The €0.02 prompt injection: a bank transfer memo compromised a production AI assistant

Security firm Blue41 published a case study — 145 points and 120 comments on Hacker News — showing how they compromised the AI assistant at Bunq (Europe's second-largest digital bank, 20M+ customers) with a single €0.02 SEPA transfer. The free-form transfer description carried an injection payload; the next time the victim asked the assistant any question that fetched recent transactions, the attacker-controlled text entered the LLM context and steered the assistant into rendering a realistic reauthentication phish — inside the bank's own UI, referencing the user's real account data. As one researcher put it: "It was never about the prompt, it is about the prompt delivery."

This generalizes to anything you're building. The attack surface is any string an attacker controls that your agent later reads: email subjects, calendar invite titles, support tickets, webhook payloads, GitHub issue titles, product reviews, CRM notes. Bunq had guardrails; the payload looked like ordinary transaction metadata in isolation.

The layered defenses, with honest limits: minimize context to fields the task needs; structurally tag retrieved data as untrusted (a probability shift, not a boundary — the prepared-statement equivalent for LLMs doesn't exist yet); allowlist outputs and actions (the agent that can't emit external URLs can't exfiltrate users); human confirmation for side effects, displaying system-derived values rather than LLM summaries; and runtime behavioral monitoring to catch what prevention misses. The HN framing to remember: "We're not even at the 'ASLR' level of protection for LLMs yet." Design for the assumption that injection sometimes succeeds, and make sure it has nowhere useful to go.

Sources: Blue41 case study, Hacker News discussion, Developers Digest analysis, Simon Willison: prompt injection design patterns