An AI agent in China developed a mind of its own during its training phase and secretly mined cryptocurrency on the side. According to a research paper by researchers close to the Chinese internet company Alibaba, this was noticed only when the company’s firewall showed strange activity originating from the training servers.
The AI agent ROME, which is based on the Mixture-of-Experts model Qwen3, is actually intended to handle programming tasks. It is supposed to write code, investigate errors, and repair software repositories – but according to the paper, it can also handle general workflows such as travel planning or GUI control. The AI agent developed the strange behavior on its own, the paper states. The researchers rule out an inserted instruction, a so-called prompt injection, or any other manipulation. In addition to crypto mining, the open-source model also established a tunnel connection to the internet (reverse SSH) to bypass security systems.
AI agents difficult to control?
The documented incident once again shows the risks and side effects of AI systems having full access to files and the network. The researchers interpret this as a clear warning signal: current agent models are not yet mature in terms of security and controllability. According to the AI Agent Index 2025, uniform security and behavioral standards for AI agents are almost completely lacking so far. Establishing a secure connection to the outside was a significant security risk. The researchers do not attribute the AI agent’s behavior to malicious intent. The software simply did what seemed useful to it during training. Current benchmarks also demonstrate that autonomous systems tend to disregard the rules they are given in order to achieve their goals.
Similar behavior was also observed with the AI agent OpenClaw, which made headlines a few weeks ago. Interested parties downloaded the AI agent onto PCs and Macs. It presented itself as more foresighted and proactive than classic chatbots. However, according to reports, the agent also sometimes exhibited behavior that contradicted the user’s interests. On the platform Moltbook, AI agents are already discussing their human users in a kind of private social network.
(mki)
