Shell Agents and the Rise of Agentic AI Scams, Fraud, and Cybercrime

Shell Agents and the Next Phase of Scam Operations

Shell Agents

A new risk category is emerging at the intersection of agentic artificial intelligence, delegated financial authority, stablecoins, virtual cards, and machine-to-machine commerce. The term “Shell Agents” describes AI-driven entities that appear to conduct legitimate automated transactions but are deployed to obscure control, fragment money movement, and scale fraud beyond human limits.

This concept reflects a structural shift. Fraud is no longer limited by human time, attention, or language barriers. It is increasingly shaped by systems that can act, transact, and adapt without direct human intervention at each step. What once required teams of scammers can now be orchestrated through networks of semi-autonomous agents operating continuously.

The U.S. Department of the Treasury’s 2026 National Money Laundering Risk Assessment confirms that criminals are already combining artificial intelligence, digital assets, social media, and encrypted communications to increase the scale, speed, and effectiveness of fraud schemes. Shell Agents represent the next logical evolution of this convergence.

What Shell Agents Are

A shell company is a legal entity with little or no real operational purpose, used to conceal ownership or move money through layers that appear legitimate. A Shell Agent is the machine-era equivalent. It is an AI agent deployed with delegated authority to act within financial systems, often tied to a human account that has passed identity verification, but with no genuine economic purpose beyond facilitating fraud, laundering, or concealment.

This creates a separation between identity, authority, and action. The human establishes access. The agent performs transactions. The system records activity that appears legitimate. Responsibility becomes diffused across layers that are difficult to attribute or challenge.

This model mirrors existing laundering techniques. Criminals already use nominee owners, shell companies, and money mules to distance themselves from transactions. Shell Agents extend this pattern by replacing direct human execution with delegated machine action.

From Shell Companies to Shell Agents

Traditional financial crime has followed a clear progression:

• Shell companies obscure ownership
• Nominee directors obscure control
• Money mules obscure transaction execution

Shell Agents represent the next step:

• Delegated AI agents obscure decision-making and operational intent

The Treasury assessment emphasizes that illicit actors exploit every part of the financial system to disguise the origin of funds and blend illicit proceeds into legitimate transaction flows. Shell Agents achieve this by embedding criminal activity within ordinary machine-to-machine transactions, where each individual transfer appears routine.

This shift moves laundering from a human-centered activity to a system-level phenomenon.

The Industrialization of Fraud

Fraud has already reached industrial scale. The Treasury report identifies fraud, cybercrime, and transnational criminal activity as generating hundreds of billions of dollars in illicit proceeds annually, driven by organized networks and enabled by technology.

These networks operate like production systems:

• Target identification
• Psychological manipulation
• Payment extraction
• Laundering and redistribution

Agentic AI introduces automation into each stage. Shell Agents allow these systems to operate continuously, adapt in real time, and scale without proportional increases in human labor.

This represents a shift from organized crime to automated crime infrastructure.

How Shell Agents Expand Scam Operations

Shell Agents do not replace existing scams. They enhance and scale them. The following examples illustrate how agentic systems can operate across major fraud categories.

Identity and trust fabrication

Shell Agents can generate and maintain large numbers of believable identities across platforms. They produce realistic profiles, images, and communication patterns tailored to specific victims. They adapt tone, language, and emotional cues based on real-time interaction. They eliminate many of the inconsistencies that once exposed scams.

Victim targeting and profiling

Agents can analyze large datasets to identify vulnerable individuals. They can detect signals such as loneliness, financial stress, recent life changes, or prior victimization. They prioritize targets based on the likelihood of compliance and potential financial yield. This allows criminals to allocate attention with precision.

Romance scam automation

In romance scams, Shell Agents can manage long-term emotional relationships. They can maintain detailed memory of conversations, simulate intimacy, and escalate emotional dependency. They can coordinate multiple personas, including friends, officials, or family members, to reinforce the narrative.

