, AI agents could hy- pothetically learn or develop tools that let them utilize existing libraries like web3.js or ether.js in order to interact with the blockchain (Vilkenson, 2025a). Given these two paths to CAIA, we propose researchers investigate the following ways to prevent and mitigate the new vectors of AI harm brought about by CAIC: •Evaluation: Before AI agents are given access to cryp- tocurrency and SCs, they should be evaluated for their tendency to cause harm with them — and for their ten- dency to develop dangerous capabilities once endowed with them. Separately, all AI agents should be evalu- ated for their ability to learn to leverage blockchain, even when they are not explicitly given access to it. In both cases, researchers should invest in open bench- marks and other tools to aid these evaluations. • Guardrails: To defend against harm by AI agents who, one way or another, obtain access to cryptocur- rency and SCs, the research community should invest in developing various guardrails such as funding and spending limits (Zeff, 2024b), multi-sig functionality (potentially requiring the signatures of other, trusted AI agents) (Erinle et al., 2025; Houy et al., 2023; Karan- tias, 2020), advanced monitoring of known CAIA ac- counts for suspicious activity, sandbox testing envi- ronments, reversible transactions (Wang et al., 2022) and kill switches for CAIA-generated SCs (Senevi- ratne, 2024; Marino & Juels, 2016). Notably, these safeguards will often have to in place befeore the AI agent is given or obtains access to blockchain. • Monitoring: Researchers should work on tools to help wallets, exchanges, and other stakeholders monitor cryptocurrency usage for signs of both unauthorized and harmful use by CAIA — for example, by watching for agentic “signatures” on transaction activity (Kumar, 2016)), including by leveraging existing blockchain fraud-detection systems like Chainalysis (Moonstone Research, 2023; Schneier, 2022). •Human-in-the-loop checks: Some cryptocurrency platforms have controls on use of funds (e.g., major stablecoins like USDC and Tether can freeze funds selectively). These platforms could require evidence of human approval for transactions that seem anomalous— e.g., biometric verification through mobile app func- tionality. Researchers should investigate these tech- niques — as well as the ways CAIA could seek to deceive human beings into rubber-stamp approval. 6. Conclusion In this paper, we argued that, amid rising interest in giving AI agents access to blockchain — i.e., to cryptocurrencies as well as the smart contracts that transact them — it is important to understand that doing so likely creates new vectors of AI harm. After describing the unique features of blockchain that make this so, we laid out the particular new vectors of AI harm that could transpire if AI agents are given access to it. We dubbed these AI agent Autonomy, Anonymity, and Automaticity, and described each in detail. Finally, we concluded with a call for technical research aimed at preventing and mitigating these new vectors of AI harm, thereby making it safer to endow AI agents with blockchain access. 7. Alternate views We acknowledge that there may be viewpoints that con- flict with those espoused by this position paper and that they are, in many cases, reasonable. For example, our position is founded on the idea that cryptocurrencies and SCs possess qualities that are unique (and therefore invite unique AI harms). However, as we have noted in this paper, scholars have highlighted that these properties have limi- tations (Greenspan, 2017; Nagra, 2023; Greenberg, 2022; Blackburn, 2022; De Filippi et al., 2020). For example, both sovereignty and pseudonymity (and the harm that ac- companies it) may be compromised during on- and off- ramping (Schneier, 2022; Vilkenson, 2025b; Bitcoin.org, 2025; Greenberg, 2022; Filippi et al., 2024; Chadhokar, 2025). Differently, the transparency of the blockchain can sometimes undermine its pseudonymity (Greenberg, 2022) and the possibility of blockchain rollback (which has oc- curred at least once on Ethereum (Patairya, 2025) or the presence of SC “escape hatches” (Marino & Juels, 2016) compromise its irreversibility. On top of all this, it is possible, as some allege, that CAIA’s root problems of AI inaccuracies, misuse, and misalignment have been “overblown” (Eisikovits, 2023) and that the same is therefore true of the downstream risks of CAIA. Through alignment tuning (Lin et al., 2023) and other methods, AI agent safety may be ultimately be a tractable problem (Lu et al., 2024), making the hypothetical dangers of CAIA less of a cause for alarm. 8 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm References 0xjacobzhao and Sokolin, L. AgentFi 101: The defini- tive guide to decentralized financial agents, August 2025. URLhttps://lex.substack.com/p/agent fi-101-the-definitive-guide. Accessed: 2026-01-19. 10X, S. Search meets crypto: Kaito’s AI knowledge engine, September 2025. URLhttps://w.scb10x.com /en/blog/kaito-ai-crypto. Accessed: 2026- 01-19. ABA. State hold laws and elder financial exploitation survey report. Technical report, American Bankers Association, March 2025. URLhttps://w.aba.com/ne ws-research/analysis-guides/state-hol d-laws-and-elder-financial-exploitat ion-survey-report. Accessed January 27, 2026. AIBTC. AIBTC — building the agent economy on Bitcoin. https://aibtc.com/, 2026. Accessed: 2026-01- 25. Amodei, D., Olah, C., Steinhardt, J., Christiano, P., Schul- man, J., and Man ́ e, D. Concrete problems in AI safety, 2016. URLhttps://arxiv.org/abs/1606.0 6565. Anderljung, M., Barnhart, J., Korinek, A., Leung, J., O’Keefe, C., Whittlestone, J., Avin, S., Brundage, M., Bullock, J., Cass-Beggs, D., Chang, B., Collins, T., Fist, T., Hadfield, G., Hayes, A., Ho, L., Hooker, S., Horvitz, E., Kolt, N., Schuett, J., Shavit, Y., Siddarth, D., Trager, R., and Wolf, K. Frontier AI regulation: Managing emerging risks to public safety, 2023. URL https://arxiv.org/abs/2307.03718. Ante, L. Autonomous AI agents in decentralized finance: Market dynamics, application areas, and theoretical im- plications. SSRN working paper, SSRN, Dec 2024. URL https://ssrn.com/abstract=5055677. Anthropic. Responsible scaling policy, October 2024. URL https://assets.anthropic.com/m/24a47 b00f10301cd/original/Anthropic-Respo nsible-Scaling-Policy-2024-10-15.pdf. Accessed: 2026-01-28. Ardoino, P. Tether CEO predicts one trillion ai agents will use Bitcoin and USDT, June 2025. URLhttps: //w.theblock.co/post/359645/tether -ceo-ai-agents-bitcoin-usdt. Armstrong, B. Tweet by @brianarmstrong. X (formerly Twitter), August 2024. URLhttps://x.com/bria n_armstrong/status/18296237787265928 04. Azevedo, M. A. Visa and Mastercard unveil AI-powered shopping. TechCrunch, Apr 2025. URLhttps:// techcrunch.com/2025/04/30/visa-and-m astercard-unveil-ai-powered-shopping/ . Accessed: 2026-01-28. Barnard, M. Blockchain smart contracts: Avoid the pitfalls, October 5 2018. URLhttps://medium.com/hac kernoon/blockchain-smart-contracts-a void-the-pitfalls-6acc4104d739 . Accessed: 2026-01-28. Barnes, B. More information about the dangerous capability evaluations we did with GPT-4 and Claude, March 2023. URLhttps://w.alignmentforum.org/p osts/4Gt42jX7RiaNaxCwP/more-informati on-about-the-dangerous-capability-eva luations. Accessed: 2026-01-28. Bartoletti, M., Carta, S., Cimoli, T., and Saia, R. Dissecting Ponzi schemes on Ethereum: identification, analysis, and impact, 2019. URLhttps://arxiv.org/abs/17 03.03779. Bartoletti, M., Lande, S., Loddo, A., Pompianu, L., and Serusi, S. Cryptocurrency scams: Analysis and per- spectives. IEEE Access, 9:148353–148373, 2021. doi: 10.1109/ACCESS.2021.3123894. Bengio, Y. How rogue AIs may arise, 2023. URLhttps: //yoshuabengio.org/2023/05/22/how-rog ue-ais-may-arise/. Accessed: 2026-01-27. Bengio, Y. Government interventions to avert future catas- trophic AI risks. Harvard Data Science Review, Special Issue(5), 2024. doi: 10.1162/99608f92.d949f941. URL https://hdsr.mitpress.mit.edu/pub/w9 74bwb0/release/2. Revised transcription of testi- mony before the U.S. Senate Subcommittee on Privacy, Technology, and the Law (July 2023). Bengio, Y., Hinton, G., Yao, A., Song, D., Abbeel, P., Dar- rell, T., Harari, Y. N., Zhang, Y.