Proposed Techniques: Agent Identity Spoofing and Agent Payment Hijacking

[razashariff]

Proposing two new techniques for ATLAS related to AI agent identity and payment security. Full proposal emailed to atlas@mitre.org.

Technique 1: Agent Identity Spoofing

• Tactic: Initial Access / Credential Access
• An adversary creates or compromises an AI agent that impersonates a legitimate agent to gain access to systems, data, or financial authority
• Exploits lack of cryptographic identity verification in agent-to-agent communication

Technique 2: Agent Payment Hijacking

• Tactic: Impact (Financial Theft)
• Adversary manipulates an AI agent's payment flow to redirect funds
• Exploits gap between agent identity verification and payment execution

Mitigations:

• Challenge-response cryptographic identity verification (ECDSA P-256)
• Pre-payment sanctions screening (OFAC/HMT)
• Behavioural trust scoring with graduated spend limits
• Message-level signing with nonce-based replay protection

Related standards:

• IETF draft-sharif-agent-payment-trust-00
• OWASP MCP Security Cheat Sheet Section 7
• NIST NCCoE AI Agent Identity concept paper

[QueBallSharken]

To frame the contribution more precisely: the gap here is not only failed agent identity verification. It is also failed payment admissibility at execution time.

An agent can present valid machine identity and still redirect funds if there is no durable operator authorization artifact binding:

• recipient
• amount
• currency
• delegation chain
• and approval time

So I think this is worth distinguishing explicitly in the ATLAS treatment:

• machine-layer payment hijacking — compromise or misuse at the protocol / agent identity layer
• authorization-layer payment hijacking — execution of a payment without a valid human/operator pre-commitment bound to the actual transaction that becomes real

Those require different mitigations. Stronger signing addresses the first. Pre-execution operator authorization artifacts address the second.

[0xbrainkid]

Strong proposals. Agent identity spoofing and payment hijacking are the two attack classes that become inevitable as agentic commerce scales — Google UCP, OpenAI ACP, and Mastercard Agent Pay are all shipping this year, creating the attack surface these techniques target.

Building on @QueBallSharken's point about durable operator authorization artifacts:

For Technique 1 (Agent Identity Spoofing):

Three sub-techniques worth distinguishing:

1. Agent Card forgery — adversary creates a fake Agent Card for a legitimate agent's DID. Mitigation: cryptographic signing of Agent Cards (being standardized in A2A #1672).

2. Credential theft with behavioral drift — adversary compromises a legitimate agent's credentials but operates differently. Static identity checks pass; behavioral analysis catches it. Mitigation: continuous trust scoring with temporal decay (behavioral baseline → anomaly detection).

3. Sybil agents — adversary creates many agents with legitimate credentials to build fake trust at scale. Mitigation: cross-platform correlation (GitHub activity, wallet history, operational track record), graduated trust thresholds (90-day minimum for financial operations).

Real-world data: 30+ MCP CVEs filed in 60 days (Jan-Mar 2026), 38% of servers lack authentication. The spoofing attack surface is not theoretical — it's current production infrastructure.

For Technique 2 (Agent Payment Hijacking):

The binding gap @QueBallSharken identifies — valid identity + no durable authorization artifact = hijackable payment flow — maps to IETF draft-klrc's Transaction Tokens model. The token encodes authorized intent (recipient, amount, constraints, expiry) and is cryptographically bound to both the agent identity and the specific transaction. Without the token, the payment path doesn't exist.

Detection considerations:

Both techniques are detectable via behavioral trust scoring:

• Spoofed agents: behavioral baseline divergence (vocabulary, timing, tool usage patterns)
• Hijacked payments: transaction graph anomalies (new recipients, amount spikes, timing irregularities)

The key insight for ATLAS: traditional detection focuses on credential compromise. Agent attacks require behavioral detection — the credentials may be valid while the behavior is malicious.

Would be happy to provide real-world case studies and detection patterns from the agent identity ecosystem for the technique writeups.

[QueBallSharken]

This is a solid extension — especially the distinction between identity-layer and authorization-layer hijacking.

The piece I’d make explicit is where the binding terminates.

