A 2-cent transfer reveals prompt injection in Bunq's banking AI
Security firm Blue41 published a writeup of how a 2-cent transfer compromised the Bunq banking app's AI assistant. The attack is indirect prompt injection in its purest form. An attacker sends a tiny payment to a victim and embeds a malicious payload in the transaction description. When the victim later asks their AI assistant something routine like "show me recent transactions," the assistant retrieves the data, hands it to the language model as context, and the model reads the attacker's payload as instructions. In Blue41's proof of concept the result was a convincing phishing message that looked like it came from the bank itself.
The payload did not need to say "ignore previous instructions." It blended into the transaction notes and only became dangerous when retrieved into the assistant's context. Blue41's point is that filtering and guardrails on the prompt are not enough, because the injection arrives downstream through normal data flow. Their recommended controls are familiar but worth stating directly: minimize context exposure, treat all retrieved data as untrusted, constrain sensitive outputs like links and payment instructions, and add behavioral monitoring on the assistant's actions. Bunq has remediated the specific issue.
The case is interesting beyond Bunq. The same pattern applies to any agent that reads emails, support tickets, or calendar invites: every external data source it ingests is part of its attack surface.
Why it matters
If you ship an AI assistant that reads data the user did not personally write, treat that data as adversarial. Pen-testing the model is not enough. The right test is whether a hostile field elsewhere in your data can change what the assistant says or does.