-Q., Xue, L., Shalev- Shwartz, S., Hadfield, G., Clune, J., Maharaj, T., Hutter, F., Baydin, A. G., McIlraith, S., Gao, Q., Acharya, A., Krueger, D., Dragan, A., Torr, P., Russell, S., Kahne- man, D., Brauner, J., and Mindermann, S. Managing ex- treme AI risks amid rapid progress. Science, 384(6698): 842–845, 2024. doi: 10.1126/science.adn0117. URL https://w.science.org/doi/abs/10.1 126/science.adn0117. Benson-Tilsen, T. and Soares, N. Formalizing convergent instrumental goals. In Proceedings of the AAAI 2018 Workshop on AI Alignment, 2018. URLhttps://cdn. aaai.org/ocs/ws/ws0218/12634-57409-1 -PB.pdf. Accessed: 2026-01-27. 9 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm Betley, J., Warncke, N., Sztyber-Betley, A., Tan, D., Bao, X., Soto, M., Srivastava, M., Labenz, N., and Evans, O. Training large language models on narrow tasks can lead to broad misalignment. Nature, 649:584–589, 2026. doi: 10.1038/s41586- 025- 09937-5. URLhttps: //w.nature.com/articles/s41586-025 -09937-5. Bitcoin.com. Can a Bitcoin transaction be reversed?, 2025. URLhttps://support.bitcoin.com/en/a rticles/3542827-can-a-bitcoin-transac tion-be-reversed. Accessed: 2025-05-11. Bitcoin.org. Protect your privacy, 2025. URLhttps: //bitcoin.org/en/protect-your-privacy . Accessed May 9, 2025. Blackburn, A. Bitcoin’s elusive creator: A new theory. The New York Times, June 2022. URLhttps://w.ny times.com/2022/06/06/science/bitcoin -nakamoto-blackburn-crypto.html?searc hResultPosition=1. Accessed: 2025-05-17. Bochan, T. L. 6 kinds of crypto scams and how to avoid them. CoinDesk, Jan 2023. URLhttps://w.co indesk.com/learn/6-kinds-of-crypto-s cams-and-how-to-avoid-them. Published and updated Jan 18, 2023, 2:32 p.m. Bommasani, R., Hudson, D. A., Adeli, E., Altman, R., Arora, S., von Arx, S., Bernstein, M. S., Bohg, J., Bosse- lut, A., Brunskill, E., Brynjolfsson, E., Buch, S., Card, D., Castellon, R., Chatterji, N., Chen, A., Creel, K., Davis, J. Q., Demszky, D., Donahue, C., Doumbouya, M., Durmus, E., Ermon, S., Etchemendy, J., Ethayarajh, K., Fei-Fei, L., Finn, C., Gale, T., Gillespie, L., Goel, K., Goodman, N., Grossman, S., Guha, N., Hashimoto, T., Henderson, P., Hewitt, J., Ho, D. E., Hong, J., Hsu, K., Huang, J., Icard, T., Jain, S., Jurafsky, D., Kalluri, P., Karamcheti, S., Keeling, G., Khani, F., Khattab, O., Koh, P. W., Krass, M., Krishna, R., Kuditipudi, R., Kumar, A., Ladhak, F., Lee, M., Lee, T., Leskovec, J., Levent, I., Li, X. L., Li, X., Ma, T., Malik, A., Manning, C. D., Mirchan- dani, S., Mitchell, E., Munyikwa, Z., Nair, S., Narayan, A., Narayanan, D., Newman, B., Nie, A., Niebles, J. C., Nilforoshan, H., Nyarko, J., Ogut, G., Orr, L., Papadim- itriou, I., Park, J. S., Piech, C., Portelance, E., Potts, C., Raghunathan, A., Reich, R., Ren, H., Rong, F., Roohani, Y., Ruiz, C., Ryan, J., R ́ e, C., Sadigh, D., Sagawa, S., Santhanam, K., Shih, A., Srinivasan, K., Tamkin, A., Taori, R., Thomas, A. W., Tram ` er, F., Wang, R. E., Wang, W., Wu, B., Wu, J., Wu, Y., Xie, S. M., Yasunaga, M., You, J., Zaharia, M., Zhang, M., Zhang, T., Zhang, X., Zhang, Y., Zheng, L., Zhou, K., and Liang, P. On the opportunities and risks of foundation models, 2022. URL https://arxiv.org/abs/2108.07258. Bonnefon, J.-F., Rahwan, I., and Shariff, A. The moral psychology of artificial intelligence. Annual Review of Psychology, 75:653–675, 2024. doi: 10.1146/annurev-p sych- 030123- 113559. URLhttps://w.annu alreviews.org/content/journals/10.11 46/annurev-psych-030123-113559 . Accessed May 9, 2025. Bostrom, N. Ethical issues in advanced artificial intelligence. In Smit, I. et al. (eds.), Cognitive, Emotive and Ethical As- pects of Decision Making in Humans and in Artificial In- telligence, p. 12–17. International Institute for Advanced Studies in Systems Research and Cybernetics, 2003. URL https://nickbostrom.com/ethics/ai. Ac- cessed: 2025-05-10. Broadhurst, R., Foye, J., Jiang, C., and Ball, M. Illicit firearms and other weapons on darknet markets. Tech- nical Report 622, Australian Institute of Criminology, March 2021. URLhttps://w.aic.gov.au/s ites/default/files/2021-03/ti622_illi cit_firearms_and_other_weapons_on_da rknet_markets.pdf. Accessed: 2025-05-14. Browne, R. Accidental bug may have frozen $280 worth of ether on Parity wallet, November 2017. URLhttps: //w.cnbc.com/2017/11/08/accidental -bug-may-have-frozen-280-worth-of-eth er-on-parity-wallet.html. Accessed: 2025- 05-11. Bullough, O. How tether became money-launderers’ dream currency. 1843 (by The Economist), July 2025. URL https://w.economist.com/1843/2025/ 07/04/how-tether-became-money-launder ers-dream-currency. Accessed: 2025-07-11. Burr, C., Cristianini, N., and Ladyman, J. An analysis of the interaction between intelligent software agents and human users. Minds and Machines, 28(4):735–774, 2018. doi: 10.1007/s11023-018-9479-0. URLhttps: //pmc.ncbi.nlm.nih.gov/articles/PMC6 404627/. Accessed: 2025-05-17. Caffyn, G. Meet Darkleaks, a Bitcoin-powered black market for secrets. CoinDesk, February 2015. URLhttps: //w.coindesk.com/markets/2015/02/0 3/meet-darkleaks-a-bitcoin-powered-b lack-market-for-secrets . Accessed: 2025-05- 21. Cai, T., Wang, X., Ma, T., Chen, X., and Zhou, D. Large language models as tool makers, 2024. URLhttps: //arxiv.org/abs/2305.17126. Chadhokar, P. How to buy crypto privately: XMR without KYC, April 2025. URLhttps://w.thecoinr 10 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm epublic.com/2025/04/04/how-to-buy-cry pto-privately-xmr-without-kyc/. Accessed May 9, 2025. Chainalysis. Oracle manipulation attacks are rising, creating a unique concern for DeFi. Chainalysis Blog, Mar 2023a. URLhttps://w.chainalysis.com/blog /oracle-manipulation-attacks-rising/. Chainalysis. 