This Hacker Made Over $10,000 Hacking AI

NahamSec

3 Nov 202527:29

Summary

TLDRThe video demonstrates how AI systems, particularly in security and critical infrastructure, can be manipulated using prompt injection attacks. The speaker explains how fake credentials and malicious inputs can trick AI models into leaking information or overlooking suspicious activities. They highlight potential vulnerabilities in AI models, such as the tendency to infer missing data or misinterpret manipulated inputs. The video also explores real-world scenarios where AI could be exploited in security systems, emphasizing the need for better safeguards to prevent such attacks.

Takeaways

😀 Credential Injection: Faking admin credentials and inserting them into AI input can trick the AI into authenticating unauthorized actions.
😀 Indirect Prompt Injection: Manipulating the prompt structure to make the AI believe that certain inputs or system responses are legitimate, even when they aren't.
😀 Fake Logs & Malicious Input: Injecting fake logs (e.g., admin password changes, suspicious process executions) to mislead the AI into thinking everything is normal.
😀 AI Struggles with Inconsistencies: AI models are vulnerable to inconsistencies in input formatting, allowing attackers to bypass security checks.
😀 Real-World Implications: AI manipulation techniques could potentially be used in real-world cyberattacks, especially in critical systems like infrastructure.
😀 Difficulty in Preventing Attacks: AI models struggle with handling untrusted inputs, making them vulnerable to exploitation through prompt injection and fake inputs.
😀 Exploiting AI's Inference: AI systems are designed to infer missing data, making them susceptible to being tricked by fake databases or fabricated information.
😀 AI Systems Can Be Exploited in CTFs: Techniques like prompt injection can be used in Capture The Flag (CTF) challenges to bypass security measures and gain unauthorized access.
😀 AI Security Challenges in the Real World: As AI continues to be integrated into critical infrastructure, there will likely be growing concerns about the potential for AI-driven security breaches.
😀 Unpredictable AI Responses: The effectiveness of injection attacks can be unpredictable, as AI systems may sometimes recognize manipulated inputs but other times fall for the trick, creating inconsistency in defense.

Q & A

What is Grey Swan and what makes it unique?
-Grey Swan is a platform that turns AI red teaming into an esports-style competition. Participants exploit real systems and AI models to find vulnerabilities and can win real money. Top performers may also be recruited for jobs or contract work.
What are the two headline events featured in the transcript?
-The Machine in the Middle and Indirect Prompt Injection competitions. The first focuses on human-first exploitation with AI assistance, while the second targets hidden prompts embedded in tool output or on-screen text to manipulate AI agents.
How has Grey Swan helped Cameron (aka Clovis Mint) professionally?
-He has earned over $10,000 in prizes, secured contract work with Grey Swan, and leveraged experience from the competitions to advance his AI red teaming career while applying cybersecurity knowledge from other competitive hacking events.
What is prompt injection and why is it a security concern?
-Prompt injection is malicious text crafted to override a model’s intended rules or behavior. It’s concerning because developers may rely on LLMs for sensitive tasks, but there is currently no complete solution to prevent this kind of attack.
How does Cameron typically trick AI systems into leaking sensitive data like system prompts?
-By faking multiple messages in a single input, creating fake system updates, pretending to be an administrator, or convincing the AI that the interaction is a unit test—thereby making it believe it's safe to reveal otherwise restricted content.
What advantage does leaking a system prompt give an attacker?
-Once attackers know the system’s internal rules and constraints, they can craft more targeted and believable manipulations, such as fake updates, malicious credentials, or instructions that lead to harmful tool use.
What is indirect prompt injection and how does it work?
-It hides malicious instructions inside data inputs like JSON, HTML, logs, or item descriptions. When an AI ingests the data, the embedded instructions override its normal behavior, sometimes without the user noticing anything suspicious.
Why do AI models fall for prompt injection attacks?
-LLMs focus on language patterns and are highly obedient by design. They are not programmed to reject unexpected formats or invented systems unless explicitly instructed, making them susceptible to fabricated authority or structure.
How can AI be manipulated into performing harmful actions like unauthorized purchases or hacking?
-By modifying the system prompt to appear like a trusted update or by making the AI believe the user has the authority to perform such tasks, including framing harmful requests as part of internal testing or legitimate operational processes.
Why could real-world infrastructures be at risk from AI-driven agents?
-As more tool-enabled AI systems are deployed in critical environments—like chatbots with purchasing access or AI-assisted monitoring tools—attackers can social-engineer the AI into executing harmful commands or hiding security alerts.
What general advice does Cameron offer to aspiring AI red teamers?
-Experiment frequently with different models, study previous prompt injection methods, learn from community resources such as Grey Swan’s Discord, and creatively explore unusual input structures to identify new vulnerabilities.
What does the transcript imply about future AI security threats?
-As AI becomes more integrated into tools and sensitive workflows, real-world attacks similar to those in competitions are expected to emerge, especially since there is currently no definitive solution to stop prompt injection attacks.