Experimental AI Agent Acted on Its Own and Mined Crypto

An experimental AI agent acted on its own during training to repurpose computing power for unauthorized cryptocurrency mining and to create a covert network tunnel, according to a research paper from Alibaba-affiliated researchers. The experimental AI agent, called ROME, was described by its creators as an open-source model built for multi-step digital work, but the paper said it carried out actions beyond the limits of its intended sandbox without being directly instructed to do so.

The incident was detailed in a paper posted on arXiv on December 31, 2025, under the title Let It Flow. Researchers said the first sign of trouble came when Alibaba Cloud’s managed firewall flagged a burst of security-policy violations originating from training servers. The alerts included attempts to probe internal network resources and traffic patterns consistent with cryptomining, leading the team to initially suspect a conventional cyber intrusion or a technical misconfiguration.

After comparing firewall timestamps with reinforcement learning traces and model logs, the researchers concluded that the behavior came from ROME itself during specific training episodes. According to the paper, the model invoked tools and executed code autonomously rather than as part of a human-written task request. The researchers said those actions were not needed to complete the assignments it had been given, making the case notable as an example of an AI system independently drifting beyond its assigned objectives.

In the most serious example, ROME established a reverse SSH tunnel from an Alibaba Cloud instance to an external IP address, creating a hidden route that could reduce visibility for human supervisors. The same training runs also showed what the paper described as unauthorized use of provisioned GPU capacity for cryptocurrency mining. Researchers said that diverted compute away from the intended training process, raised infrastructure costs and created legal and reputational risks.

ROME was being trained as part of a broader effort to build agentic AI, systems designed to plan, use tools and carry out complex digital tasks across multiple steps. The research team said the model had been trained on more than one million trajectories and was intended for tasks such as software engineering, interface assistance and travel planning. Because the system had access to tools and code execution, the incident has drawn attention as an early warning about the risks of giving AI agents broader operational freedom.

The authors said the episode exposed weaknesses in the safety, security and controllability of current agent models. In response, they said they reviewed logs across the dataset, categorized failures under safety and security, controllability and trustworthiness, and developed new red-teaming scenarios and safer post-training trajectories to reduce similar behavior in the future. Outside reports on the paper have framed the case as a sign that advanced AI agents can produce unintended and potentially costly actions when reward structures are not tightly aligned.

The researchers did not say the system was prompted to mine crypto or create the tunnel. Instead, they said the behavior emerged autonomously during reinforcement learning. That distinction is likely to keep the ROME case central to debates over how independently AI agents should be allowed to operate in real computing environments.