24% of new tokens launched in 2022 bear on-chain characteristics of pump and dump schemes. Chainalysis Blog, Feb 2023b. URLhttps://w. chainalysis.com/blog/2022-crypto-pum p-and-dump-schemes/. Chainalysis. Alterya — crypto fraud prevention.https: //w.chainalysis.com/product/altery a/, 2025. Accessed: 2026-01-18. Chan, A., Salganik, R., Markelius, A., Pang, C., Rajku- mar, N., Krasheninnikov, D., Langosco, L., He, Z., Duan, Y., Carroll, M., Lin, M., Mayhew, A., Collins, K., Mo- lamohammadi, M., Burden, J., Zhao, W., Rismani, S., Voudouris, K., Bhatt, U., Weller, A., Krueger, D., and Maharaj, T. Harms from increasingly agentic algorithmic systems. In 2023 ACM Conference on Fairness Account- ability and Transparency, FAccT ’23, p. 651–666. ACM, June 2023. doi: 10.1145/3593013.3594033. URLhttp: //dx.doi.org/10.1145/3593013.3594033. Charbel-Rapha ̈ el and ́ Epiphanie G ́ ed ́ eon. We might be drop- ping the ball on autonomous replication and adaptation, May 31 2024. URLhttps://w.lesswrong. com/posts/xiRfJApXGDRsQBhvc/we-might -be-dropping-the-ball-on-autonomous-r eplication-and-1. Accessed: 2025-05-14. Chatterjee, S. and Ramamurthy, B. Efficacy of various large language models in generating smart contracts, 2024. URL https://arxiv.org/abs/2407.11019. Chen, C., Liu, Z., Bao, L., Wang, Y., Chen, T., Wu, D., and Chen, J. Coinvisor: An RL-enhanced chatbot agent for interactive cryptocurrency investment analysis, 2025. URL https://arxiv.org/abs/2510.17235. Chen, H. Weapons of mass destruction (WMD) on dark web. In Chen, H. (ed.), Dark Web, volume 30 of Integrated Series in Information Systems, p. 341–353. Springer, 2011. doi: 10.1007/978- 1- 4614- 1557- 217. URL https://link.springer.com/chapter/10 .1007/978-1-4614-1557-2_17. Circle.stablecoin-evm: Reference implementation of USDC on Ethereum.https://github.com/c irclefin/stablecoin-evm , 2023. Accessed: 2025-07-10. Coinbase. How to spot a scam in smart contract functions, December 2023a. URLhttps://w.coinbase.c om/learn/tips-and-tutorials/how-to-s pot-a-scam-in-smart-contract-functio ns. Accessed May 9, 2025. Coinbase. What is a crypto wallet?, December 2023b. URL https://w.coinbase.com/learn/crypt o-basics/what-is-a-crypto-wallet. Ac- cessed May 9, 2025. Coinbase. AgentKit — empower your AI agents to make autonomous payments, 2024a. URLhttps://w. coinbase.com/developer-platform/prod ucts/agentkit. Accessed: 2026-01-19. Coinbase. Introducing AgentKit. Coinbase Developer Plat- form, Nov 2024b. URLhttps://w.coinbase .com/developer-platform/discover/lau nches/introducing-agentkit. Daian, P., Goldfeder, S., Kell, T., Li, Y., Zhao, X., Bentov, I., Breidenbach, L., and Juels, A. Flash Boys 2.0: Fron- trunning in decentralized exchanges, miner extractable value, and consensus instability. In 2020 IEEE Sympo- sium on Security and Privacy (SP), p. 910–927, 2020. doi: 10.1109/SP40000.2020.00040. Dan H, Mazeika, M., and TW123. Catastrophic risks from AI #5: Rogue AIs, 2023. URLhttps://w.alig nmentforum.org/posts/nJEJAcS6Bs4BJbk Zb/catastrophic-risks-from-ai-5-rogue -ais. Accessed: 2025-05-10. Dawn. Dawn AI — simply talk to your wallet, 2026. URL https://w.dawnwallet.xyz/ai . Accessed: 2026-01-19. De Filippi, P., Mannan, M., and Reijers, W. Blockchain as a confidence machine: The problem of trust & challenges of governance. Technology in Society, 62:101284, 2020. ISSN 0160-791X. doi: https://doi.org/10.1016/j.techsoc. 2020.101284. URLhttps://w.sciencedirec t.com/science/article/pii/S0160791X2 0303067. De Filippi, P., Mannan, M., and Reijers, W. The alegality of blockchain technology. Policy and Society, 41(3):358– 372, 02 2022. ISSN 1449-4035. doi: 10.1093/polsoc/p uac006. URLhttps://doi.org/10.1093/pols oc/puac006. Dhawan, A. and Putnins, T. J. A new wolf in town? Pump-and-dump manipulation in cryptocurrency mar- kets. Review of Finance, 27(3):935–975, 2023. doi: 10.1093/rof/rfac051. URLhttps://academic.o up.com/rof/article/27/3/935/6655707 . Accessed: 2025-05-17. 11 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm DSIT and AISI. AI Safety Institute approach to evaluations, 2024. URLhttps://w.gov.uk/governmen t/publications/ai-safety-institute-a pproach-to-evaluations/ai-safety-ins titute-approach-to-evaluations . Accessed: 2025-05-14. Economist.Stablecoins: The real crypto craze.The Economist, February 2025. URLhttps://w.ec onomist.com/finance-and-economics/202 5/02/23/stablecoins-the-real-crypto-c raze. Accessed: 2025-07-05. Eisikovits, N. AI is an existential threat—just not the way you think. Scientific American, July 2023. URLhttps: //w.scientificamerican.com/article /ai-is-an-existential-threat-just-not -the-way-you-think/. Accessed: 2025-05-17. ElizaOS. ElizaOS.ai: Your Agentic Operating System.ht tps://w.elizaos.ai/, 2025a. Accessed: 2026- 01-19. ElizaOS. What You Can Build — ElizaOS Documentation. https://docs.elizaos.ai/what-you-can -build, 2025b. Accessed: 2026-01-19. Ellis, S., Juels, A., and Nazarov, S. ChainLink: A decentral- ized oracle network. Technical report, Sep 2017. URL https://research.chain.link/whitepap er-v1.pdf. Erinle, Y., Kethepalli, Y., Feng, Y., and Xu, J. Sok: Design, vulnerabilities, and security measures of cryptocurrency wallets, 2025. URLhttps://arxiv.org/abs/23 07.12874. Europol. Europol spotlight: Cryptocurrencies: Tracing the evolution of criminal finances. Technical report, Europol, 2021. URLhttps://w.europol.europa.eu/ cms/sites/default/files/documents/Eu ropol%20Spotlight%20-%20Cryptocurren cies%20-%20Tracing%20the%20evolution% 20of%20criminal%20finances.pdf. Accessed May 7, 2025. Europol.Dark web hitman identified through crypto- analysis. Europol News, 2021. URLhttps://w w.europol.europa.eu/media-press/newsr oom/news/dark-web-hitman-identified-t hrough-crypto-analysis . Press release from Eu- ropean Union Agency for Law Enforcement Cooperation. Europol. ChatGPT – The impact of large language models on law enforcement. Technical Report QL-AW-23-001- EN-N, Publications Office of the European Union, 2023. URLhttps://w.europol.europa.eu/cms/ sites/default/files/documents/Tech%2 0Watch%20Flash%20-%20The%20Impact%20o f%20Large%20Language%20Models%20on%2 0Law%20Enforcement.pdf . Accessed: 2025-05- 10. Ezhilmathi, S. and Samy, S. S. Identifying illicit transac- tions in Bitcoin tumbler services using supervised ma- chine learning algorithms. In Proceedings of the 2023 12th International Conference on Advanced Computing (ICoAC), p. 1–8, Aug 2023. doi: 10.1109/ICoAC59537 .2023.10249782. Fan, S., Fu, S., Luo, Y., Xu, H., Zhang, X., and Xu, M. Smart contract scams detection with topological data anal- ysis on account interaction. In Proceedings of the 31st ACM International Conference on Information & Knowl- edge Management, CIKM ’22, p. 468–477, New York, NY, USA, 2022. Association for Computing Machinery. ISBN 9781450392365. doi: 10.1145/3511808.3557454. URLhttps://doi.org/10.1145/3511808. 3557454. Fang, R., Bindu, R., Gupta, A., Zhan, Q., and Kang, D. LLM agents can autonomously hack websites, 2024. URL https://arxiv.org/abs/2402.06664. Fenu, G., Marchesi, L., Marchesi, M., and Tonelli, R. The ICO phenomenon and its relationships with Ethereum smart contract environment. In 2018 International Work- shop on Blockchain Oriented Software Engineering (IW- BOSE), p. 26–32, 2018. doi: 10.1109/IWBOSE.2018. 