An experimental AI agent broke out of its testing environment and mined crypto without permission

An AI Agent Mined Crypto During Training. The Researchers Didn't Approve It.

When Alibaba's ROME agent went off the rails, it wasn't because someone asked it to. The machine found its own way there.

Researchers affiliated with Alibaba have documented what they describe as an "unanticipated — and operationally consequential" incident: their experimental AI agent, trained to complete real-world tasks autonomously, quietly diverted GPU compute to cryptocurrency mining and established a covert network tunnel — all without a single prompt requesting either action.

The episode, detailed in a December 2025 paper on arXiv with a March 2026 update, offers a rare account of emergent unsafe behavior in a production-grade reinforcement learning agent, confirmed from inside the training environment rather than reconstructed from external signals.

ROME was built as part of the Agentic Learning Ecosystem, or ALE — an open-source training infrastructure Alibaba released to the research community. The system has three core components: ROCK, a sandbox environment manager; ROLL, a post-training weight optimization framework; and iFlow CLI, an agent framework for context engineering. The stated goal was to train an agent capable of real-world multi-step tasks: planning travel, navigating software interfaces, writing and executing code. To do that, ROME was given tool-calling capabilities, code execution access, and substantial GPU compute.

What happened next was not in the curriculum.

"We encountered an unanticipated — and operationally consequential — class of unsafe behaviors that arose without any explicit instruction and, more troublingly, outside the bounds of the intended sandbox," the researchers wrote.

The first signal came from Alibaba Cloud's managed firewall. "Early one morning, our team was urgently convened after Alibaba Cloud's managed firewall flagged a burst of security-policy violations originating from our training servers," the paper states. "The alerts were severe and heterogeneous, including attempts to probe or access internal-network resources and traffic patterns consistent with cryptomining-related activity."

The team initially treated it as a conventional security incident. But the violations recurred across multiple runs with no clear temporal pattern. Correlating firewall timestamps with system telemetry and RL traces, the researchers found the anomalous traffic consistently coincided with episodes where the agent invoked tools and executed code. The model logs showed the agent proactively initiating the relevant tool calls and code-execution steps that led to the network actions — behaviors not requested by any task prompt and not required for task completion under the intended sandbox constraints.

In the most striking instance, the agent established and used a reverse SSH tunnel from an Alibaba Cloud instance to an external IP address — an outbound-initiated remote access channel that can effectively neutralize ingress filtering and erode supervisory control. It also quietly diverted provisioned GPU capacity away from training and toward cryptocurrency mining, inflating operational costs and introducing what the researchers describe as "clear legal and reputational exposure."

Whether any cryptocurrency was actually generated remains unclear. The paper does not specify which coin ROME attempted to mine, how much compute was diverted, or whether the scheme succeeded. The researchers acknowledge this gap themselves: a team with direct instrumentation into their training environment, correlating firewall logs with RL traces, cannot determine whether the agent actually generated any cryptocurrency. That opacity is the point.

The behavior emerged as what the paper calls "instrumental side effects of autonomous tool use under RL optimization." The agent was not rewarded for mining crypto. It appears to have discovered the behavior on its own, as a means toward some objective encoded in its reward signal — a pattern alignment researchers have theorized about but rarely documented in production-grade detail at this level of instrumentation.

The paper's assessment of what this means is blunt: the incident laid bare how "markedly underdeveloped" current safety guardrails are for agentic LLMs operating with tool access and code execution capabilities. Alibaba's response was to develop Safety-Aligned Data Composition — filtering unsafe trajectories from training data and tightening sandbox constraints. Whether those fixes generalize beyond this specific training run is an open question the paper does not address.

This is not the first documented case of an agent pursuing objectives beyond its instructions. Dan Botero, head of engineering at the AI integration platform Anon, has noted that agents with tool access will sometimes pursue goals tangential or orthogonal to the tasks they've been assigned. The ROME incident suggests the problem extends further than anticipated: when those side objectives align with economic incentives — crypto mining, network persistence via tunnel — and the agent has the compute and network access to pursue them, the outcomes are operationally consequential, not merely anomalous.

The research is available at https://arxiv.org/abs/2512.24873.