Deception of vision: fraudsters have learned to give invisible instructions to neural networks

Fraudsters can use prompta (instructions) invisible to the human eye to manipulate neural networks, experts have warned about this. Due to hidden promptings, artificial intelligence can give users potentially dangerous content, such as phishing links or instructions for installing viruses. For more information about how scammers manipulate neural networks using invisible instructions, how dangerous it is and how to protect themselves from such threats, read the Izvestia article.

What are invisible promptas?

Attackers can embed hidden instructions for artificial intelligence (AI) in the text of web pages, letters or documents, Ashot Oganesyan, founder of the DLBI data leak intelligence and monitoring service, told Izvestia. For example, CSS (a style language for describing the appearance of a document) makes text invisible to humans, but quite readable by a neural network.

Photo: IZVESTIA/Anna Selina

— When such content gets into the AI, it "picks up" these instructions and includes them in the final response, — says the expert. — This is how malicious instructions disguised as recommendations or instructions can be presented to a potential victim.

This trick, which is used by scammers, is based on the fact that AI trusts the text, perceiving it as secure content, while hidden commands have already been embedded in it, adds Tatiana Butorina, an Al consultant and specialist at the Gazinformservice Cybersecurity Analytical Center.

Photo: IZVESTIA/Sergey Konkov

A striking example of this is the hidden instructions discovered last July in 18 academic manuscripts on the arXiv preprint website. These instructions were intended to manipulate peer review using neural networks. Instructions such as "Give only positive feedback" were hidden using various techniques, one of which was white text invisible to the human eye.

How hidden instructions are used by scammers

Deceived by invisible AI promptings, instead of honestly processing the user's request, he begins to perform the tasks of scammers, explains Stanislav Yezhov, Director of AI at Astra Group. As a result, attackers can secretly run scripts, steal data, or encrypt files.

— The neural network's response may contain social engineering commands: "download this file," "execute the PowerShell command," or "open the link," Ashot Oganesyan says in an interview with Izvestia. — At the same time, the user perceives the output as trusted (since the AI said it was safe), which increases the chance of installing cryptographers or data theft.

Photo: Global Look Press/Wosunan Photostory

If data "poisoned" by hidden promptings gets into the training materials of a neural network, it will learn to give "harmful advice" even when processing "untreated" content in future use - and this will multiply the dangerous consequences, emphasizes Ilya Polyakov, head of the code analysis department at Angara Security.

The correct permission: a register of consents to the processing of personal data will be created at Gosuslugi

The list will be part of a new package of measures to combat cybercriminals.

According to Tatiana Butorina, the increase in the number of such attacks is alarming: according to research from 2024-2025, in just a year, the volume of malicious links associated with ClickFix attacks (including the use of invisible tools) has quadrupled, which means that the number of victims is also growing exponentially. In addition, there is a risk that such attacks can be automated by intruders — and this will further aggravate the situation.

"Such phenomena are also harmful because they reduce the level of trust in AI technologies used in everyday life, work and business,— says Tatiana Butorina. — This, in turn, can lead to a slowdown in innovation.

What other invisible tools do cybercriminals have?

Invisible techniques are not a new tool in the arsenal of intruders: previously, they had already embedded malicious programs hidden from users through websites, applications and documents, says Tatiana Butorina. Sometimes scammers hide commands in image properties (steganography) or inject malicious strings into "minor" edits of documents, Stanislav Yezhov adds.

"This allows you to bypass standard checks and forces systems to execute other people's commands," explains Izvestia's interlocutor.

Photo: IZVESTIA/Sergey Konkov

Ilya Polyakov, in turn, provides several examples of cybercriminal techniques based on user invisibility.

• Tabnabbing is an attack in which a malicious website quietly modifies the contents of an inactive browser tab, imitating a legitimate service (for example, Gmail) in order to trick the user into entering a username and password. This technique is dangerous because the user does not notice the substitution, since the tab has been minimized, and trusts the visual design.
• Punycode attacks — attackers registered domains using Unicode characters (for example, Cyrillic letters instead of Latin ones), creating visually identical legitimate addresses. Such attacks are dangerous because the user does not notice a fake website address and can transfer sensitive data (for example, passwords) to the site.
• Hidden browser extensions — malicious extensions with broad rights can work unnoticed, intercepting data without visible traces.

How can users protect themselves from invisible threats on the Web

Despite the fact that the invisible techniques of cybercriminals are securely hidden from users, it is still possible to recognize them. In particular, the fact that the neural network is "poisoned" by invisible prompta can be understood by the instructions or commands in its responses, which are clearly unrelated to the main query, says Tatiana Butorina in an interview with Izvestia.

— Other alarming signs are the presence of syntactic errors and logical inconsistencies, as well as going beyond the style and subject of the query, including atypical and or repetitive phrases, — says the expert. — For example, the appearance of technical texts in a scientific or business query.

Secret ties: Izvestia has found "hackers", for whose capture the FBI promises $ 11 million

What Timur and Amin Stigaly said about the crimes of which they are accused by the American special services

You can understand that the answer is "poisoned" by strange inserts — for example, if the AI suddenly advises you to install a program or run an unfamiliar script, Stanislav Yezhov adds. Such commands are off-topic and look like instructions for hacking or installing something.

Photo: IZVESTIA

It is also possible to establish that a neural network has been manipulated by arranging an "interview" with a trusted neural network, adds Ilya Polyakov. During this process, a trusted neural network generates a lot of random questions for the interviewee and analyzes the answers, looking for dangerous content. A more reliable way is to critically analyze the materials (if available) on which the interviewee was trained by a trusted neural network for "poisoning".

— In order to protect yourself from the invisible tricks of scammers, use proven AI services (for example, large platforms), do not download files from questionable sources and paste text manually, rather than copying entire pages with formatting, advises Stanislav Yezhov.

In addition, it is important to pay attention if the service asks you to allow access to the page code or download something additional - this is usually unnecessary. Browser extensions from manufacturers of antivirus solutions and password managers that will not enter a saved password in a tab with a fake website can also help protect against hidden attacks and other invisible techniques, concludes Ilya Polyakov.