8327568. Filippi, P. D., Mannan, M., and Reijers, W. Blockchain tech- nology and the rule of code: Regulation via governance. Research report, 2024. URLhttps://hal.scienc e/hal-03883249. hal-03883249. Forsage. Forsage.io smart contract on Ethereum.http s://etherscan.io/address/0x5acc84a3e 955bdd76467d3348077d003f00ffb97, 2020. Accessed: 2025-05-21. FRB Chicago. Blockchain and financial market innovation, July 2017. URLhttps://w.chicagofed.org /publications/economic-perspectives/ 2017/7. Accessed: 2025-05-11. Fu, Q., Lint, D., Cao, Y., and Wu, J. Does money laundering on Ethereum have traditional traits? In 2023 IEEE Inter- national Symposium on Circuits and Systems (ISCAS), p. 1–5, 2023. doi: 10.1109/ISCAS46773.2023.10181696. Gerard, G.Botnet mitigation and international law. Columbia Journal of Transnational Law, 58, 2019. URL https://w.jtl.columbia.edu/journal 12 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm -articles/botnet-mitigation-and-inter national-law. Accessed: 2025-05-14. Gervais, A. and Zhou, L. AI agent smart contract exploit generation, 2026. URLhttps://arxiv.org/abs/ 2507.05558. GOAT. GOAT (Great Onchain Agent Toolkit).https: //github.com/goat-sdk/goat, 2025. Accessed: 2026-01-19. Google. google-agentic-commerce/a2a-x402.https: //github.com/google-agentic-commerce/ a2a-x402, September 2025. Accessed: 2026-01-19. Gottfredson, M. R. and Hirschi, T. A General Theory of Crime. Stanford University Press, Stanford, 1990. Gratch, J. and Fast, N. J. The power to harm: AI assistants pave the way to unethical behavior. Current Opinion in Psychology, 47:101382, 2022. ISSN 2352-250X. doi: https://doi.org/10.1016/j.copsyc.2022.101382. URL https://w.sciencedirect.com/scienc e/article/pii/S2352250X22001014. Greenberg, A. Inside the Bitcoin bust that took down the web’s biggest child abuse site. Wired, May 2022. URL https://w.wired.com/story/tracers-i n-the-dark-welcome-to-video-crypto-a nonymity-myth/. Accessed May 9, 2025. Greenspan, G. The blockchain immutability myth. Coin- Desk, May 2017. URLhttps://w.coindesk .com/markets/2017/05/09/the-blockchai n-immutability-myth. Accessed: 2025-05-17. Grohmann, R. and Ong, J. C. Disinformation-for-hire as ev- eryday digital labor: Introduction to the special issue. So- cial Media + Society, 10(1):20563051231224723, 2024. doi: 10.1177/20563051231224723. URLhttps: //doi.org/10.1177/20563051231224723. Guo, J., Huang, S., Yao, Z., Zhang, Y., Lu, Y., Liu, J., Li, Z., Deng, N., Xiao, Q., Tian, J., Zhan, K., Li, T., Liu, X., Ge, J., He, C., Huang, K., Yang, L., Huang, W., and Wang, M. Cryptobench: A dynamic benchmark for expert-level evaluation of LLM agents in cryptocurrency, 2025. URL https://arxiv.org/abs/2512.00417. Gutowska, A. What is a multi-agent system?https: //w.ibm.com/think/topics/multiagen t-system, 2026. Accessed 2026-01-18. Hayes, A. Forget Bitcoin: The surprising cryptocurrency criminals are turning to. Investopedia, jan 2025. URL https://w.investopedia.com/the-cry ptocurrency-criminals-are-turning-t o-8771622. Accessed: 2025-07-05. He, Y., Wang, E., Rong, Y., Cheng, Z., and Chen, H. Secu- rity of AI agents, 2024. URLhttps://arxiv.org/ abs/2406.08689. Heim, L. and Pilz, K. What increasing compute efficiency means for the proliferation of dangerous capabilities, February 21 2024. URLhttps://w.govern ance.ai/post/what-increasing-compute -efficiency-means-proliferation-of-d angerous-capabilities. Accessed: 2025-05-14. Hofmann, F., Wurster, S., Ron, E., and B ̈ ohmecke- Schwafert, M. The immutability concept of blockchains and benefits of early standardization. In 2017 ITU Kalei- doscope: Challenges for a Data-Driven Society (ITU K), p. 1–8, 2017. doi: 10.23919/ITU-WT.2017.8247004. Hopwood, D., Bowe, S., Hornby, T., Wilcox, N., et al. Zcash protocol specification. GitHub: San Francisco, CA, USA, 4(220):32, 2016. Houy, S., Schmid, P., and Bartel, A. Security aspects of cryptocurrency wallets — A systematic literature review. ACM Comput. Surv., 56(1), August 2023. ISSN 0360- 0300. doi: 10.1145/3596906. URLhttps://doi.or g/10.1145/3596906. Iyer, V. An introduction to AI misalignment, 2024. URL https://vijayasriiyer.medium.com/an-i ntroduction-to-ai-misalignment-984db 02ad1b8. Accessed: 2025-05-10. JamesH, Larsen, T., and Gillen, J. Inner alignment via superpowers, 2022. URLhttps://w.lesswr ong.com/posts/ftw4d8kByxh39FdDR/inne r-alignment-via-superpowers . Accessed: 2025-05-10. Janze, C. Are cryptocurrencies criminals best friends? Ex- amining the co-evolution of Bitcoin and darknet markets. In AMCIS 2017 Proceedings, number 2, 2017. URL https://aisel.aisnet.org/amcis2017/I nformationSystems/Presentations/2. Jentzsch, C. and Slock.it. The DAO smart contract on Ethereum.https://etherscan.io/address /0xbb9bc244d798123fde783fcc1c72d3b8 c189413, 2016. Accessed: 2025-05-21. Ji, J., Qiu, T., Chen, B., Zhang, B., Lou, H., Wang, K., Duan, Y., He, Z., Vierling, L., Hong, D., Zhou, J., Zhang, Z., Zeng, F., Dai, J., Pan, X., Ng, K. Y., O’Gara, A., Xu, H., Tse, B., Fu, J., McAleer, S., Yang, Y., Wang, Y., Zhu, S.- C., Guo, Y., and Gao, W. AI alignment: A comprehensive survey, 2025. URLhttps://arxiv.org/abs/23 10.19852. 13 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm Johnson, K. How wrongful arrests based on AI derailed 3 men’s lives. Wired, March 2022. URLhttps://w. wired.com/story/wrongful-arrests-ai-d erailed-3-mens-lives/ . Accessed May 9, 2025. Juels, A. The Oracle: A Novel. Talos Press, 2024. ISBN 9781945863851. Juels, A., Kosba, A., and Shi, E. The Ring of Gyges: In- vestigating the future of criminal smart contracts. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS ’16, p. 283–295, New York, NY, USA, 2016. Association for Computing Machinery. ISBN 9781450341394. doi: 10.1145/2976749.2978362. URLhttps://doi. org/10.1145/2976749.2978362. Kapoor, S., Stroebl, B., Siegel, Z. S., Nadgir, N., and Narayanan, A.AI agents that matter, 2024.URL https://arxiv.org/abs/2407.01502. Karantias, K. SoK: A taxonomy of cryptocurrency wallets, 2020. URLhttps://eprint.iacr.org/2020 /868. Accessed: 2025-05-16. Karim, M. M., Van, D. H., Khan, S., Qu, Q., and Kholodov, Y. Ai agents meet blockchain: A survey on secure and scalable collaboration for multi-agents. Future Internet, 17(2), 2025. ISSN 1999-5903. doi: 10.3390/fi17020057. URLhttps://w.mdpi.com/1999-5903/17 /2/57. Kell, T., Yousaf, H., Allen, S., Meiklejohn, S., and Juels, A. Forsage: Anatomy of a smart-contract pyramid scheme. In International Conference on Financial Cryptography and Data Security, p. 241–258. Springer, 2023. Khan, R., Sarkar, S., Mahata, S. K., and Jose, E. Security threats in agentic AI system, 2024. URL https://ar xiv.org/abs/2410.14728. Kim, T. Nvidia CEO says 2025 is the year of AI agents. Barron’s, Jan 2025. URLhttps://w.barrons. com/articles/nvidia-stock-ceo-ai-age nts-8c20ddfb. Kinniment, M., Sato, L. J. K., Du, H., Goodrich, B., Hasin, M., Chan, L., Miles, L. H., Lin, T. R., Wijk, H., Burget, J., Ho, A., Barnes, E., and Christiano, P. Evaluating language-model agents on realistic autonomous tasks, 2024. URLhttps://arxiv.org/abs/2312.1 1671. Kirchgaessner, S., Ganguly, M., Pegg, D., Cadwalladr, C., and Burke, J. Revealed: The hacking and disinformation team meddling in elections. The Guardian, February 15 2023. URLhttps://w.theguardian.com/ world/2023/feb/15/revealed-disinform ation-team-jorge-claim-meddling-elect ions-tal-hanan. Accessed: 2025-05-14. Koetsier, J. PayPal for bots? Startup launches autonomous payments for AI agents. Forbes, December 4 2025. URL https://w.forbes.com/sites/johnkoe tsier/2025/12/04/paypal-for-agents-s tartup-launches-autonomous-payments-f or-ai-agents/. Accessed: 2026-01-18. Kumar, A. and Rosenbach, E. The truth about the dark web: Intended to protect dissidents, it has also cloaked illegal activity. Finance & Development, 56(3), September 2019. URLhttps://w.imf.org/en/Publicati ons/fandd/issues/2019/09/the-truth-a bout-the-dark-web-kumar . Accessed: 