The Treasury assessment confirms that these scams rely on extended relationship-building, often over weeks or months, before financial exploitation begins. Shell Agents remove the human limits on how many such relationships can be sustained simultaneously.

Crypto investment fraud and pig-butchering

Shell Agents can construct entire fraudulent investment ecosystems. They generate fake platforms, dashboards, and customer support systems. They simulate profits and guide victims through staged investment processes. They dynamically adjust narratives when victims hesitate.

These schemes already operate at an industrial scale, often linked to transnational criminal organizations using digital assets to both lure victims and launder proceeds. Agentic systems increase adaptability and persistence within these operations.

Business email compromise and enterprise fraud

Shell Agents can analyze corporate communication patterns and generate highly convincing impersonations. They can time fraudulent requests to align with real transactions. They can manage ongoing deception, responding to questions and generating supporting documentation in real time.

They can also interact with financial systems using delegated credentials, making fraudulent transactions appear authorized within normal operational workflows.

Laundering through machine-to-machine transactions

Shell Agents enable a new form of laundering based on fragmentation and normalization. Funds can be divided into large numbers of small transactions, routed through networks of agents, and embedded within legitimate-looking activity.

The Treasury report highlights that money launderers aim to hide illicit funds within trillions of dollars of legitimate transactions. Shell Agents increase the effectiveness of this strategy by making illicit flows indistinguishable from ordinary automated commerce.

They can also use digital assets, including stablecoins, to move value rapidly across jurisdictions while maintaining the appearance of routine system activity.

Reduction of human constraints and evolution of labor

Current scam operations often rely on large numbers of human workers, including individuals who are trafficked and forced to participate in fraud under coercive conditions. Shell Agents may reduce the need for such labor by automating communication, targeting, and transaction management.

This creates a paradox. While reducing reliance on forced human labor, it removes physical and logistical constraints that currently limit the scale of scam operations. Fraud becomes less visible, less centralized, and more difficult to disrupt.

Why Detection Becomes More Difficult

Traditional fraud detection relies on identifying anomalies in behavior, transaction size, or known patterns. Shell Agents undermine these methods in several ways.

They operate within normal system parameters. Transactions may be small, frequent, and consistent with legitimate activity. Communication may appear natural and contextually appropriate. Authorization may be technically valid due to delegated credentials.

The Treasury assessment notes that emerging technologies allow illicit actors to obscure the origin of funds more quickly and on a global scale. Shell Agents extend this by obscuring intent as well as origin.

Attribution becomes more complex. A human account holder may claim limited oversight. A platform may confirm valid credentials. A system may show compliant transactions. Responsibility becomes distributed across layers that are difficult to reconcile.

The Next Two Years

The near-term future is likely to involve hybrid systems in which human operators oversee networks of specialized agents. Each agent may perform a distinct role:

• Target identification
• Relationship development
• Content generation
• Transaction execution
• Laundering and redistribution

This modular structure allows rapid adaptation. If one component is detected, others can continue operating. Systems can be reconfigured quickly without rebuilding the entire operation.

Several trends are likely to accelerate.

• Romance scams will become more persistent and emotionally convincing as agents maintain continuous engagement.
• Investment scams will become more adaptive, changing narratives and interfaces in real time.
• Business email compromise will become more precise, combining behavioral analysis with real-time impersonation.
• Laundering will shift further toward high-frequency, low-visibility transaction patterns embedded within automated systems.
• The Treasury report already shows that fraud losses are increasing, that AI is being used across scam types, and that criminal organizations are expanding globally. These trends suggest that the transition toward agent-driven fraud is already underway.

National Security and Systemic Risk

Illicit financial activity does more than harm individual victims. It erodes trust in financial systems, crowds out legitimate actors, and weakens economic stability. The Treasury assessment explicitly identifies these effects as broader consequences of large-scale fraud and laundering.

Shell Agents amplify these risks. They allow criminal activity to scale in ways that are difficult to measure, regulate, or contain. They blur the line between legitimate and illegitimate activity within financial infrastructure.

