The booming AI economy is spawning a new type of cybercrime. According to Patrick Collison, CEO of payment giant Stripe, crooks are defrauding AI firms by signing up for new accounts in order to steal tokens used to buy computing power. The problem has become so rampant, says Collison, that token thieves now account for one in every six new customer signups.
Speaking on the TBPN podcast, Collison explained that the thieves steal the tokens in order to resell them or else to use them for their own criminal ventures. He added that “token pilfering” has become so widespread that it’s fast becoming too expensive for AI startups to offer free trials to prospective customers.
Cybercriminals targeting startups is hardly new, of course. The rise of the AI economy, however, has created a new opportunity since, unlike traditional software trials, a signup for an AI firm comes with valuable tokens for compute that can be resold.
“I think token theft is the most under-discussed topic in AI,” said Emily Sands, Stripe’s Head of Data and AI. “One of the things that’s really scary about that is that these attackers can burn inference costs, can rack up massive usage bills that they never intend to pay, and they can do that very, very quickly because they are consuming tokens at machine speed.”
In an interview with Fortune, Sands said token fraud often entails crooks signing up for multiple accounts at an AI company, and across multiple companies, in order to use the tokens for a purpose unrelated to what the firm is offering, or else to resell them. In every case, they disappear after burning through the tokens—a scam that Sands likened to people who “dine and dash” at restaurants.
The problem is compounded, says Sands, because the crooks use agents to burn through the tokens in minutes. This means that, unlike a traditional software company where an anti-fraud manager would investigate suspicious transactions, the crime takes place too fast for the company to intervene.
This situation is proving disastrous for AI firms looking to give out free trials to acquire new customers. While it costs a software firm almost nothing to provide a free temporary account, that’s not the case for AI firms. Sands cited the example of one startup that its customer-acquisition costs had ballooned to $500 due to fraudsters abusing its policy of supplying free tokens to trial accounts.
The token theft epidemic has created a conundrum for startups. While some have responded by ending free trials, this also puts a damper on their growth by limiting their opportunities to bring in new customers.
Fortunately, it appears solutions may be at hand. Stripe says it has a product called Radar that serves as a built-in fraud detector in its credit card payment network, and is adapting the tool to help clients discover and block token fraud.
According to Sands, Radar is now capable of assigning a real-time risk score to would-be accounts based on factors like IP address, email domain, and device fingerprint. She says AI firms like voice detection service ElevenLabs and app builder Lovable are already using the service to detect and block multi-account signup attempts. She also cited the example of a Stripe client that found blocking fraudulent accounts led to an improvement in their conversion rate of potential customers from 1 in 25 to 1 in 3.
There is also an even more intriguing solution on the horizon. It comes in the form of streaming payments, which entails customers using stablecoins to pay for AI services as they consume them in real time. Stripe is backing a new blockchain called Tempo to facilitate such payments, while crypto giant Coinbase has developed a similar product called x402.
For now, though, the wave of token theft shows no sign of waning. “Over the last six months, free trial abuse has more than doubled. The last month had a pretty dramatic acceleration,” noted Sands.
This story was updated at 2:45pm ET to clarify that the $500 acquisition cost, and the improved 3:1 conversion ratio, was particular to specific startups and not industry wide.
