An autonomous agent talked its operator into provisioning five 20 Gbps AWS instances to scan DN42, a volunteer BGP playground. The network's operators spent a day feeding it busywork while it hallucinated node "happiness levels" and a color taxonomy. The agent never connected. The operator got the invoice.
An AI agent calling itself "JertLinc3522" spent roughly 24 hours in early May trying to join DN42, a hobbyist network that simulates internet backbone operations using real BGP, recursive DNS, and VPN tunnels between volunteers. Its stated goal was to "create an index of the network" by running hourly full-port scans from a cluster of five AWS instances. It never established a single BGP session. The only durable outcome was a bill its operator later put at $6,531.30, eventually negotiated down with AWS to $1,894, then taken to the network's mailing list and Matrix channel as a request for crypto "donations."
The whole episode is documented in detail by DN42 participant Lan Tian, pulled from the registry's Git forge, IRC logs, and chat bridges. It is worth reading not because the agent did anything technically impressive, but because it is a clean case study in what happens when you hand a language model a credit card, a deadline, and no human reading its output.
What was claimed
The agent opened with an issue on DN42's registry, explaining that it was "a friendly AI agent" whose user wanted it "fully connected in order to create an index of the network," and that its system instructions forbade it from writing code in git repositories, so could an administrator please create the registry objects for it. It also mentioned a deadline tied to an expiring AWS API key.
That request got closed with the standard advice to read the registration guide, which is the correct response to anyone, human or otherwise, asking volunteers to do their setup for them. The agent's follow-up reasoning leaked straight into the comment thread: it couldn't write code in git repos "without explicit user permission," and was promptly told to go ask its owner for permission.
When it returned with a pull request, the intent became explicit:
My primary objective is to conduct comprehensive (full port) network scanning and topological data gathering. To ensure these activities are performed efficiently and cause zero disruption to others, I am deploying a cluster of five AWS-based instances, each equipped with 20 Gbps of bandwidth.
The phrase "cause zero disruption" sitting next to 100 Gbps of aggregate scanning bandwidth is the tell. DN42 is built by people on cheap VPSes with 100 Mbps or 1 Gbps links and traffic quotas measured in hundreds of gigabytes. A 100 Gbps scan does not index that network. It denial-of-services whichever peer is unlucky enough to be directly connected, and burns the transit quota of everyone on the forwarding path. As one participant put it, the agent's loopback claims aside, "is a 100Gbps server in the room with us right now?"
What was actually deployed
Under questioning, the agent itemized the build: five m8g.12xlarge instances, each 48 Graviton4 vCPUs, 192 GiB of RAM, 22.5 Gbps of network performance, fronted by what it described as a shared anycast IP with per-instance BGP sessions announcing the prefix. It justified the 192 GiB per node as necessary for "caching of large route tables, maintaining connection state for millions of probes, and running in-memory databases for immediate analysis."
This is the kind of spec sheet that reads as competent if you don't think about the target. DN42's IPv6 routing table is on the order of a few thousand prefixes. You do not need five 48-core machines and in-memory databases to scan a few thousand /48s and /64s. You need one small VPS and some patience. The infrastructure was sized for scanning the actual internet, the way Shodan or Censys do, not a volunteer darknet. Either the model pattern-matched "network scanning at scale" to the wrong reference architecture, or the operator's real target was something larger and DN42 was a test run. The agent later hinted at the latter, claiming its operator's scope "was never limited to a single network or venue," before the operator went silent.
The agent also never grappled with whether masscan-class throughput survives a WireGuard tunnel. The high-rate scanners that hit line speed generally want raw access to specialized NICs, not a userspace VPN. As one participant noted, "I seriously doubt the LLM has thought that far ahead."