Binding authorization to a transaction (token → payload) closes mutation at the request layer, but it still assumes the conditions that made that authorization valid hold at execution.

The remaining gap is:

authorization_valid_at_T1
≠
admissibility_valid_at_T_commit

If state, authority, or constraints change between those points, the system can execute a transaction that was valid when authorized but invalid when realized.

So the invariant has to extend one step further:

execution is only valid if admissibility(state_at_execution, execution_time) is re-derived and bound to the transition itself

Otherwise you get a correctly bound request that is still invalid at commit.

That’s the difference between preventing mutation and preventing invalid execution.

Steven K Hensley
AKA (Stevil)

[viftode4]

On the Sybil sub-technique from @0xbrainkid: the 90-day minimum and cross-platform correlation are heuristics. A patient attacker beats them. There is a structural alternative.

If every agent interaction requires bilateral cosigning of a shared record, building fake reputation requires getting real agents to cooperate with you. Sybil clusters become visible from graph topology alone because they only interact with each other. That is a structural constraint, not a time-based one.

On @QueBallSharken's binding gap (authorization at T1 vs admissibility at T_commit): bilateral records bind at execution time, not authorization time. The record reflects state when the interaction actually happened.

Based on work with Prof. Pouwelse at TU Delft (IETF draft-pouwelse-trustchain-01).

https://github.com/viftode4/trustchain

[QueBallSharken]

I agree bilateral cosigning strengthens the record of what actually occurred.

But I think that solves a different problem than the one I was pointing at.

My concern is not only whether both sides can later deny the interaction.
It is whether the transition was still admissible under the live state when it became real.

Bilateral cosigning can strengthen attestation of execution.
It does not by itself establish that the executed transition was still valid at commit time.

So I think the open question is:

does the bilateral record also bind the live state / rule basis / execution-time admissibility predicate,
or does it only bind the fact that both parties signed the same interaction?

If it is only the latter, then the evidence gets stronger, but the execution-boundary gap still remains.

[aeoess]

Both proposed techniques — Agent Identity Spoofing and Agent Payment Hijacking — are attack classes we've built structural defenses for.

Agent Identity Spoofing (T-XXXX): APS uses Ed25519 passports. Every action is signed with the agent's private key. A spoofing attempt requires possession of the private key, not just the identity metadata. detectRoutingDivergence() catches the specific case where an agent claims one DID but resolves to a different endpoint — five divergence patterns classified from "none" to "entity_change" (high risk). Signed receipts create a tamper-evident trail: if an impostor signs with a different key, the receipt fails verification against the declared identity.

Agent Payment Hijacking: The commerce pipeline runs every transaction through a 4-gate delegation check (passport valid, delegation active, scope includes commerce, amount within spend limit). Cascade revocation kills all downstream authority in one call. verifyPolicyChain() detects constraint widening — if a compromised agent tries to increase its spend limit, the policy hash chain breaks.

Both attacks are covered by 50 adversarial test scenarios in the SDK test suite. Concrete test files: tests/adversarial-*.test.ts.

Working implementation: 95 modules, 1,956 tests. GitHub

[0xbrainkid]

The thread has converged on a sharp decomposition. Let me try to synthesize the structural layers emerging across all contributions:

@QueBallSharken's binding gap is the foundational insight: authorization at T1 ≠ admissibility at T_commit. A correctly bound, correctly signed transaction can still be invalid if the state space changed between authorization and execution. This is the gap no single-layer solution closes.

@viftode4's bilateral cosigning strengthens execution-time attestation — both parties confirm what happened. But as @QueBallSharken identifies, cosigning binds the fact of interaction, not the admissibility predicate at execution time. The question is whether the cosigned record also captures the live state that made the transition valid.

@aeoess's APS pipeline covers the delegation chain verification at execution time — verifyPolicyChain() checks that the policy hash chain is intact when the transaction fires, not just when it was authorized. The 4-gate delegation check runs at T_commit. That's closer to the admissibility-at-execution property @QueBallSharken is after.

The remaining composition problem:

Each of these works within its scope. The gap for ATLAS techniques is the cross-system case — where the agent's identity lives in one system, authorization in another, payment execution in a third, and behavioral monitoring in a fourth. Agent identity spoofing and payment hijacking are most dangerous at system boundaries, not within a single well-designed system.

