Zscaler found malicious websites using SEO poisoning, hidden HTML, JSON-LD metadata, and crypto-payment flows to manipulate browsing AI agents. The findings show why agent deployments need transaction limits, source checks, and runtime controls before they are allowed to browse the open web or move money.