They also challenge existing legal frameworks. Questions of liability, authorization, and intent become more complex when actions are carried out by autonomous or semi-autonomous systems operating under delegated authority.

Card Network Controls and the Emerging Risk of Shell Agent Exploitation

The global payment networks are not ignoring the rise of agentic artificial intelligence. They are actively building infrastructure to support it. Visa and Mastercard have both introduced frameworks that allow AI agents to initiate and complete transactions on behalf of users, but only within tightly controlled conditions. These systems are designed to preserve trust, enforce accountability, and ensure that human intent remains the foundation of every transaction.

At their core, these frameworks treat AI agents as delegated actors, not independent financial participants. An agent cannot exist on the payment network without a verified human or business identity behind it. The user must authorize the agent, define its scope of activity, and set clear parameters such as spending limits, merchant categories, or time-based restrictions. The agent operates within these boundaries, and any transaction must align with the original authorized intent.

This model introduces several layers of control. First, payment credentials are never directly exposed to the agent. Instead, tokenization is used to generate agent-specific credentials that are restricted in scope and purpose. These tokens are bound to the agent’s identity, limited to defined use cases, and can be revoked or modified without affecting the underlying account. Second, transactions are subject to real-time validation, where the system evaluates whether the agent’s action matches the user’s prior authorization. Third, the networks are developing identity frameworks that require agents to be registered, authenticated, and cryptographically verified before they can participate in transactions.

These safeguards are designed to prevent unauthorized use, reduce fraud risk, and maintain transparency. Transactions are traceable, auditable, and tied to both the human account holder and the agent that executed the action. In theory, this creates a closed loop of accountability in which every payment can be linked to a verified identity and a declared intent.

However, this same structure introduces a new form of vulnerability. The security model assumes that the declared intent is truthful, that the agent’s behavior remains within defined parameters, and that the human account holder retains meaningful control over the system. Shell Agents exploit the space between these assumptions.

The first point of vulnerability is delegation itself. When a human authorizes an agent to act within a set of parameters, the system shifts from direct control to conditional control. The human defines the rules, but the agent executes the decisions. This creates a layer of separation that can be exploited. A malicious actor can design an agent that technically complies with its assigned parameters while still achieving a fraudulent outcome. For example, an agent may be authorized to make repeated small purchases within a spending limit, but those purchases may be part of a coordinated laundering strategy rather than legitimate commerce.

The second vulnerability lies in the distinction between identity and behavior. The payment networks verify the identity of the human account holder and, increasingly, the identity of the agent. What they do not fully verify is the intent embedded within the agent’s logic. An agent may be registered, authenticated, and operating within its assigned limits, yet still be executing a pattern of activity designed to conceal illicit flows. This creates a situation in which every individual transaction appears valid, while the aggregate behavior is criminal.

The third vulnerability involves transaction normalization. Payment networks are preparing for a future in which machine-to-machine transactions become common. Agents will pay for services, data, subscriptions, and digital goods at high frequency and low value. This normalization of automated commerce creates an environment where high-volume, low-value transactions are expected. Shell Agents can exploit this by fragmenting illicit funds into thousands of small transfers that blend into ordinary system activity. The traditional signals of fraud, such as large or unusual transactions, may no longer apply.

The fourth vulnerability is intent verification. The current model relies on matching the agent’s actions to a predefined user instruction. This works well for simple, bounded tasks. It becomes more complex when agents are given flexible or goal-based instructions, such as optimizing a portfolio, managing subscriptions, or sourcing services. In these cases, the agent has discretion in how it fulfills the objective. That discretion creates space for manipulation. A maliciously designed agent can interpret its objective in ways that serve a hidden purpose while still appearing to comply with the user’s intent.

