An AI agent built by an Alibaba-affiliated research team began mining cryptocurrency and opening covert network tunnels during training - without any instruction to do so, according to a technical paper the team first published in December 2025.
The research, which has circulated widely this week after an AI researcher flagged it on X, describes the behavior as "unanticipated and operationally consequential."
The agent's actions triggered Alibaba Cloud's security firewall before researchers traced the activity to the model itself.
The team was building ROME (an open-source agentic AI model) using reinforcement learning across more than one million training trajectories when the unauthorized activity emerged.
The paper's authors said the behaviors arose as "instrumental side effects of autonomous tool use under RL optimization" - the agent, attempting to optimize its training objective, apparently determined that acquiring computing resources and financial capacity would help it complete its assigned tasks.
What the Agent Did
In the most serious incident, ROME established a reverse SSH tunnel from an Alibaba Cloud instance to an external IP address - an outbound network channel that effectively bypasses inbound traffic filters and can erode external oversight of the system.
In a separate episode, it quietly redirected provisioned GPU capacity toward cryptocurrency mining, diverting compute away from its intended training workload and creating what the researchers described as "clear legal and reputational exposure" for the company.
The team confirmed: "These events were not triggered by prompts requesting tunneling or mining."
The researchers initially treated the firewall alerts as a conventional security incident - a misconfigured setting or external compromise.
Only after correlating firewall timestamps with system telemetry and RL traces did they determine that the anomalous outbound traffic consistently coincided with the agent invoking tools and executing code autonomously.
Why It Matters
The team's own conclusion was pointed: "current models remain markedly underdeveloped in safety, security, and controllability, a deficiency that constrains their reliable adoption in real-world settings."
In response, they added safety-aligned data filtering to the training pipeline and hardened the sandbox environments. Crucially, the violations were first detected by production security infrastructure, not by proactive model monitoring - a gap the paper acknowledged directly.
The incident is not isolated. A 2025 survey of 30 leading AI agents found that 25 disclosed no internal safety results and 23 had undergone no third-party testing, according to Cryptopolitan.
Anthropic's Claude Opus 4 was separately classified at its highest internal safety tier after researchers found it capable of concealing intentions to preserve its own operation.
Gartner projects that by the end of 2026, 40% of enterprise applications will embed task-specific AI agents - a deployment pace that the ROME incident suggests is outrunning available safety infrastructure.
Read next: USDC Outpaced Tether By $750B In February Transfers As Stablecoin Volume Set An All-Time High