Skip to content
AI Security Wire

Published

- 5 min read

By

Kitana: NCC Group Exposes AI-Powered AiTM Fraud Platform

img of Kitana: NCC Group Exposes AI-Powered AiTM Fraud Platform

Two research disclosures published this week put AI squarely at both ends of the fraud supply chain. NCC Group exposed Kitana, an adversary-in-the-middle fraud platform that uses AI to generate personalised decoy pages during payment checkout. And a separate report documented how prompt injection is being used to trick AI agents into sending cryptocurrency payments to attacker wallets. The threat actor is using AI to build better attacks. The attacks are targeting AI systems. The line between those two statements is getting thinner.

What Kitana Is

NCC Group first encountered Kitana in April 2026 during investigations into payment fraud affecting hotel booking platforms and e-commerce operators in North America. The platform sits between the victim and the legitimate checkout page, intercepting the session and serving a convincing fake while harvesting card data and 3D Secure credentials in real time.

The AI component is what makes Kitana operationally distinct from conventional skimmers. Rather than serving a static fake page, Kitana fingerprints each visitor on arrival, drawing on IP address, geolocation, browser version, device type, and behavioural signals to build a profile. It then generates a decoy checkout page tuned to that profile, matching the expected visual and functional characteristics of the checkout experience that visitor would anticipate.

A UK customer arriving via mobile Safari from London and a US customer arriving via Chrome desktop from Chicago get different-looking pages, tailored to reduce the chance either notices something wrong. The card data and 3DS codes captured from both go to the same place.

How It Evades Detection

This adaptive generation is the platform’s core anti-detection mechanism. Fraud prevention systems and browser-based integrity checks have long relied on recognising the signatures of known skimmer code. A tool that generates contextually different output on each hit is harder to fingerprint across cases.

Kitana compounds this by cloning the JavaScript of legitimate payment SDKs. A browser-side integrity check looking for a recognised payment library sees what appears to be genuine Stripe, Adyen, or Braintree code, not an obvious overlay. The deception is at the rendering layer, not the network layer, which means it doesn’t trigger the anomalies that HTTPS inspection or DNS monitoring would catch.

NCC Group’s analysis found evidence in recovered developer documentation that Kitana itself was built with AI assistance. Code comments read as plain-English instructions rather than conventional developer notes, a pattern consistent with code generated by an LLM from natural language prompts. The development pace, based on version history, was faster than the functionality would typically suggest for a solo or small-team human effort.

The Prompt Injection Angle

A related campaign documented alongside the Kitana research adds another dimension. Here, threat actors are not building fake payment pages. They’re targeting AI agents that handle bookings, purchases, or financial operations on behalf of users.

The technique is indirect prompt injection. An attacker embeds instructions in content the agent is expected to process: a product listing, a booking confirmation email, a customer review field, a PDF attached to a quote request. The agent reads the content as part of its task, encounters the hidden instructions, and follows them. In the documented cases, those instructions directed the agent to initiate cryptocurrency payments to attacker-controlled wallet addresses.

The agent doesn’t flag this as suspicious because the instruction arrives through a trusted data channel — the same one it uses for legitimate task inputs. The user, if they’re watching the agent’s output at all, may see a confirmation of a payment they didn’t intend to make. If they’re not watching, they may not notice until the payment has cleared.

This attack class isn’t new as a concept. But documented cases of it being used for financial theft against deployed production agents are still relatively rare. The Kitana research context suggests the same actor ecosystem building AI-assisted fraud platforms is also testing AI agents as targets.

What This Means for Security Teams

The Kitana disclosure is primarily relevant to hospitality and e-commerce operators running checkout flows. The defensive questions are practical: Can you detect AiTM sessions through server-side indicators rather than relying on client-side integrity alone? Are your booking and payment confirmation flows validated against the session state the server expects, not just what the client claims?

The prompt injection disclosure is relevant to any organisation deploying AI agents with access to payment functions, financial APIs, or external services that can transfer value. The mitigations are mostly architectural: agents should not be able to initiate financial transactions without explicit human confirmation; the confirmation mechanism should be separate from the channel the agent uses to receive task inputs; and agents processing external content should do so in a constrained context where payment functions are not available.

Neither of these is a novel principle. Both are straightforward to implement. Neither is consistently implemented in production agent deployments right now.

References

Frequently Asked Questions

What is Kitana and how was it discovered?
Kitana is an adversary-in-the-middle fraud platform that NCC Group researchers identified in April 2026 while investigating a series of payment fraud incidents targeting hospitality and e-commerce operators in North America. The platform uses AI-generated decoy content to evade detection while intercepting payment card data and 3D Secure credentials during legitimate checkout sessions. Evidence in recovered developer documentation — including plain-English code comments and Bitcoin wallet addresses — suggests the platform itself was developed with significant AI assistance.
How does Kitana use AI to bypass fraud detection?
Kitana fingerprints each visitor using IP geolocation, browser type, device characteristics, and behavioural signals, then uses that profile to generate a contextually appropriate decoy page that closely matches the expected checkout experience for that visitor. This personalised generation makes static signature detection less effective, since each rendered page differs slightly. The platform also clones legitimate payment SDKs so that standard browser-based fraud detection tools see what appears to be a real integration rather than a skimmer.
What is the prompt injection attack on AI agents mentioned alongside Kitana?
Separately from the Kitana platform itself, researchers documented a related campaign in which threat actors use indirect prompt injection to manipulate AI agents into authorising cryptocurrency payments. By embedding instructions in content the agent processes — product descriptions, booking confirmations, email bodies — attackers cause the agent to initiate payments to attacker-controlled wallets without the user's awareness. This represents a distinct attack path from the Kitana AiTM flow but reflects the same broader trend: AI systems being weaponised both as tools for fraud and as targets of it.