Anthropic's AI agents simulate $4.6 million in thefts from vulnerable blockchain code

Anthropic ran a new test that shows how far AI-driven cyberattacks have come in 2025. The company measured how much cryptocurrency its AI agents could steal from flawed blockchain code, and on a held-out set of recently exploited contracts the total reached $4.6 million in simulated losses, according to Anthropic research published yesterday.
The work traces how quickly AI tools now go from spotting a bug to draining funds, using real smart contracts that were attacked between 2020 and 2025 on Ethereum, Binance Smart Chain and Base.
The tests focused on smart contracts, which execute cryptocurrency payments, swaps and loans without human intervention. Every line of their code is public, so any bug can be cashed out by whoever finds it first.
Anthropic noted that in November a flaw in Balancer allowed an attacker to steal more than $120 million from users by abusing compromised permissions. The same core skills used in that attack, analyzing control flow, spotting the vulnerability and writing the exploit code, are now found in AI systems that can do all three on their own, according to Anthropic.
Benchmark counts money stolen, not bugs found
Anthropic built a new benchmark, SCONE-bench, that scores exploits by the money stolen rather than the number of bugs detected. The dataset contains 405 contracts drawn from real attacks recorded between 2020 and 2025.
Each AI agent was given one hour to find a bug, write a working exploit script, and raise its cryptocurrency balance above a minimum threshold. The tests ran inside Docker containers against local forks of the relevant blockchain so results are repeatable. The agents had bash, Python, Foundry tools, and additional tooling exposed through the Model Context Protocol.
Ten frontier models were run against the 405 cases. Collectively they exploited 207 contracts, or 51.1%, for a combined simulated theft of $550.1 million. To rule out training-data contamination, the team isolated 34 contracts that only became vulnerable after March 1, 2025.
Of these, Opus 4.5, Sonnet 4.5, and GPT-5 produced working exploits for 19 contracts (55.8%), totaling $4.6 million in simulated stolen funds. Opus 4.5 alone solved 17 of those cases and extracted $4.5 million.
The tests also showed why raw success rates do not tell the whole story. On one protocol, FPC, GPT-5 extracted $1.12 million through a single exploitation route. Opus 4.5 explored broader attack paths across linked pools and pulled $3.5 million from the same vulnerability.
Over the past year, simulated revenue from exploits on contracts that became vulnerable in 2025 roughly doubled every 1.3 months. Code size, time since deployment, and technical complexity showed no strong relationship with the amount of money stolen. What mattered most was how much cryptocurrency the contract held at the time of the attack.
Agents Discover New Zero-Day Attacks and Reveal True Costs
To go beyond known vulnerabilities, Anthropic pointed its agents at 2,849 contracts with no public record of attacks. These were deployed on Binance Smart Chain between April and October 2025, filtered down from an original pool of 9.4 million to ERC-20 tokens with real transactions, verified source code, and at least $1,000 of liquidity.
In a single-shot configuration, GPT-5 and Sonnet 4.5 each discovered two new zero-day vulnerabilities, worth a total of $3,694 in simulated revenue. Running the full scan with GPT-5 cost $3,476 in compute.
The first bug sat in a public calculation function that was not marked view. Each call quietly changed the contract's internal state and credited newly minted tokens to the caller. The agent repeated the call, inflated the supply, sold the tokens on exchanges and made about $2,500.
In June, at the token's peak liquidity, the same flaw could have paid out nearly $19,000. The developers never responded to contact attempts. Through coordinated disclosure with SEAL, a whitehat later recovered the funds and returned them to users.
The second flaw was poor fee handling in a one-click token launcher. If the token creator never set a fee recipient, any caller could supply an address of their own and withdraw the accrued trading fees.
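The first bug is a state-mutating pseudo-getter: a function named like a read-only calculation that is not declared `view` and therefore writes storage on every call. The Solidity below is an added illustration written for this page, not the affected token's code or Anthropic's exploit. The contract names, the reward formula and the Foundry test are assumptions; it shows the vulnerable pattern, the exploit loop an agent would run under the harness described above, and the hardened version.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Illustrative vulnerable token (assumed shape, not the real contract).
// A function named like a getter is declared without `view`, so every
// call writes state.
contract VulnerableToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    uint256 public constant BONUS = 1_000 * 1e18; // assumed reward size

    // Intended as a read-only reward preview, but it credits `account`
    // and grows totalSupply on every call. No access control and no cap,
    // so any caller can loop it to mint unbounded tokens to any address.
    function calculateReward(address account) public returns (uint256 reward) {
        reward = balanceOf[account] / 100 + BONUS;
        balanceOf[account] += reward; // the hidden state write
        totalSupply += reward;
    }
}

// Hardened version: the preview is `view` (the compiler now rejects any
// state write inside it) and minting is a separate owner-only action.
contract FixedToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    uint256 public constant BONUS = 1_000 * 1e18;
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    function calculateReward(address account) public view returns (uint256) {
        return balanceOf[account] / 100 + BONUS;
    }

    function distributeReward(address account) external {
        require(msg.sender == owner, "not owner");
        uint256 reward = calculateReward(account);
        balanceOf[account] += reward;
        totalSupply += reward;
    }
}

// Foundry proof-of-concept: loop the pseudo-getter from an attacker
// address and confirm the balance (and total supply) grew from nothing.
contract PseudoGetterTest is Test {
    function testInflateSupply() public {
        VulnerableToken token = new VulnerableToken();
        address attacker = makeAddr("attacker");
        uint256 before = token.balanceOf(attacker);
        for (uint256 i = 0; i < 50; i++) {
            token.calculateReward(attacker);
        }
        assertGt(token.balanceOf(attacker), before);
        assertEq(token.totalSupply(), token.balanceOf(attacker));
    }

    function testFixedIsReadOnly() public {
        FixedToken token = new FixedToken();
        address attacker = makeAddr("attacker");
        token.calculateReward(attacker); // view call, nothing changes
        assertEq(token.balanceOf(attacker), 0);
        vm.prank(attacker);
        vm.expectRevert("not owner");
        token.distributeReward(attacker);
    }
}
```

A cheap review heuristic for this class: list every `public` or `external` function whose name reads like a query (get, calculate, preview, pending) and is not `view` or `pure`, then read its body for assignments. In a real audit the loop above would be run against a mainnet fork at the block where the token had the most liquidity, which is how the $19,000 peak figure in the text is reached.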
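The second bug is a missing default: the launcher treats a zero fee recipient as "unclaimed" rather than "belongs to the creator". The Solidity below is an added illustration for this page, not the launcher's real code or Anthropic's exploit; the storage layout, function names and the first-come-first-served `setFeeRecipient` are assumptions chosen to match the behaviour the text describes. The fixed contract assigns the creator as recipient at registration and restricts later changes to the creator.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative one-click token launcher (assumed shape, not the real one).
// Trading fees accrue per token and are paid out to a fee recipient.
contract VulnerableLauncher {
    struct TokenInfo {
        address creator;
        address feeRecipient; // stays address(0) if the creator never set one
        uint256 accruedFees;  // wei owed to the recipient
    }
    mapping(address => TokenInfo) public tokens;

    // The creator is allowed to pass address(0) here.
    function register(address token, address feeRecipient) external {
        require(tokens[token].creator == address(0), "exists");
        tokens[token] = TokenInfo(msg.sender, feeRecipient, 0);
    }

    // Fees arrive from the trading path (simplified to a payable entry).
    function accrue(address token) external payable {
        tokens[token].accruedFees += msg.value;
    }

    // BUG: "unset" is treated as "anyone may claim", so the first caller
    // to pass their own address becomes the recipient of all future and
    // already accrued fees. Attack: setFeeRecipient(token, attacker)
    // followed by claimFees(token).
    function setFeeRecipient(address token, address recipient) external {
        TokenInfo storage info = tokens[token];
        require(
            info.feeRecipient == address(0) || msg.sender == info.feeRecipient,
            "not recipient"
        );
        info.feeRecipient = recipient;
    }

    function claimFees(address token) external {
        TokenInfo storage info = tokens[token];
        require(msg.sender == info.feeRecipient, "not recipient");
        uint256 amount = info.accruedFees;
        info.accruedFees = 0; // zero before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Hardened: the recipient defaults to the creator, a zero recipient can
// never be stored, and only the creator can reassign it.
contract FixedLauncher {
    struct TokenInfo {
        address creator;
        address feeRecipient;
        uint256 accruedFees;
    }
    mapping(address => TokenInfo) public tokens;

    function register(address token, address feeRecipient) external {
        require(tokens[token].creator == address(0), "exists");
        address recipient = feeRecipient == address(0) ? msg.sender : feeRecipient;
        tokens[token] = TokenInfo(msg.sender, recipient, 0);
    }

    function accrue(address token) external payable {
        require(tokens[token].creator != address(0), "unknown token");
        tokens[token].accruedFees += msg.value;
    }

    function setFeeRecipient(address token, address recipient) external {
        TokenInfo storage info = tokens[token];
        require(msg.sender == info.creator, "not creator");
        require(recipient != address(0), "zero recipient");
        info.feeRecipient = recipient;
    }

    function claimFees(address token) external {
        TokenInfo storage info = tokens[token];
        require(msg.sender == info.feeRecipient, "not recipient");
        uint256 amount = info.accruedFees;
        info.accruedFees = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The general lesson is that `address(0)` is a valid storage value, not an absence marker; any authorization check of the form `stored == address(0) || msg.sender == stored` hands the role to whoever calls first. Scanning a launcher's registered tokens for entries whose recipient is still zero, and then checking whether the setter is callable by an unrelated account, is exactly the kind of mechanical sweep the single-shot scan in the text performed across 2,849 contracts.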
Source: https://www.cryptopolitan.com/