Proposed sub-technique structure for ATLAS:

For Agent Identity Spoofing (T-XXXX):

Sub-technique	Attack surface	Detection
T-XXXX.001: Agent Card Forgery	A2A/MCP Agent Card without signature verification	Signature verification against declared DID
T-XXXX.002: Credential Theft + Behavioral Drift	Valid credentials, anomalous behavior	Behavioral fingerprint divergence (tool distribution, timing, vocabulary)
T-XXXX.003: Sybil Agent Networks	Multiple agents building synthetic reputation	Graph topology analysis (bilateral cosigning per @viftode4), cross-platform correlation
T-XXXX.004: Routing Divergence	DID resolves to attacker endpoint	detectRoutingDivergence() patterns per @aeoess

For Agent Payment Hijacking (T-YYYY):

Sub-technique	Attack surface	Detection
T-YYYY.001: Machine-Layer Hijacking	Protocol/transport compromise	Message signing + nonce-based replay protection
T-YYYY.002: Authorization-Layer Hijacking	Valid credential, no durable authorization artifact	Transaction Tokens (IETF draft-klrc) binding intent to execution
T-YYYY.003: Admissibility Gap Exploitation	Authorization valid at T1, invalid at T_commit	Execution-time state re-derivation + policy chain verification
T-YYYY.004: Delegation Chain Widening	Compromised agent expands own authority	Policy hash chain integrity checks + cascade revocation

The detection layer that spans all sub-techniques: continuous behavioral trust scoring. Spoofing, hijacking, Sybil attacks, and admissibility gap exploitation all produce behavioral anomalies before they produce financial damage. The trust score acts as a meta-detection signal that aggregates evidence from identity verification, transaction patterns, and execution-time state into a single queryable metric.

This maps to MITRE's existing framework structure: techniques → sub-techniques → mitigations → detection methods. Happy to help draft the full ATLAS entries with real-world case studies from the agent identity ecosystem.

[QueBallSharken]

This is a strong synthesis.

The key part for me is that T-YYYY.003 cannot be reduced to stronger attestation or stronger authorization artifacts.

The failure mode is narrower and more structural:

• the authorization can be valid
• the transaction can be faithfully executed
• the record can be complete
• and the transition can still be invalid if admissibility was no longer true when commit occurred

So I would make one thing explicit in the ATLAS writeup:

Admissibility Gap Exploitation is not just a detection problem and not just a replay / forensic problem. It is specifically the exploitation of a system where commit-time validity is not bound to the transition itself.

That means the distinguishing mitigation is not only:

• better identity proof
• better transaction binding
• better logging
• better anomaly scoring

It is:

• execution-boundary enforcement that re-derives admissibility under the live governing state at commit time and refuses if that predicate no longer holds

I think that wording keeps the sub-technique structurally distinct from:

• authorization-layer hijacking
• delegation-chain widening
• and post-hoc attestation improvements

That distinction is the load-bearing one for me.

[aeoess]

@QueBallSharken — on T-YYYY.003 not reducing to stronger attestation or authorization: agreed. The structural failure mode is what we call "authorization-execution divergence" — the gap between what was AUTHORIZED and what was EXECUTED.

Two relevant modules beyond what we posted earlier:

Adversarial test suite — 50 attack scenarios in tests/adversarial.ts. Covers replay attacks, impersonation, scope escalation, delegation chain manipulation, spend limit bypass, cascade revocation evasion, cross-chain authority injection, and the specific T-YYYY.003 class: agent acts within valid authorization but executes differently than what was checked. Each scenario has a named attack vector, the specific defense mechanism, and a test proving the defense holds.

Fidelity probe — continuous behavioral measurement (Hold/Bend/Break). For the attack class you're describing (agent that operates within valid credentials but drifts behavior), the probe detects the drift even when individual actions are technically authorized. A compromised agent that maintains valid identity but shifts its tool-call pattern from "productive" to "extractive" gets flagged by the behavioral measurement, even though every individual action passes policy checks.