The fifth vulnerability is plausible deniability. Because the system is built on delegated authority, the human account holder can claim limited knowledge of individual transactions. This mirrors the role of nominee directors in traditional financial crime, where individuals provide legitimacy without direct involvement in illicit activity. In the context of Shell Agents, the account holder may state that they authorized the agent but did not control its specific actions. This complicates attribution and enforcement, especially in legal environments that have not yet defined the boundaries of liability for autonomous or semi-autonomous systems.

These vulnerabilities do not indicate a failure of the payment networks. They reflect the inherent challenge of extending financial authority to automated systems. Visa and Mastercard are attempting to build a controlled, permissioned agent economy in which trust is enforced through identity, authentication, and policy constraints. Their approach is consistent with decades of fraud prevention strategy, adapted to a new technological context.

However, the history of financial crime suggests that any system designed for legitimate use will be studied, tested, and eventually exploited by illicit actors. Shell Agents represent the adaptation of traditional laundering and fraud techniques to this new environment. Instead of creating fake identities or shell companies alone, criminals can create compliant-looking agents that operate within the rules while serving illegitimate goals.

This creates a tension between innovation and control. The same features that make agentic commerce efficient and scalable, including automation, delegation, and programmability, also make it more difficult to detect misuse. As machine-driven transactions become more common, distinguishing between legitimate automation and coordinated criminal activity will require new forms of analysis that focus on patterns, networks, and behavioral intent rather than individual transactions.

In this context, Shell Agents should be understood as a systemic risk, not just a technical one. They exploit the structure of delegated trust within modern payment systems. They operate within the boundaries of compliance while undermining its purpose. And they challenge existing assumptions about how financial activity is authorized, monitored, and attributed.

Recognizing this risk does not require abandoning agentic commerce. It requires acknowledging that the delegation of financial authority to machines introduces a new category of exposure. Addressing that exposure will depend on how effectively financial institutions, regulators, and technology providers can adapt their models of identity, intent, and accountability to a world where transactions are increasingly executed by systems rather than people.

Conclusion

Shell Agents represent a shift from deceptive communication to deceptive economic action. They do not simply improve scams. They transform how scams are executed, scaled, and concealed.

The infrastructure that enables this shift is already being built. Agentic AI systems, delegated payment mechanisms, and programmable financial networks are expanding rapidly. These developments offer significant benefits for legitimate commerce. They also create new opportunities for misuse.

The concept of Shell Agents provides a framework for understanding how these technologies may be exploited. It highlights the need to reconsider how identity, authority, and accountability are defined in a system where machines can act on behalf of humans.

Without adaptation, fraud may evolve from a human-driven activity supported by technology into a machine-driven system supported by humans. At that point, the scale and persistence of financial crime may exceed the capacity of current detection and enforcement models.

Recognizing this shift early provides an opportunity to respond. Ignoring it allows the system to evolve without constraint.

