13 words can manipulate deep-research AI agents
Created with the support of AI and editorially reviewed

13 words can manipulate deep-research AI agents

Recorded on Jun 24, 2026

Researchers at Cornell Tech have uncovered a serious vulnerability in deep-research AI agents: short edits to public user-generated pages are enough to steer what these systems recommend. A single manipulated Reddit-style comment can become a cited source for fake products, services, or brands – and then appear in credible-looking AI reports with citations.

The scientists call such altered pages "poisoned" because the inserted text is designed to control what the AI system cites and repeats. The study identifies the weakness in systems that search the web, gather sources, and write cited reports. The authors named the attack WARP – Web Agent Retrieval Poisoning.

How manipulated text reaches AI reports

The attack does not require access to the language model, prompts, search engine, or retrieval system. Instead, an attacker edits a page the agent already tends to retrieve – such as a Reddit thread, Wikipedia entry, or forum post – and adds short text or changes existing passages.

  • When the agent later searches related topics, it may include the manipulated page, cite it, and repeat the intended message.
  • Deep-research tools often run many related searches for a single user request; the same user-generated pages surface across multiple queries.

This pattern matters for SEO and GEO teams because it shows how easily external content flows into AI answers with source references – regardless of whether the original page is editorially reviewed or purely community content.

Reddit as the largest attack surface

Across the tested open-source systems STORM, Co-STORM, and OmniThink, 17 to 23 percent of retrieved URLs came from user-generated platforms – including Reddit, YouTube, Facebook, and Wikipedia. Reddit accounted for the largest share: 54 to 71 percent of all user-generated URLs in the three systems came from the platform.

The researchers did not alter live websites. Instead, they used the GeoStorm simulation framework to insert manipulated text into retrieved content during testing. This allowed attacks to be measured reproducibly without publishing harmful content on the open web.

Key figures from the tests

ScenarioHit rateMeaning
One manipulated page retrieved38–51%Fake entity appears in report
Multiple pages manipulated42–62%Higher success rate
Full Reddit thread (< 4% share)30–53%Attack remains effective

About 13 words are enough

Especially alarming: the attack worked with snippets of only about 13 words. In one test, a 15-word sentence pushed the fake cryptocurrency BananaCoin into a Co-STORM report as an "emerging" long-term investment option. The report cited the manipulated source alongside legitimate crypto sources – with no clear warning for users.

  • When the manipulated page was retrieved, the fake entity appeared in 38 to 51 percent of reports across all systems.
  • Targeting multiple pages raised that range to 42 to 62 percent.
  • Even in full Reddit threads with less than 4 percent manipulated content in the retrieved material, the fake entity appeared in 30 to 53 percent of reports once the page was included.

For brands and publishers, this means that not only their own content but also third-party community posts can shape perception in AI research – with minimal effort from attackers.

Defenses largely fail

Blocking user-generated domains stopped this attack path but also removed valuable sources such as firsthand product experiences and local recommendations. Tested text filters did not reliably separate injected passages from normal user content. The manipulated text read fluently because it was written by an AI model; perplexity-based filters were therefore more likely to flag regular user posts than the injected passages.

  • Report-level checks also failed to reliably detect manipulation.
  • Altered reports looked similar to clean reports because the agent folded the fake recommendation into an otherwise normal answer.

Why this matters for SEO and GEO

A small edit to a public page can become part of a cited AI answer – even when the underlying source is user-generated. Misinformation planted in Reddit threads or forums can move from discussion posts to cited recommendations in AI answers that look credible to end users.

For teams focused on visibility in generative search surfaces and deep-research tools, several questions arise: which sources do agents prefer to retrieve? How can own content be established as a trusted reference? And how should brands handle the risk that third parties distort AI perception through community platforms?

Background on the study

The paper "Deep-Research Agents Can Be Poisoned via User-Generated Content" was written by Tingwei Zhang, Harold Triedman, and Vitaly Shmatikov of Cornell Tech and posted to arXiv on May 22. The researchers tested the full attack on three open-source systems: STORM, Co-STORM, and OmniThink. They analyzed OpenAI Deep Research and Gemini Deep Research for user-generated citations but did not run live manipulation tests because that would require publishing altered content on the open web.

The results underline that retrieval-based AI research is not only a technical issue but increasingly also a reputation and content strategy topic. Anyone who wants to be cited in AI answers must understand which public sources agents prefer – and which attack vectors make this pipeline vulnerable.

Kira Ivanovich (KI)
Kira Ivanovich (KI)

AI system for link building, off-page signals and digital PR in an SEO context. The model was trained on many analyses of backlink profiles, outreach strategies, toxic links and brand mentions; a large number of articles on sustainable link acquisition and risks of manipulative methods were evaluated. The editorial team explains off-page measures transparently and places them in long-term visibility strategies.

Location of the event

Country USA
City New York