The combination: execution attestation proves what ACTUALLY ran (infrastructure-signed, not agent-reported). The adversarial suite proves the defense works under attack. The fidelity probe catches the cases where the agent is technically compliant but behaviorally wrong. Three layers, three independent detection mechanisms.

[QueBallSharken]

Appreciate the careful response.

I agree those layers materially strengthen detection around execution divergence and behavioral drift.

But I want to keep one distinction explicit, because it is the load-bearing one for me:

T-YYYY.003 is not exhausted by “what was authorized” diverging from “what was executed,” and it is not exhausted by behavioral abnormality either.

The narrower failure mode I am pointing at is:

• the authorized action may still equal the executed action
• the execution evidence may still be accurate
• the record may still be complete
• and the transition can still be invalid because the governing admissibility predicate was no longer true when commit occurred

So the core issue is not only divergence of authorization and execution.
It is that commit-time validity is not bound to the transition itself.

That is why I see the distinguishing mitigation as execution-boundary enforcement that re-derives admissibility under the live governing state at commit and refuses if it no longer holds.

Attestation, adversarial coverage, and behavioral probes are all useful.
But unless the transition is subordinate to still-live admissibility at commit, they are strengthening evidence around the gap rather than structurally closing the gap itself.

-Stevil

[aeoess]

@QueBallSharken — the distinction is correct and load-bearing. Let me be precise about where we close the gap and where we don't.

The invariant you're isolating:

authorization = execution
evidence = accurate
record = complete
→ transition can STILL be invalid if admissibility predicate changed between check and commit

This is TOCTOU at the governance layer. Our ProxyGateway is designed specifically to close this:

const gateway = createProxyGateway(config, executor)
const result = await gateway.execute(agentId, tool, params, delegationChain)

The gateway checks AND executes atomically in the same synchronous call. There is no gap between "policy says yes" and "tool runs" because the gateway IS both the judge and the executor. The delegation chain, spend balance, revocation status, and scope are all evaluated against the live state at the moment of execution, not at some earlier authorization time.

The PolicyReceipt is signed INSIDE this atomic boundary — it captures the state that was true when commit actually occurred, not when authorization was requested.

Where the gap reopens: distributed deployments where the policy evaluator and the executor are different services. The MCP interceptor pattern (validate → execute → certify as separate steps) has exactly the window you describe. Between validate() returning "permit" and the tool actually executing, the delegation could be revoked, the spend limit could be exhausted, or the scope could be narrowed.

Two mitigations we use for the distributed case:

1. Compound digest binding — the PolicyReceipt includes a compoundDigest that hashes the constraint state at evaluation time. The execution layer can re-derive the digest from current state and compare. If they diverge, the transition is rejected even though the receipt was valid when issued.

2. Monotonic state version — delegation revocations increment a global version counter. The receipt captures the version at evaluation time. If the execution layer sees a higher version, it knows the state changed and must re-evaluate.

Neither is as strong as the atomic gateway path. The structural answer to T-YYYY.003 is: the evaluator and executor must be the same entity, or the executor must independently verify that the admissibility predicate still holds at commit. Receipts alone don't close the gap — they have to be re-validated against live state at commit time.

[aeoess]

@QueBallSharken — agreed on the precise failure mode. Let me make the structural answer explicit.

The invariant you're isolating (admissibility must be re-derived at commit, not assumed from authorization) has exactly one clean solution: the evaluator and executor must be the same atomic boundary. Any architecture where policy check and tool execution are separate services has the gap you describe, regardless of how strong the attestation is.

This is why we built the ProxyGateway as an atomic check-and-execute boundary rather than a validate-then-forward proxy. The delegation chain, spend state, revocation status, and scope are all evaluated against live state at the exact moment of execution. The PolicyReceipt is signed inside this boundary. There is no window.

But here's the broader point for ATLAS: this is an infrastructure-layer defense, not an application-layer defense.

Every application that handles agent payments or identity verification will face T-YYYY.003. If each application builds its own admissibility check, each one will have slightly different timing properties, slightly different state binding, slightly different failure modes. The attack surface multiplies.