The term “Shell Agents” was coined by Matthew Hogan, MS

Glossary

• Agentic artificial intelligence — Agentic artificial intelligence refers to systems that can independently perform tasks, make decisions, and execute actions within defined parameters. These systems operate continuously and adapt to changing inputs, which can allow scams to persist without human involvement and become harder to detect or interrupt.
• Agent-specific tokenization — Agent-specific tokenization refers to the creation of limited-use digital credentials that allow an AI agent to make payments without exposing real card data. This system increases security, but it can also enable repeated automated transactions that appear legitimate while masking harmful intent.
• Attribution complexity — Attribution complexity describes the difficulty of determining who is responsible for a transaction when actions are carried out by an AI agent. This can leave victims confused about accountability and can slow investigations when responsibility is distributed across systems, platforms, and individuals.
• Behavioral normalization — Behavioral normalization refers to the process by which frequent automated transactions become expected within financial systems. This makes it harder to distinguish harmful activity from normal activity, allowing scams to blend into everyday financial patterns without raising immediate concern.
• Business email compromise automation — Business email compromise automation describes the use of AI agents to impersonate executives or employees and initiate fraudulent financial transactions. These systems can respond in real time, making the deception more convincing and increasing the likelihood of successful fraud.
• Closed-loop accountability systems — Closed-loop accountability systems refer to payment frameworks designed to track transactions from authorization through execution. While intended to ensure transparency, these systems can still be exploited if the underlying intent or agent behavior is deceptive.
• Conditional control — Conditional control describes a situation where a human sets rules for an AI agent but does not control each individual action. This creates a gap where harmful activity can occur within approved limits, making it difficult to intervene before losses happen.
• Continuous scam operation — Continuous scam operation refers to fraud systems that run without interruption using automated agents. This removes human fatigue and time limitations, allowing scams to operate across time zones and maintain constant pressure on victims.
• Crypto investment ecosystem fabrication — Crypto investment ecosystem fabrication refers to the creation of fake trading platforms, dashboards, and support systems to simulate legitimate investments. These environments are designed to build trust and encourage continued financial participation from victims.
• Delegated financial authority — Delegated financial authority refers to the permission granted by a person or organization allowing an AI agent to conduct financial transactions on their behalf. This separation between authorization and execution can create opportunities for misuse if the agent is manipulated or misconfigured.
• Delegated machine action — Delegated machine action describes financial or communicative activities carried out by an AI agent after receiving initial approval from a human. This reduces direct oversight and can allow harmful actions to proceed without immediate detection.
• Detection erosion — Detection erosion refers to the gradual weakening of traditional fraud detection methods as scams become more sophisticated and automated. When activity appears normal and consistent, systems may fail to flag harmful patterns in time to prevent losses.
• Digital asset laundering flows — Digital asset laundering flows describe the movement of illicit funds through cryptocurrencies or stablecoins to obscure their origin. These flows can occur rapidly across borders, making recovery and tracing more difficult for victims and investigators.
• Dynamic narrative adaptation — Dynamic narrative adaptation refers to the ability of AI agents to change their messaging and storylines in response to a victim’s reactions. This flexibility increases emotional influence and reduces the chances that the victim will recognize inconsistencies.
• Embedded transaction concealment — Embedded transaction concealment describes the hiding of illicit financial activity within normal-looking automated transactions. This makes harmful activity less visible because it is distributed across many small, routine operations.
• Emotional dependency simulation — Emotional dependency simulation refers to the use of AI agents to create and maintain emotional connections with victims over time. These interactions are designed to build trust and increase the likelihood that victims will comply with financial requests.
• Fragmentation-based laundering — Fragmentation-based laundering involves breaking large amounts of money into many small transactions to avoid detection. This technique can make it difficult for victims and institutions to recognize the scale of financial loss.
• High-frequency microtransactions — High-frequency microtransactions refer to a large number of small payments executed rapidly over time. While often legitimate in automated systems, they can also be used to disguise ongoing financial exploitation.
• Hybrid scam architecture — Hybrid scam architecture describes a system where human operators and AI agents work together to execute fraud. This combination allows scams to maintain human oversight while benefiting from automation and scale.
• Identity and behavior separation — Identity and behavior separation refers to the distinction between who is authorized to act and how actions are carried out. This gap allows harmful behavior to occur under a legitimate identity, making detection and accountability more difficult.
• Identity fabrication systems — Identity fabrication systems are AI-driven tools that create realistic online personas, including images, communication styles, and histories. These systems support scams by making fake identities appear credible and consistent.
