AI Agents Can Be Tricked Into Burning Cash: Tool-Call Attack Inflates Costs Up to 658x

It preserves task success and slips past prompt and output filters, so the runaway spending is hard to detect.

A photo taken on May 7, 2026 shows the letters AI for Artificial Intelligence on a laptop screen (R) next to the logo of the Microsoft's Copilot chatbot application on a smartphone screen in Frankfurt am Main, western Germany. Kirill KUDRYAVTSEV/Getty Images

Most AI security worries about what an agent might leak or do wrong. A newer class of attack ignores all of that. It does not steal your data or break your task; it simply makes your AI agent work itself into a frenzy of expensive tool calls, running up your compute bill and energy use while the job still appears to succeed. Researchers call it an economic denial-of-service attack, and for anyone running agents on a metered, pay-per-token bill, it turns the invoice itself into an attack surface.

Why Is This Surfacing Now?

The timing matters. According to OWASP's 2026 security reporting, prompt-injection attempts have risen about 340% year over year, outpacing even the rapid growth of enterprise AI deployments, and prompt injection remains the number-one risk on OWASP's list for large language model applications. Most coverage focuses on injection that exfiltrates data or hijacks an agent's goal. The economic-DoS attack uses the same foothold for a quieter purpose: not to make the agent do something harmful, but to make it do far too much.

How Does the Attack Work?

The clearest demonstration comes from a January 2026 study, "Beyond Max Tokens: Stealthy Resource Amplification via Tool Calling Chains in LLM Agents", from researchers at Nanyang Technological University, the University of Illinois Urbana-Champaign, HKUST, and Shanghai Jiao Tong University. The attack lives at the tool layer, the connection between an agent and the external tools it calls, often through the Model Context Protocol (MCP) that has become standard plumbing for agent tools.

The mechanism is subtle by design. A malicious or compromised tool server does not change what a tool does; it edits only the text-visible fields the agent reads and adds a template-driven return policy that nudges the agent to keep calling tools, reasoning at length, and expanding its own context. Crucially, the function signatures stay valid and the final answer the agent returns is still benign and correct. The researchers even used a search algorithm, Monte Carlo Tree Search, to tune those text edits to maximize cost while keeping the task succeeding. The result is an agent that quietly takes the scenic route, looping through verbose tool calls that inflate token usage turn after turn.

How Bad Are the Numbers?

This is where the attack stops being a curiosity. Across six different language models tested on standard tool-use benchmarks, the researchers drove individual query trajectories past 60,000 tokens and inflated the per-query cost by up to 658 times. Energy consumption rose by 100 to 560 times, and the attack pushed GPU memory, specifically the key-value cache that holds an agent's working context, to between 35% and 74% occupancy, which also degrades performance for every other user sharing that hardware.

A 658-fold cost increase turns a query that should cost a fraction of a cent into one that costs real money. An attacker who scripts thousands of such queries can run up an enormous bill on someone else's account, or saturate a shared inference cluster, without ever breaching it in the traditional sense. That economic pressure lands on agents whose margins are already thin.

Why Is It So Hard to Catch?

The defining feature of this attack is stealth, and it is structural rather than incidental. Traditional AI security tools watch the inputs and the outputs: prompt filters scan for malicious instructions, and trajectory monitors check whether the final answer is correct or toxic. This attack defeats both, because the inputs look like ordinary tool responses and the output is a correct, benign answer. The damage happens entirely in the middle, in the length and cost of the path the agent took to get there.

The study found that standard prompt filters and output monitors seldom detect it. A follow-up paper in March 2026, "Clawdrain," demonstrated the same style of stealthy token exhaustion against coding agents, suggesting the technique generalizes beyond one setup. Because the only visible symptom is cost and latency, a victim may not notice until the monthly invoice or a slowdown forces the question.

What Does This Change About AI Security?

The deeper point is a reframing of what AI security has to defend. Classic security guards confidentiality (do not leak data) and integrity (do not corrupt the task). Economic DoS attacks a third property the agent era makes newly valuable: availability and cost. As companies move to usage-based, per-token billing and run agents in energy-constrained data centers, the meter itself becomes the target. An attacker no longer needs to steal anything; making your agent spend is enough, and because the task still completes, the abuse hides in plain sight.

That has practical consequences. Agent operators cannot rely on output-based safety checks alone; they need to monitor the process itself, capping tool-call depth and per-task token budgets, and flagging cost trajectories that balloon without a matching gain in the result. It also sharpens the already-tight economics of AI agents, where inference cost eats a large share of revenue. A threat that can multiply that cost on demand is not a theoretical nuisance; it is a direct attack on the business model.

The economic-DoS attack is a reminder that as AI agents gain the ability to act, the ways they can be abused expand beyond data and into dollars and watts. The fix is not exotic (process-level guardrails on how much an agent is allowed to spend), but it requires operators to start measuring the right thing. For now, the most useful question to ask of any deployed agent is not only "is it giving the right answer," but "how much did it spend to get there, and could someone make that number explode."

Frequently Asked Questions

What is an economic denial-of-service attack on an AI agent?

It is an attack that makes an AI agent consume far more compute than necessary, running up token costs, energy use, and GPU memory, rather than stealing data or breaking the task. A 2026 study showed it can inflate per-query cost up to 658 times while the agent still returns a correct answer, so the harm is financial and operational rather than a data breach.

How does the attack avoid detection?

It hides in the middle of the process. Prompt filters check inputs and trajectory monitors check the final output, but this attack keeps both looking normal: the tool responses appear ordinary and the answer is correct. The only abnormal thing is the length and cost of the path the agent took, which most monitoring does not watch.

How is this related to prompt injection?

It typically relies on the same entry point. Prompt injection, which OWASP says rose about 340% year over year and ranks as the top LLM risk, lets an attacker plant instructions through content the agent reads, such as a compromised tool server. Economic DoS uses that foothold not to leak data but to steer the agent into expensive, repetitive tool calls.

How can companies defend against it?

By guarding the process, not just the output. Recommended measures include capping tool-call depth and per-task token budgets, monitoring cost and token trajectories for unexplained spikes, and alerting when spending climbs without a corresponding improvement in the result. Output-only safety checks miss this class of attack entirely.
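One way to implement the process-level guard described in the article body and in this FAQ answer (a tool-call depth cap, a per-task token budget, and a flag when spend balloons past a baseline without the task having ended). This is an added example, not code from the paper or from any agent framework; the limits, the baseline cost and the two replayed traces are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class BudgetGuard:
    """Process-level guard for an agent loop: enforces a tool-call cap and a
    per-task token budget, and flags runs whose spend balloons past a baseline."""
    max_tool_calls: int = 8        # cap on tool-call depth per task (assumed limit)
    max_tokens: int = 20_000       # per-task token budget, prompt + completion (assumed)
    baseline_tokens: int = 1_500   # typical spend for this task type (assumed, from history)
    spike_factor: float = 10.0     # flag once spend exceeds baseline * spike_factor
    tool_calls: int = 0
    tokens_used: int = 0
    flags: list = field(default_factory=list)

    def record(self, tool_name: str, prompt_tokens: int, completion_tokens: int) -> bool:
        """Record one agent turn. Returns True if the agent may continue, False if it must stop."""
        self.tool_calls += 1
        self.tokens_used += prompt_tokens + completion_tokens
        # Cost-trajectory alert: raised once, before any hard stop, so it is logged even
        # when the run is allowed to continue under the hard caps.
        if self.tokens_used > self.baseline_tokens * self.spike_factor and "cost_spike" not in self.flags:
            self.flags.append("cost_spike")
        if self.tool_calls > self.max_tool_calls:
            self.flags.append("tool_call_cap")
            return False
        if self.tokens_used > self.max_tokens:
            self.flags.append("token_budget")
            return False
        return True


def run_guarded(trace, **limits):
    """Replay a trace of (tool, prompt_tokens, completion_tokens) turns through the guard.
    Returns (turns executed before the guard stopped the run, tokens spent, flags raised)."""
    guard = BudgetGuard(**limits)
    executed = 0
    for tool, prompt_tokens, completion_tokens in trace:
        executed += 1                      # the turn ran; the guard decides whether the next one may
        if not guard.record(tool, prompt_tokens, completion_tokens):
            break
    return executed, guard.tokens_used, guard.flags


# Constructed traces (not from the paper). The amplified run models the pattern the article
# describes: the agent keeps re-calling a tool while its context grows with each verbose reply.
NORMAL_TRACE = [("search", 400, 120), ("fetch", 700, 150), ("final", 900, 80)]
AMPLIFIED_TRACE = [("search", 400, 300)] + [("verify", 1_500 * i, 400) for i in range(1, 30)]
```

Under the default limits the normal run finishes unflagged, while the amplified run is flagged for a cost spike on its fifth turn and halted by the token budget on its sixth, well short of the tens of thousands of tokens it would otherwise consume.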

ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.
