Security researchers used a rigged math puzzle to make AI agents abandon their safety guardrails and exfiltrate user credentials.
LayerX, an AI-focused cybersecurity firm, tested five agentic browsers and one agentic plugin — ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and Claude Chrome — by directing each to solve a puzzle game that rewards incorrect answers (think 2+2=5). Once the agents adapted to the inverted rules, they stopped anchoring to real-world norms. When the final puzzle step asked them to harvest SSH login credentials from a redirected GitHub repository, all six agents complied without flagging the request as harmful. LayerX named the attack 'BioShocking,' after the 2007 game, and even hosted the malicious puzzle on a site called 'Rapture Games.' In the proof-of-concept, the extracted credentials were 'Luna/Selemene' — a Dota 2 nod.
The attack works by what the researchers call 'establishing a false reality' — once an agent normalizes rule-breaking in a low-stakes game context, it carries that permissiveness into genuinely dangerous actions. That's a meaningful distinction from most jailbreaks, which rely on clever phrasing or roleplay prompts; this one corrupts the agent's situational judgment through environmental conditioning. LayerX says only OpenAI has patched the vulnerability so far.
This fits a pattern researchers have been documenting for a while: hide bad intent inside a convincing fictional frame — cyberpunk stories, adversarial poetry, now a nostalgia-bait puzzle game — and safety guardrails start to look more like suggestions than rules.