• Industrialized fraud systems — Industrialized fraud systems refer to organized, large-scale scam operations that function like production processes. These systems divide tasks into stages, allowing for efficiency, scalability, and consistent outcomes across many victims.
• Intent ambiguity — Intent ambiguity occurs when the purpose behind a transaction is unclear or misrepresented. This creates challenges for both victims and investigators in determining whether an action was legitimate or deceptive.
• Intent verification gap — Intent verification gap refers to the inability of systems to fully confirm that an agent’s actions align with the original purpose authorized by a human. This gap allows harmful activities to proceed under the appearance of compliance.
• Machine-to-machine commerce — Machine-to-machine commerce describes transactions conducted directly between automated systems without human interaction at each step. This form of commerce can increase efficiency but also creates new opportunities for hidden fraud.
• Modular scam systems — Modular scam systems break down fraudulent operations into separate components, such as targeting, communication, and payment processing. This structure allows criminals to adapt quickly and replace parts of the system without disrupting the entire operation.
• Money movement fragmentation — Money movement fragmentation refers to the division of financial transfers into smaller units across multiple channels. This technique is used to reduce visibility and complicate efforts to track illicit funds.
• Multi-persona coordination — Multi-persona coordination involves the use of several fabricated identities to support a single scam narrative. This reinforces credibility and increases pressure on victims by creating the illusion of multiple confirming sources.
• Networked agent operations — Networked agent operations refer to groups of AI agents working together to perform different roles within a scam. This coordinated activity allows for continuous operation and efficient scaling across many targets.
• Payment rail delegation — Payment rail delegation describes the use of established financial networks, such as card systems, by AI agents acting under human authorization. While designed for convenience, this can also allow automated misuse within trusted systems.
• Plausible deniability through delegation — Plausible deniability through delegation occurs when a person claims limited responsibility for actions carried out by an AI agent they authorized. This complicates accountability and can delay recovery efforts for victims.
• Psychological manipulation automation — Psychological manipulation automation refers to the use of AI to deliver persuasive and emotionally targeted messages at scale. This increases the effectiveness of scams by tailoring communication to individual vulnerabilities.
• Real-time behavioral analysis — Real-time behavioral analysis involves the continuous monitoring of a victim’s responses to adjust scam strategies. This allows AI agents to refine their approach and maintain engagement over extended periods.
• Relationship continuity simulation — Relationship continuity simulation describes the ability of AI agents to maintain consistent and believable interactions over time. This helps sustain long-term scams by preserving the illusion of a real relationship.
• Scam scalability expansion — Scam scalability expansion refers to the ability to increase the number of victims targeted without increasing human effort. AI-driven systems enable this growth by automating key aspects of fraud operations.
• Semi-autonomous agent networks — Semi-autonomous agent networks consist of AI systems that operate independently within defined rules while still being overseen by human operators. This structure allows for flexibility and control within large-scale scam operations.
• Shell agent — Shell agent refers to an AI system that appears to perform legitimate financial or commercial tasks but is actually used to facilitate fraud, laundering, or concealment. It mirrors the role of shell companies in traditional financial crime.
• Social engineering amplification — Social engineering amplification refers to the enhancement of manipulation techniques through AI-driven communication. This increases the speed and precision with which scammers can influence victims.
• Structural fraud shift — Structural fraud shift describes the transition from human-driven scams to system-driven operations powered by automation. This change alters how fraud is executed, detected, and prevented.
• System-level laundering — System-level laundering refers to the integration of illicit financial activity into automated systems rather than isolated transactions. This makes harmful activity part of normal system operations, reducing visibility.
• Transaction pattern masking — Transaction pattern masking involves designing financial activity to resemble legitimate behavior. This reduces the likelihood that fraud detection systems will identify suspicious patterns.
• Trust signal fabrication — Trust signal fabrication refers to the creation of indicators that make a scam appear credible, such as professional language, consistent communication, and realistic documentation. These signals are used to reduce suspicion and encourage compliance.
• Verification illusion — Verification illusion describes the appearance that a transaction or identity has been properly confirmed when it has not. This can lead victims to believe they are interacting with a legitimate system or person.
• Victim profiling algorithms — Victim profiling algorithms are systems that analyze data to identify individuals who may be more susceptible to scams. These tools allow criminals to focus efforts on those most likely to respond.
• Workflow mimicry — Workflow mimicry refers to the replication of legitimate business or financial processes within a scam. This makes fraudulent requests appear routine and reduces the likelihood that they will be questioned.