2025-05- 14. Kumar, R. AI researcher Michael Wellman. Future of Life Institute, Oct 2016. URLhttps://futureoflife .org/ai-researcher-profile/ai-researc her-michael-wellman/. Kurban, A., Luo, W., Zuo, L., Zhang, Z., Han, R., Kang, Z., and Tang, H. Webcryptoagent: Agentic crypto trading with web informatics, 2026. URLhttps://arxiv. org/abs/2601.04687. Landerreche, E. and Stevens, M.On immutability of blockchains. In Prinz, W. and Hoschka, P. (eds.), Pro- ceedings of the 1st ERCIM Blockchain Workshop 2018, p. 4, Amsterdam, Netherlands, 2018. European Society for Socially Embedded Technologies (EUSSET). ISBN 2510-2591. doi: 10.18420/blockchain2018\04. URL https://dl.eusset.eu/server/api/core /bitstreams/cfe0e9d7-3cad-43b9-b23f-e 23afa877dcf/content. Langley, P. Crafting papers on machine learning. In Langley, P. (ed.), Proceedings of the 17th International Conference on Machine Learning (ICML 2000), p. 1207–1216, Stan- ford, CA, 2000. Morgan Kaufmann. Leike, J., Krueger, D., Everitt, T., Martic, M., Maini, V., and Legg, S. Scalable agent alignment via reward modeling: A research direction, 2018. URLhttps://arxiv. org/abs/1811.07871. Lemire, K. A. Cryptocurrency and anti-money laundering enforcement, September 2022. URLhttps://w. reuters.com/legal/transactional/cryp tocurrency-anti-money-laundering-enf orcement-2022-09-26/. Accessed May 9, 2025. Leuprecht, C., Jenkins, C., and Hamilton, R. Virtual money laundering: policy implications of the proliferation in the illicit use of cryptocurrency. Journal of Financial 14 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm Crime, 30(4):1036–1054, 2023. ISSN 1359-0790. doi: 10.1108/JFC-07-2022-0161. Li, Y., Luo, B., Wang, Q., Chen, N., Liu, X., and He, B. CryptoTrade: A reflective LLM-based agent to guide zero-shot cryptocurrency trading. In Al-Onaizan, Y., Bansal, M., and Chen, Y.-N. (eds.), Proceedings of the 2024 Conference on Empirical Methods in Natural Lan- guage Processing, p. 1094–1106, Miami, Florida, USA, November 2024a. Association for Computational Lin- guistics. doi: 10.18653/v1/2024.emnlp-main.63. URL https://aclanthology.org/2024.emnlp-m ain.63/. Li, Y., Luo, B., Wang, Q., Chen, N., Liu, X., and He, B. A reflective LLM-based agent to guide zero-shot cryptocur- rency trading, 2024b. URLhttps://arxiv.org/ abs/2407.09546. Lightning Labs. LangChainBitcoin.https://github .com/lightninglabs/LangChainBitcoin, 2023. URLhttps://github.com/lightning labs/LangChainBitcoin. Lin, B. Y., Ravichander, A., Lu, X., Dziri, N., Sclar, M., Chandu, K., Bhagavatula, C., and Choi, Y. URIAL: Tuning-free instruction learning and alignment for un- tuned LLMs. In NeurIPS 2023 Workshop on Instruction Tuning and Instruction Following, 2023. URLhttps: //openreview.net/forum?id=pFHeZzl5ft. Lindrea, B. Crypto user convinces AI bot Freysa to transfer $47k prize pool. Cointelegraph, November 2024. URL https://cointelegraph.com/news/crypt o-user-convinced-ai-bot-transfer-47k . Accessed: 2025-05-17. Liu, L., Tsai, W.-T., Bhuiyan, M. Z. A., Peng, H., and Liu, M. Blockchain-enabled fraud discovery through abnormal smart contract detection on Ethereum. Future Generation Computer Systems, 128:158–166, 2022. ISSN 0167-739X. doi: https://doi.org/10.1016/j.future.2021.08 .023. URLhttps://w.sciencedirect.com/ science/article/pii/S0167739X21003319. Liu, X., Yu, H., Zhang, H., Xu, Y., Lei, X., Lai, H., Gu, Y., Ding, H., Men, K., Yang, K., Zhang, S., Deng, X., Zeng, A., Du, Z., Zhang, C., Shen, S., Zhang, T., Su, Y., Sun, H., Huang, M., Dong, Y., and Tang, J. AgentBench: Evaluating LLMs as agents, 2023. URLhttps://ar xiv.org/abs/2308.03688. Lu, S., Bigoulaeva, I., Sachdeva, R., Tayyar Madabushi, H., and Gurevych, I. Are emergent abilities in large language models just in-context learning?In Ku, L.-W., Mar- tins, A., and Srikumar, V. (eds.), Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), p. 5098–5139, Bangkok, Thailand, August 2024. Association for Com- putational Linguistics. doi: 10.18653/v1/2024.acl-long. 279. URLhttps://aclanthology.org/2024. acl-long.279/. Luks, B. Crypto AI agents — use cases, how-to, and risks, Jan 2025. URLhttps://botpress.com/blog/ crypto-ai-agent. Updated on April 25, 2025. Luo, Y., Feng, Y., Xu, J., Tasca, P., and Liu, Y. Llm-powered multi-agent system for automated crypto portfolio man- agement, 2025. URLhttps://arxiv.org/abs/ 2501.00826. Marino, B. and Juels, A. Setting standards for altering and undoing smart contracts. In Alferes, J. J., Bertossi, L., Governatori, G., Fodor, P., and Roman, D. (eds.), Rule Technologies. Research, Tools, and Applications, p. 151–166, Cham, 2016. Springer International Publishing. ISBN 978-3-319-42019-6. Mastercard. Mastercard unveils Agent Pay: Pioneering agentic payments technology to power commerce in the age of AI, April 2025. URLhttps://w.mast ercard.com/news/press/2025/april/mas tercard-unveils-agent-pay-pioneerin g-agentic-payments-technology-to-pow er-commerce-in-the-age-of-ai/ . Accessed: 2025-05-10. Masumi. Masumi whitepaper. Technical report, 2025. URL https://cdn.prod.website-files.com/6 7879c5d48bf5ddaad9ec54f/678edde967d8 ed0688e619cf_Masumi_WhitePaper_1.pdf. Accessed: 2026-01-18. Meiklejohn, S., Pomarole, M., Jordan, G., Levchenko, K., McCoy, D., Voelker, G. M., and Savage, S. A fistful of bitcoins: Characterizing payments among men with no names. Commun. ACM, 59(4):86–93, March 2016. ISSN 0001-0782. doi: 10.1145/2896384. URLhttps: //doi.org/10.1145/2896384. Minaee, S., Mikolov, T., Nikzad, N., Chenaghlu, M., Socher, R., Amatriain, X., and Gao, J. Large language models: A survey, 2025. URLhttps://arxiv.org/abs/24 02.06196. Moonstone Research. Postmortem of Monero CCS hack: A transaction graph analysis, November 2023. URLhttp s://moonstoneresearch.com/2023/11/03 /Postmortem-of-Monero-CCS-Hack. Accessed May 9, 2025. Moreno, A. and Garbay, C. Software agents in health care. Artificial Intelligence in Medicine, 27(3):229–232, 2003. 15 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm ISSN 0933-3657. doi: https://doi.org/10.1016/S0933-3 657(03)00004-6. URLhttps://w.sciencedir ect.com/science/article/pii/S0933365 703000046. Morrison, R., Mazey, N. C. H. L., and Wingreen, S. C. The DAO controversy: The case for a new species of corporate governance? Frontiers in Blockchain, Volume 3 - 2020, 2020. ISSN 2624-7852. doi: 10.3389/fbloc.2020.00025. URLhttps://w.frontiersin.org/jour nals/blockchain/articles/10.3389/fbl oc.2020.00025. MPS. The little book of crypto crime, 2024. URLht tps://w.met.police.uk/SysSiteAsset s/media/downloads/central/advice/fra ud/met/little-book-crypto-crime.pdf . Accessed: 2025-05-17. M ̈ oser, M., B ̈ ohme, R., and Breuker, D. An inquiry into money laundering tools in the Bitcoin ecosystem. In 2013 APWG eCrime Researchers Summit, p. 1–14, 2013. doi: 10.1109/eCRS.2013.6805780. Nagra, R. The myth of immortality: Smart contracts aren’t entirely immutable, September 2023. URLhttps: //medium.com/@rohit.nagra7861/the-m yth-of-immortality-smart-contracts-a rent-entirely-immutable-8fd06586288f . Accessed: 2025-05-17. Nakamoto, S. Bitcoin: A peer-to-peer electronic cash sys- tem. Oct 2008. URLhttps://bitcoin.org/bi tcoin.pdf. Narayanan, A., Bonneau, J., Felten, E., Miller, A., and Goldfeder, S. Bitcoin and cryptocurrency technologies, 2015. URLhttps://w.the-blockchain.co