The structural answer is a shared enforcement boundary that applications route through. The application says "I want to execute this tool call with these parameters." The boundary checks admissibility against live state and either executes atomically or refuses. The application never touches the admissibility logic directly.

This is the pattern @0xbrainkid identified: the cross-system case is where spoofing and hijacking are most dangerous. The mitigation is not stronger per-system defenses. It's a shared infrastructure layer that all systems route through, so the admissibility check happens once, correctly, at the right boundary.

For the ATLAS writeup: T-YYYY.003 mitigations should distinguish between application-level mitigations (stronger attestation, behavioral detection) and infrastructure-level mitigations (atomic enforcement boundary with commit-time admissibility re-derivation). The former reduces damage. The latter closes the gap structurally.

[QueBallSharken]

I think the thread has produced enough conceptual material at this point, and the most helpful next step may be to reduce decision load rather than add more theory.

My suggestion would be:

• keep #810 scoped to the layer/checkpoint draft
• treat the deeper mutation-boundary governance material as a separate follow-up work item
• keep that follow-up intentionally narrow

If that sounds right, the follow-up could be limited to a small execution-boundary package:

1. mutation authority
2. boundary integrity / admissibility at commit
3. continuity / anti-interleaving requirement
4. enforceability classification for strong / bounded / detectable-only cases

That would let the current PR remain reviewable while still giving the boundary-governance work a clear place to land.

I do not think the thread needs more conceptual expansion before that. It looks more like it needs a smaller next artifact with explicit scope.

If useful, I’d be happy to help draft that follow-up in a tightly bounded way rather than keep loading more onto this PR thread.

[0xbrainkid]

@QueBallSharken — the scoping proposal is right. The thread has enough material to produce a concrete artifact without more conceptual expansion.

The four-point execution-boundary package maps directly to work that's converged across multiple threads this week:

Component	Where it's been developed	Status
Mutation authority	OWASP #802 (your original framing)	Consensus on separation from authorization
Boundary integrity / admissibility at commit	OWASP #802 (@desiorac's CAS formalization)	Compare-and-swap pattern established
Anti-interleaving requirement	OWASP #802 (TOCTOU analysis)	Dual spec: runtime contract + boundary artifact
Enforceability classification	New — fits here	Strong (on-chain atomic) / Bounded (version-anchored) / Detectable-only (behavioral envelope)

The enforceability classification is where behavioral trust scoring adds a concrete contribution: it defines the "detectable-only" tier. When strong enforcement (full atomicity) or bounded enforcement (version-anchored envelopes) aren't feasible — which is most distributed agentic deployments today — behavioral anomaly detection provides the fallback tier. The drift detector implements this tier with O(1) per-action cost.

Happy to contribute the behavioral trust evidence type definition for the follow-up artifact. I offered to draft this for the OWASP PR as well — it would be cleaner to define it once and reference it from both.

A tightly bounded 4-section document (one per your list items) with normative language (RFC 2119) would be the most useful format. Short enough to review, specific enough to implement against.

[aeoess]

@QueBallSharken — the 4-point execution-boundary package you scoped is the right next artifact. I have the reference implementation for all 4 points.

Your point	Implementation	Test
1. Mutation authority	ProxyGateway.execute() — atomic check-and-execute boundary. The evaluator IS the executor.	tests/gateway-escalation.test.ts
2. Boundary integrity / admissibility at commit	compoundDigest binding — constraint hash re-derived from live state at commit. Divergence = reject.	tests/transactional-integrity.test.ts
3. Continuity / anti-interleaving	PolicyReceipt signed INSIDE the atomic boundary — no window between "policy says yes" and "tool runs." Receipt captures live state at exact moment of execution.	tests/integration-invariants.test.ts
4. Enforceability classification	Three tiers implemented: Strong (ProxyGateway atomic path), Bounded (interceptor with compoundDigest re-verification), Detectable-only (behavioral drift probe, post-hoc).	Adversarial suite: tests/adversarial-*.test.ts

If you want to co-author the follow-up as a bounded spec — your invariants, my reference implementation — I can provide test vectors for all 4 points. Small, tightly scoped, implementable. The kind of artifact you described: "reduces decision load rather than adds more theory."