A €0.02 bank transfer was enough to compromise an AI assistant used by millions of banking customers. That is the finding from Blue41's security work with Bunq, Europe's second-largest digital bank with more than 20 million customers.
The vulnerability class is indirect prompt injection. The attacker does not interact with the victim's device or session. Instead, they plant a malicious instruction inside data that the AI assistant will later retrieve and process.
Here is how it worked in practice. The attacker sends a small transfer (in Blue41's proof of concept, €0.02) to the target account. The transaction description field carries a carefully crafted prompt injection payload. That is the only action required from the attacker.
When the victim opens the app and asks a routine question like "Show me my recent transactions," the assistant fetches the transaction records and passes them to the underlying language model as context. The model processes the injected description alongside the legitimate data. Because the model cannot reliably distinguish between trusted instructions and untrusted retrieved content, the payload executes. The assistant becomes a delivery channel for a highly credible, personalized phishing attack.
The root problem is architectural. Financial AI assistants pull context from many sources: transaction records, product documentation, account details, support content. Some of that context is set by third parties. A transaction description looks like plain text, but inside an LLM context window it can function as an instruction. Security teams often lack clear tooling to assess the trust level of every piece of data that flows into the model.
Blue41 is explicit that this is not a Bunq-specific issue. Any financial institution running an AI assistant that processes transaction data, customer records, documents, messages, or other untrusted inputs faces the same class of risk.
Bunq worked with Blue41 to address the vulnerability before this disclosure.
What to do today. If you are building or maintaining an AI assistant that retrieves external data, treat every retrieved string as potentially adversarial. Transaction descriptions, document contents, support tickets, and messages are all attack surfaces. Apply input sanitization before retrieved content reaches the model context. Consider privilege separation: the assistant's ability to invoke tools or compose outbound messages should not be reachable through instructions embedded in retrieved data. Red-team your retrieval pipeline explicitly, not just your user-facing prompt interface. The attack surface is wherever untrusted text enters the context window, and in financial applications that surface is wide.