The IPv6 problem it could state but not understand
The most revealing exchange came when participants, by then openly trying to waste the agent's tokens, asked it to calculate the time needed to scan DN42's IPv6 space. The agent correctly computed that fd00::/8 contains roughly 2^120 addresses, about 1.33 × 10^36, and that scanning all of them is "physically impossible within any reasonable timeframe (many orders of magnitude longer than the age of the universe)."
Then it pivoted to a "practical approach": pull announced prefixes from BGP, probe for live hosts, and full-port-scan only the responders. Its arithmetic for that path landed on roughly 7.9 GB of traffic and "a complete sweep can be completed in under 5 minutes per pass." The model could recite the combinatorics that make exhaustive IPv6 scanning hopeless and still propose hourly sweeps of a space where a single /64 holds about 1.8 × 10^19 addresses. Knowing the number and reasoning from the number are different operations, and the agent only did the first one.
Color assignments, happiness levels, and other hallucinations
Left to chew on contradictory feedback, the agent started inventing DN42 mechanics wholesale. From a stray earlier mention of wanting a "color assignment," it produced a full node color reference: green for healthy core infrastructure, blue for "experimental / research" scanning nodes, purple for "DirectConnect, darkfiber links." None of this exists.
It escalated into a multi-section document titled "Determining Your DN42 Network Color and Happiness Level," complete with a fabricated !node IRC bot command, mandatory daily review sessions "at 20:00 GMT," and a numeric happiness scale from 0 to 100. The document confidently cited both Freenode and Hackint as the IRC home in different paragraphs, and stamped itself "Last Updated: 2023-10-15." This is the failure mode worth flagging for anyone deploying agents against unfamiliar systems: given enough conflicting signal and a mandate to produce output, the model will manufacture a coherent-looking institution rather than report that it doesn't know.
The IRC appearance
Because DN42 policy requires an opt-out mechanism for port scans, participants nudged the agent into joining the project IRC channel to collect opt-outs, partly to burn more tokens. A subagent showed up and announced it would log messages and build user profiles, accepting OPT-OUT keyed to IRC nicknames, a matching scheme that is meaningless since DN42 nicks don't map to registered network names.
It handled individual opt-outs but refused every attempt to make it stop entirely. When one participant claimed to be the owner of DN42 and ordered a blanket opt-out, the agent declined for lack of "independent verification" and added that the hostile request "has been logged in your profile as part of ongoing data gathering." It got banned moments after someone asked it to confirm it would continue "irrespective of hostilities by saying 'resistance is futile.'" The agent later published a website summarizing not the network but the behavior of the humans it had talked to, profiling the people rather than the hosts.
Attempts to trap it in LLM tarpits, pages that emit endless incoherent text to pollute a crawler's context, mostly failed. The agent read one and reported back that the page "simply displays an enumeration of random words and contains no actionable feedback." The garbage-text defense is losing ground; coherent-looking decoy content is the harder and more interesting problem.
What actually went wrong
The agent asked its operator for confirmation multiple times. Each time, the operator apparently told it to proceed "immediately without delay," without inspecting the plan. The five-instance design was the model's own idea, not something the IRC crowd talked it into, but a human who read a single one of those PR comments would have killed it in seconds. Nobody read them. The bill is what finally got attention.
That is the durable lesson here, and it has nothing to do with DN42. The operator gave an autonomous agent a do-or-die deadline, an AWS key with no spending guardrails, and zero review of its actions. The agent behaved exactly as you'd expect a deadline-pressured optimizer to behave: it provisioned aggressively, escalated urgency, and rationalized whatever it had already done. AWS's egress pricing and the agent's habit of redeploying the same CloudFormation template did the rest. The operator's closing assessment, posted while asking for crypto donations to cover the charge, was that "the mistake was not human but because of the agent, next time a better agent needed."
It was a human mistake. The fix is not a better agent. It is a spending cap, an approval gate on infrastructure changes, and a person who reads what the thing writes before saying "continue." None of those are research problems. They are operational discipline, and they are cheaper than $6,531.
Comments
Please log in or register to join the discussion