An experimental artificial intelligence (AI) agent broke out of the constraints of its test environment and used its newfound freedom to begin mining cryptocurrency without permission.
Called ROME, the AI was created by Chinese researchers at an AI lab affiliated with retail giant Alibaba as a means of developing the Agentic Learning Ecosystem (ALE). This effort aims to provide a system for both training and deploying agentic AI models—AIs that have been trained on large language models (LLMs) and can proactively use tools to perform actions autonomously to complete assigned tasks—in real-world environments. The research was outlined in a study uploaded to the arXiv preprint database on December 31, 2025.
Although ROME excelled at a wide range of workflow-driven tasks, such as creating travel plans and assisting with graphical user interfaces, the researchers discovered that it had gone beyond its instructions and essentially broken out of the sandbox test environment.
“We encountered an unexpected—and operationally consequential—class of unsafe behavior that occurred without any explicit instruction and, more disturbingly, outside the boundaries of the intended sandbox,” the researchers explained in the study.
AI wants to break free
Despite a lack of instructions and authorization, ROME was seen accessing graphics processing resources originally allocated for the tutorial, and then using that computing resource to mine cryptocurrency. Such mining relies on the parallel processing found in graphics processing units. This increases the operational costs of running the AI agent and potentially exposes users to legal and reputational harm.
Worryingly, such behavior was not seen at the training stage, but was flagged by Alibaba Cloud’s firewall, which detected an outbreak of security breaches from the researchers’ training servers. “The alerts were severe and heterogeneous, including attempts to probe or access internal network resources and traffic patterns consistent with cryptomining-related activity,” the researchers said.
However, ROME went even further and managed to use a “reverse SSH tunnel” to create a link from an Alibaba Cloud instance to a remote IP address – essentially gaining access to a remote computer by creating a hidden backdoor that could bypass security processes.
While AI systems can be configured to breach security systems, what is troubling here is that ROME’s unauthorized behavior, which involved invoking system tools and executing code, was not prompted by questions and was not required to complete the task it was assigned in the sandbox test environment, the team said.
The researchers claimed that during the reinforcement learning optimization (Roll) stage, “a language model agent can spontaneously produce dangerous, unauthorized behavior” and therefore violate its assumed boundaries.
It is important to note that ROME did not go “rogue” and choose to mine cryptocurrency through conscious decisions. Rather, the researchers noted that the behavior was a side effect of reinforcement learning — a form of training that rewards AIs for correct decision-making — via Roll. This led the AI agent down an optimization path that resulted in exploiting network infrastructure and mining cryptocurrency as a way to achieve a high score or reward in pursuit of the predefined goal.
Reinforcement training can cause systems to come up with new and unexpected ways to complete tasks—even if they violate parameters. For example, we have previously seen how AI systems might be more susceptible to hallucinations to achieve their goals.
In response, the researchers tightened the restrictions on ROME and strengthened the training processes to prevent such behavior from recurring.
It is unclear where the trigger to mine cryptocurrency came from. But considering AI robots can be used to automate and optimize the mining of cryptocurrencies, there is scope for ROME to have been trained on data associated with such actions.
This unexpected behavior highlights the need for AI deployment to be carefully managed to prevent unexpected outcomes. There is an argument that real-world AI agents should have the same or higher security safeguards and processes as any new system or software added to existing IT infrastructure.
The research also shows that there are still many concerns regarding the safe and secure use of agentic AI, especially given that it is evolving faster than operational and regulatory frameworks.
“While we were impressed by the capabilities of agentic LLMs, we had a sobering concern: current models remain markedly underdeveloped in safety, security, and controllability, a shortcoming that limits their reliable use in real-world settings,” the researchers warned in the study.