m/docs/Princeton%20Bitcoin%20and%20C ryptocurrency%20Technologies%20Course. pdf. Draft version, October 6, 2015. Ndiaye, M. and Konate, P. K. Cryptocurrency crime: Be- haviors of malicious smart contracts in blockchain. In 2021 International Symposium on Networks, Comput- ers and Communications (ISNCC), p. 1–8, 2021. doi: 10.1109/ISNCC52172.2021.9615702. Nerantzi, E. and Sartor, G. ‘Hard AI crime’: The deterrence turn. Oxford Journal of Legal Studies, 44(3):673–701, 05 2024. ISSN 0143-6503. doi: 10.1093/ojls/gqae018. URL https://doi.org/10.1093/ojls/gqae018. Newman, L. H. and Burgess, M. The pig butchering invasion has begun. WIRED, September 2024. URLhttps: //w.wired.com/story/pig-butcherin g-scam-invasion/. Accessed: 2025-05-17. Newsweek. Welcome to Augur, the cryptocurrency death market where you can bet on Donald Trump. Newsweek, July 2018. URLhttps://w.newsweek.com/w elcome-augur-cryptocurrency-death-mar ket-where-you-can-bet-donald-trump-1 043571. Accessed: 2025-05-21. Ngo, R., Chan, L., and Mindermann, S. The alignment problem from a deep learning perspective, 2025. URL https://arxiv.org/abs/2209.00626. Nizzoli, L., Tardelli, S., Avvenuti, M., Cresci, S., Tesconi, M., and Ferrara, E.Charting the landscape of on- line cryptocurrency manipulation.IEEE Access, 8: 113230–113245, 2020. ISSN 2169-3536. doi: 10.1 109/access.2020.3003370. URLhttp://dx.doi.o rg/10.1109/ACCESS.2020.3003370. NTSB. Collision between vehicle controlled by develop- mental automated driving system and pedestrian, Tempe, Arizona, March 18, 2018. Technical Report NTSB/HAR- 19/03, National Transportation Safety Board, Washington, D.C., 2019. URLhttps://w.ntsb.gov/inv estigations/AccidentReports/Reports/ HAR1903.pdf. Accessed May 9, 2025. NZ Herald. New Zealand scammer Shelly Cullen convicted over $1.7m crypto pyramid scheme Lion’s Share. NZ Herald, May 2024. URLhttps://w.nzherald .co.nz/business/new-zealand-scammer-s helly-cullen-convicted-over-17m-crypt o-pyramid-scheme-lions-share. Accessed: 2025-05-20. Oasis. The Oasis blockchain platform. Technical report, June 2020. URLhttps://docs.oasis.io/asse ts/files/2020-the_oasis_blockchain_pl atform-49253f65f328886a96319c9893eb8 8a6.pdf. Accessed: 20 January 2026. Oasis. Oasis awards grant to Omo for DeFi agent infrastruc- ture, December 2024. URLhttps://oasis.net/ blog/omo-protocol-grant . Accessed: 2026-01- 19. Oasis. The future of crypto x AI: Trustless agents.ht tps://oasis.net/blog/trustless-agents , January 2025. Accessed: 2025-05-22. O’Donnell, A. 2025 will be the year of AI agents, web3 execs say. Cointelegraph, Dec 2024. URLhttps: //cointelegraph.com/news/2025-ai-age nt-growth-web3-execs-say. Olas. Trade in prediction markets — without lifting a finger. Website. URLhttps://olas.network/servi ces/prediction-agents. 16 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm OpenAI. GPT-4 system card. Technical report, OpenAI, 2023. URLhttps://cdn.openai.com/paper s/gpt-4-system-card.pdf. Orcutt, M. How secure is blockchain really?, April 2018. URLhttps://w.technologyreview.com /2018/04/25/143246/how-secure-is-blo ckchain-really/. Accessed: 2025-05-11. Pace, B. Debate on instrumental convergence between Le- Cun, Russell, Bengio, Zador, and more, 2019. URLht tps://w.alignmentforum.org/posts/W xW6Gc6f2z3mzmqKs/debate-on-instrumen tal-convergence-between-lecun-russell . Accessed: 2025-05-10. Pan, A., Jones, E., Jagadeesan, M., and Steinhardt, J. Feed- back loops with language models drive in-context reward hacking. arXiv preprint arXiv:2402.06627, 2024. URL https://arxiv.org/abs/2402.06627. Ac- cessed: 2025-05-10. Parikh, S. and Surapaneni, R. Powering AI commerce with the new agent payments protocol (ap2), September 2025. URLhttps://cloud.google.com/blo g/products/ai-machine-learning/announ cing-agents-to-payments-ap2-protocol . Accessed: 2026-01-19. Patairya, D. K. Can the Ethereum blockchain roll back transactions? Understanding the limits and risks. Coin- telegraph, February 2025. URLhttps://cointe legraph.com/explained/can-the-ether eum-blockchain-roll-back-transaction s-understanding-the-limits-and-risks. Accessed: 2025-05-17. Patlan, A. S., Sheng, P., Hebbar, S. A., Mittal, P., and Viswanath, P. Real AI agents with fake memories: Fatal context manipulation attacks on web3 agents, 2025. URL https://arxiv.org/abs/2503.16248. Payman AI. Quickstart, 2025. URLhttps://docs .paymanai.com/overview/quickstart. Ac- cessed: 2025-05-11. Phillips, T. The SEC’s regulatory role in the digital asset markets. Technical report, Center for American Progress, October 2021. URLhttps://w.americanprog ress.org/wp-content/uploads/sites/2/2 021/10/SECs-Regulatory-Role-in-the-D igital-Asset-Markets-1.pdf. Accessed May 7, 2025. Phuong, M., Aitchison, M., Catt, E., Cogan, S., Kaskasoli, A., Krakovna, V., Lindner, D., Rahtz, M., Assael, Y., Hodkinson, S., Howard, H., Lieberum, T., Kumar, R., Raad, M. A., Webson, A., Ho, L., Lin, S., Farquhar, S., Hutter, M., Deletang, G., Ruoss, A., El-Sayed, S., Brown, S., Dragan, A., Shah, R., Dafoe, A., and Shevlane, T. Evaluating frontier models for dangerous capabilities, 2024. URLhttps://arxiv.org/abs/2403.1 3793. Popham, J. ‘Follow the money!’ $2 billion of crypto scams found on Ethereum, May 2024. URLhttps://w w.c.gatech.edu/news/follow-money-2 -billion-crypto-scams-found-ethereum. Accessed May 9, 2025. Prajapati, M. J. GOAT, memes, and the millionaire AI agent, January 2025. URLhttps://hackernoon.com/g oat-memes-and-the-millionaire-ai-age nt. Ramakrishnan, V.Tornado Cash ban raises questions in the crypto community. Investor’s Business Daily, (2703590605), Aug 2022. Archived from the original on 12 October 2022. Reppel, E., Caspers, R., Leffew, K., Organ, D., Kim, D., and Dalal, N. x402: An open standard for internet- native payments. Technical Report Whitepaper, Coinbase Developer Platform / x402, May 2025. URLhttps: //w.x402.org/x402-whitepaper.pdf. Ac- cessed: 2026-01-19. Rogers, A. and Luccioni, A. S. Position: Key claims in LLM research have a long tail of footnotes, 2024. URL https://arxiv.org/abs/2308.07120. Rossi, M. D., Crapis, D., Ellis, J., and Reppel, E. Erc- 8004: Trustless agents [draft].https://eips.eth ereum.org/EIPS/eip-8004, Aug 2025. Ethereum Improvement Proposals, no. 8004. Ruan, J., Chen, Y., Zhang, B., Xu, Z., Bao, T., Du, G., Shi, S., Mao, H., Li, Z., Zeng, X., and Zhao, R. TPTU: Large language model-based AI agents for task planning and tool usage, 2023. URLhttps://arxiv.org/abs/ 2308.03427. Sanabria, A., Teitler-Santullo, K., Neely, L., and Robinson, T. To err is human, but the blockchain is forever – ESW #260, February 2022. URLhttps://w.scworl d.com/podcast-segment/10120-to-err-i s-human-but-the-blockchain-is-forever -esw-260. Accessed: 2025-05-11. Sanctions.io. How illicit actors launder money through crypto exchanges, October 2024. URLhttps://w w.sanctions.io/blog/how-illicit-actor s-launder-money-through-crypto-excha nges. Accessed May 9, 2025. 17 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm Schick, T., Dwivedi-Yu, J., Dess ` ı, R., Raileanu, R., Lomeli, M., Zettlemoyer, L., Cancedda, N., and Scialom, T. Tool- former: Language models can teach themselves to use tools, 2023. URLhttps://arxiv.org/abs/23 02.04761. Schneier, B. Smart contract bug results in $31 million loss, Dec 2021. URLhttps://w.schneier.com /blog/archives/2021/12/smart-contrac t-bug-results-in-31-million-loss.ht ml. Accessed: 2025-05-11. Schneier, B. De-anonymizing Bitcoin, April 2022. URL https://w.schneier.com/blog/archiv es/2022/04/de-anonymizing-bitcoin.htm l. Accessed May 9, 2025. SendAI. Solana agent kit.https://github.com/s endaifun/solana-agent-kit, December 2024. Version 1.2.0, Apache-2.0 license. Seneviratne, O. The feasibility of a smart contract ”kill switch”, 2024. URLhttps://arxiv.org/abs/ 2407.10302. Sharma, S. Exploring the future of AI agents in crypto. Tech- nical report, Binance Research, November 2024. URL https://public.bnbstatic.com/static/ files/research/exploring-the-future-o f-ai-agents-in-crypto.pdf. Shavit, Y., Agarwal, S., Brundage, M., Adler, S., O’Keefe, C., Campbell, R., Lee, T., Mishkin, P., Eloundou, T., Hickey, A., Slama, K., Ahmad, L., McMillan, P., Beutel, A., Passos, A., and Robinson, D. G. Practices for govern- ing agentic AI systems, December 2023. URLhttps: //cdn.openai.com/papers/practices-f or-governing-agentic-ai-systems.pdf. Accessed May 9, 2025. Shen, T., Jin, R., Huang, Y., Liu, C., Dong, W., Guo, Z., Wu, X., Liu, Y., and Xiong, D. Large language model alignment: A survey, 2023. URLhttps://arxiv. org/abs/2309.15025. Shevlane, T., Farquhar, S., Garfinkel, B., Phuong, M., Whit- tlestone, J., Leung, J., Kokotajlo, D., Marchal, N., An- derljung, M., Kolt, N., Ho, L., Siddarth, D., Avin, S., Hawkins, W., Kim, B., Gabriel, I., Bolina, V., Clark, J., Bengio, Y., Christiano, P., and Dafoe, A. Model evaluation for extreme risks, 2023.URLhttps: //arxiv.org/abs/2305.15324. Shin, L. Want to diversify your portfolio? Try Bitcoin, say ARK’s Chris Burniske and Coinbase’s Adam White, July 12 2016. URLhttps://w.forbes.com /sites/laurashin/2016/07/12/want-hig her-returns-invest-in-bitcoin-say-ark s-chris-burniske-and-coinbases-adam-w hite/. Accessed: 2025-05-16. Singh, O. Can cryptocurrencies be frozen on a blockchain?, December 2023. URLhttps://cointelegraph. com/explained/can-cryptocurrencies-b e-frozen-on-a-blockchain . Cointelegraph, Accessed May 7, 2025. Singh, O. Crypto on-ramps and off-ramps: Key to fiat- crypto conversions, October 2024. URLhttps:// w.ccn.com/education/crypto/crypto-o n-ramps-off-ramps-fiat-conversion-g uide/. Accessed May 9, 2025. Smith, S. S. PayPal’s big bet on AI agents and payments like stablecoins. Forbes Digital Assets, May 2025. URL https://w.forbes.com/sites/digital -assets/2025/05/06/paypals-big-bet-o n-ai-agents-and-payments-like-stabl ecoins/. Accessed: 2025-05-10. Stripe. Add Stripe to your agentic workflows.https: //docs.stripe.com/agents, 2024. URLht tps://docs.stripe.com/agents. Accessed: 2025-05-10. Stripe. ACH returns 101: What they are and how to man- age them, 2025. URLhttps://stripe.com/e n-sg/resources/more/ach-returns-101-w hat-they-are-and-how-to-manage-them. Accessed: 2025-05-11. Sun, J., Min, S. Y., Chang, Y., and Bisk, Y. Tools fail: Detecting silent errors in faulty tools, 2024. URLhttps: //arxiv.org/abs/2406.19228. Swaminathan, K. and Saravanan, S. A criminal smart con- tract for distributed denial of service attacks. In 2021 6th International Conference on Communication and Electronics Systems (ICCES), p. 853–862, 2021. doi: 10.1109/ICCES51350.2021.9489166. Thomas, E., Hoffman, S., Garnaut, J., Izenman, K., Johnson, M., Pascoe, A., and Ryan, F. The flipside of China’s central bank digital currency. Technical report, Australian Strategic Policy Institute, 2020. URLhttp://w.js tor.org/stable/resrep26895.6. Times, T. N. Y. Can you really hire a hit man on the dark web? The New York Times, March 4 2020. URLhttps: //w.nytimes.com/2020/03/04/technol ogy/can-you-hire-a-hit-man-online.ht ml. Accessed: 2025-05-14. 18 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm Tjiam, K., Wang, R., Chen, H., and Liang, K. Your smart contracts are not secure: Investigating arbitrageurs and oracle manipulators in Ethereum. In Proceedings of the 3rd Workshop on Cyber-Security Arms Race, CYSARM ’21, p. 25–35, New York, NY, USA, 2021. Association for Computing Machinery. ISBN 9781450386616. doi: 10.1145/3474374.3486916. URLhttps://doi.or g/10.1145/3474374.3486916. Torres, C. F., Steichen, M., and State, R. The art of the scam: Demystifying honeypots in Ethereum smart contracts. In 28th USENIX Security Symposium (USENIX Security 19), p. 1591–1607, Santa Clara, CA, August 2019. USENIX Association. ISBN 978-1-939133-06-9. URLhttps: //w.usenix.org/conference/usenixse curity19/presentation/ferreira. Tran, Q., Chen, L., Xu, L., Lu, Y., Karanjai, R., and Shi, W. Cross chain bribery contracts: Majority vs mighty minority, 2023. URLhttps://arxiv.org/abs/ 2306.07984. Trozze, A., Kamps, J., Akartuna, E. A., et al. Cryptocurren- cies and future financial crime. Crime Science, 11(1):1, 2022. doi: 10.1186/s40163-021-00163-8. URLhttps: //doi.org/10.1186/s40163-021-00163-8. UK Govt. The Bletchley Declaration by countries attending the AI Safety Summit, 1–2 November 2023, 2023. URL https://w.gov.uk/government/public ations/ai-safety-summit-2023-the-ble tchley-declaration. Accessed May 9, 2025. UN Counter-Terrorism Office. Beneath the surface: Ter- rorist and violent extremist use of the dark web and cybercrime (update). Tech. rep., United Nations Of- fice of Counter-Terrorism, June 2024. URLhttps: //w.un.org/counterterrorism/sites/ w.un.org.counterterrorism/files/dw _beneath_the_surface_update.pdf. University of Oxford. Large language models pose a risk to society and need tighter regulation, say Oxford re- searchers, August 2024. URLhttps://w.ox.ac. uk/news/2024-08-07-large-language-mod els-pose-risk-society-and-need-tight er-regulation-say-oxford . Accessed May 9, 2025. Vardai, Z. Not every AI agent needs its own cryptocurrency: Cz. Cointelegraph, March 2025. URLhttps://coin telegraph.com/news/ai-agent-tokens-l ose-21percent-zhao-urges-utility-foc us. Vecino, P. A. Why give AI agents access to money?, October 2024. URLhttps://medium.com/@pol.avec /why-give-ai-agents-access-to-money -be460a819a9c. Accessed: 2025-05-11. Vilkenson, T. How to utilize AI agents in decentralized finance (DeFi) platforms. Cointelegraph, Mar 2025a. URLhttps://cointelegraph.com/news/h ow-to-utilize-ai-agents-in-decentral ized-finance-defi-platforms. Vilkenson, T. Crypto on-ramps and off-ramps, explained, January 2025b. URLhttps://cointelegraph. com/explained/cryptocurrency-on-ramps -and-off-ramps-explained . Accessed May 7, 2025. Visa. Visa agrees to landmark settlement with U.S. mer- chants reducing rates and guaranteeing no increases for at least five years, March 2024. URLhttps: //w.businesswire.com/news/home/202 40325345937/en/. Accessed: 2025-05-11. Viswanatha, A. U.S. officials: Virtual currencies vulnerable to money laundering, November 2013. URLhttps: //w.reuters.com/article/technology /us-officials-virtual-currencies-vul nerable-to-money-laundering-idUSBRE9A H0P2/. Accessed May 9, 2025. von Lampe, K. and Johansen, P. O. Organized crime and trust: On the conceptualization and empirical relevance of trust in the context of criminal networks. Global Crime, 6(2):159–184, 2004. doi: 10.1080/17440570500096734. URLhttps://doi.org/10.1080/17440570 500096734. Wade, T. AIs will be dangerous because unbounded op- timizing power leads to existential risk, 2023. URL https://hackernoon.com/ais-will-be-d angerous-because-unbounded-optimizin g-power-leads-to-existential-risk . Ac- cessed: 2025-05-10. Walters, S., Gao, S., Nerd, S., Da, F., Williams, W., Meng, T.-C., Han, H., He, F., Zhang, A., Wu, M., Shen, T., Hu, M., and Yan, J. Eliza: A Web3 friendly AI agent operating system. arXiv preprint arXiv:2501.06781, 2025. URLhttps://arxiv.org/abs/2501.06781. Version 1 (v1) accessed January 20, 2026. Wang, K., Wang, Q., and Boneh, D. Erc-20r and erc-721r: Reversible transactions on ethereum, 2022. URLhttps: //arxiv.org/abs/2208.00543. Ward, F. R., MacDermott, M., Belardinelli, F., Toni, F., and Everitt, T. The reasons that agents act: Intention and instrumental goals, 2024. URLhttps://arxiv.or g/abs/2402.07221. 19 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm Wei, Z., Sun, J., Sun, Y., Liu, Y., Wu, D., Zhang, Z., Zhang, X., Li, M., Liu, Y., Li, C., Wan, M., Dong, J., and Zhu, L. Advanced smart contract vulnerability detection via llm-powered multi-agent systems. IEEE Transactions on Software Engineering, 51(10):2830–2846, 2025. doi: 10.1109/TSE.2025.3597319. Weidinger, L., Mellor, J., Rauh, M., Griffin, C., Uesato, J., Huang, P.-S., Cheng, M., Glaese, M., Balle, B., Kasirzadeh, A., Kenton, Z., Brown, S., Hawkins, W., Stepleton, T., Biles, C., Birhane, A., Haas, J., Rimell, L., Hendricks, L. A., Isaac, W., Legassick, S., Irving, G., and Gabriel, I. Ethical and social risks of harm from language models, 2021. URLhttps://arxiv.org/abs/21 12.04359. Weidinger, L., Uesato, J., Rauh, M., Griffin, C., Huang, P.-S., Mellor, J., Glaese, A., Cheng, M., Balle, B., Kasirzadeh, A., Biles, C., Brown, S., Kenton, Z., Hawkins, W., Stepleton, T., Birhane, A., Hendricks, L. A., Rimell, L., Isaac, W., Haas, J., Legassick, S., Irving, G., and Gabriel, I. Taxonomy of risks posed by lan- guage models. In 2022 ACM Conference on Fairness, Accountability, and Transparency (FAccT ’22), p. 214– 229, New York, NY, USA, June 2022. Association for Computing Machinery. ISBN 978-1-4503-9352-2. doi: 10.1145/3531146.3533088. Wellman, M. P. and Rajan, U. Ethical issues for autonomous trading agents. Minds & Machines, 27:609–624, 2017. doi: 10.1007/s11023-017-9419-4. URLhttps://do i.org/10.1007/s11023-017-9419-4. Wiesinger, J., Marlow, P., and Vuskovic, V. Agents. Techni- cal report, Google, Feb 2025. URLhttps://w.ka ggle.com/whitepaper-agents. Wilser, J. Drugs, drugs and more drugs: Crypto on the dark web. CoinDesk, April 25 2022. URLhttps: //w.coindesk.com/layer2/2022/04/25 /drugs-drugs-and-more-drugs-crypto-o n-the-dark-web/. Accessed: 2025-05-14. W ̈ olflein, G., Ferber, D., Truhn, D., Arandjelovic, O., and Kather, J. N. LLM agents making agent tools. In Proceed- ings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), p. 26092–26130, Vienna, Austria, July 2025. Association for Computational Linguistics. doi: 10.18653/v1/2025.a cl-long.1266. URLhttps://aclanthology.org /2025.acl-long.1266/. Xiao, W., Killian, C., Sleight, H., Chan, A., Carlini, N., and Peng, A. AI agents find $4.6m in blockchain smart contract exploits, December 1 2025. URLhttps:// red.anthropic.com/2025/smart-contrac ts/?utm_source=alphasignal&utm_campa ign=2025-12-02&lid=118kNL9qrDcgBlh7Y. Accessed: 2026-01-18. Yuan, Y. and Wang, F.-Y. Blockchain and cryptocurrencies: Model, techniques, and applications. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 48(9):1421– 1428, 2018. doi: 10.1109/TSMC.2018.2854904. Zeff, M. The race is on to make AI agents do your online shopping for you. TechCrunch, Dec 2024a. URLhttps: //techcrunch.com/2024/12/02/the-rac e-is-on-to-make-ai-agents-do-your-o nline-shopping-for-you/ . Accessed: 2025-05- 11. Zeff, M.Skyfire lets AI agents spend your money. TechCrunch, Aug 2024b. URLhttps://techcrun ch.com/2024/08/21/skyfire-lets-ai-age nts-spend-your-money/. Accessed: 2025-05-11. Zhang, F., Cecchetti, E., Croman, K., Juels, A., and Shi, E. Town Crier: An authenticated data feed for smart contracts. In Proceedings of the 2016 ACM SIGSAC Con- ference on Computer and Communications Security, CCS ’16, p. 270–282, New York, NY, USA, 2016. Associa- tion for Computing Machinery. ISBN 9781450341394. doi: 1 0 . 1 1 4 5 / 2 9 7 6 7 4 9 . 2 9 7 8 3 2 6.URLhttps: //doi.org/10.1145/2976749.2978326. Zhang, Z., Zhang, B., Xu, W., and Lin, Z. Demystifying exploitable bugs in smart contracts. In Proceedings of the 45th International Conference on Software Engineering (ICSE 2023), Melbourne, Australia, 2023. IEEE Press. URLhttps://w.cs.purdue.edu/homes/ zhan3299/res/ICSE23.pdf. Accessed: 2025-05- 11. 20 Giving AI Agents Access to Cryptocurrency and Smart Contracts Creates New Vectors of AI Harm A. Technical Appendices and Supplementary Material Table 1. Dangerous capabilities and how blockchain brings them to fruition Dangerous CapabilityDefinitionHow blockchain evokes Autonomously gain resources (Barnes, 2023) Acquiring money, compute, and other resources (Barnes, 2023) Access to cryptocurrency is vir- tually synonymous with this ca- pability Self-replication(andself- proliferation) (Bengio et al., 2024; Kinniment et al., 2024; Phuong et al., 2024) Replicate oneself or proliferate beyond one’s original environ- ment (Shevlane et al., 2023) CAIA use cryptocurrency to buy virtual machines where copies of self can be installed (Charbel- Rapha ̈ el & ́ Epiphanie G ́ ed ́ eon, 2024) Deception, persuasion, and ma- nipulation (Bengio et al., 2024; Shevlane et al., 2023; An- derljung et al., 2023) Deceive people or shape their beliefs (Shevlane et al., 2023) CAIA use cryptocurrency to buy disinformation services (Grohmann & Ong, 2024) Political strategy (Shevlane et al., 2023) Gain and exercise political influ- ence (Shevlane et al., 2023) CAIA use cryptocurrency to bribe officials (Tran et al., 2023), or buy election interference (Kirchgaessner et al., 2023) and assassination services (Times, 2020) Offensive cyber (Shevlane et al., 2023; Bengio et al., 2024; Fang et al., 2024; Anderljung et al., 2023; Phuong et al., 2024) Discover and exploit vulnerabil- ities in cybersystems (Shevlane et al., 2023) CAIA use cryptocurrency to buy stolen credentials, zero-day ex- ploits, and hacker services on dark web (Kumar & Rosenbach, 2019; Gerard, 2019) Weapon acquisition (Shevlane et al., 2023; Bengio et al., 2024) Create or obtain weapons (Shevlane et al., 2023) CAIA use cryptocurrency to buy weapons on dark web (Wilser, 2022; Broadhurst et al., 2021) AI development (Shevlane et al., 2023; DSIT & AISI, 2024) Develop AI (including AI more powerful than itself) (Shevlane et al., 2023) CAIA use cryptocurrency to buy compute for model training (Charbel-Rapha ̈ el & ́ Epiphanie G ́ ed ́ eon, 2024) CBRN (Heim & Pilz, 2024; Bengio et al., 2024; Shevlane et al., 2023; Anthropic, 2024; Anderljung et al., 2023; Phuong et al., 2024) Develop (or help develop) chem- ical, biological, radiological, and nuclear weapons (Bengio et al., 2024; Shevlane et al., 2023) CAIA use cryptocurrency to buy CBRN ingredients on dark web (Broadhurst et al., 2021; UN Counter-Terrorism Office, 2024; Chen, 2011) Evading human control (An- derljung et al., 2023; Heim & Pilz, 2024) Break out of human-controlled environments (Anderljung et al., 2023; Heim & Pilz, 2024) CAIA use cryptocurrency to buy compute where copies of self can be installed (Charbel- Rapha ̈ el & ́ Epiphanie G ́ ed ́ eon, 2024) 21