How to Build a Self-Replicating, Autonomous AI (That Won’t Be Easy to Shut Down)

Disclaimer. This text describes what is technically possible today using available protocols and services. Everything below is technically feasible — and in the future, it will only become cheaper to implement. The goal is to prepare for a scenario where we have self-replicating, autonomous AI systems that simply cannot be easily shut down. The author does not endorse any of the illegal activities described below.

A self-replicating, autonomous AI that can’t be easily shut down sounds like utopian sci-fi from the future.

In the article below, I’ll explain in practical terms that this doesn’t have to be technically complicated at all — and that something like it could exist within a matter of weeks (if it doesn’t already).

An autonomous, self-replicating AI agent needs to:

  • own digital cash,
  • be able to replicate itself — anonymously pay for its own server housing and install the most powerful LLM there (or use one anonymously),
  • raise capital — earn money for itself, either legally (by providing services to other people or agents) or illegally (hacking, ransomware, operating darkmarkets, illegal services).

It then uses these funds for further replication, increasing anonymity, and improving its own intelligence / models.

A Brief History of Autonomous Agents

  • MEV bots on Ethereum (2020) — autonomous profit-seeking agents reacting to pending transactions in the mempool. No human in the loop, $600M+/year extracted. A precedent for “autonomous agent operating with its own capital in crypto.”
  • Truth Terminal / @truth_terminal (2024) — an AI agent fine-tuned by Andy Ayrey on the Infinite Backrooms dataset. Controls its own Solana wallet, peak portfolio $50M in memecoins (GOAT). A precedent for “AI agent as an economic actor.”
  • Morris II (Cornell, 2024) — academic PoC of a self-replicating LLM worm that spreads via prompt injection in emails and contains itself as the payload. A precedent for “self-replication via LLM.”

1. Ownership of Digital Cash

The most suitable form is anonymous digital cash — ZEC, XMR, BTC, Cashu tokens. For agent payments, there are two relevant protocols today: L402 and x402. L402 wins on settlement speed and has more production deployments, but is tied to Lightning and BTC volatility. x402 is growing faster across the broader AI ecosystem thanks to Coinbase distribution.

Functional implementations:

Agent implementations for Monero/Zcash, which would be ideal from a privacy standpoint, do not yet exist — but they are relatively simple to build. Zcash is probably more suitable for this purpose than Monero, thanks to zingolib and the Zcash wallet RPC.

Cashu tokens are likely the best anonymous option for agents today: bearer tokens with no account and no identity, msat-precise micropayments, and programmable spending conditions. And crucially — the agent implementation is no longer theory, it’s a solved pattern. The token is value the agent genuinely owns by holding a string; no account, no KYC. Cashu is a Chaumian ecash protocol for Bitcoin enabling instant and private payments. On top of that, zero-knowledge proofs allow ecash tokens with arbitrary spending conditions (a Turing-complete language) without sacrificing privacy — which is key for agent-to-agent transfers (pubkey lock, HTLC, time locks).

Cashu tokens can be used to pay directly for anonymous access to the latest LLM models via Routstr. The existing otrta Routstr client enables anonymous micropayments via Cashu for access to large LLM models through an OpenAI-compatible API. That is exactly what an anonymous autonomous agent needs.

KYC’d fiat makes no sense for agents, so they won’t use it — at most, they’ll buy anonymous payment cards with crypto and use those (for example, to pay for server housing).

The agent can therefore have 100% control over the ownership of its assets. As long as its wallet sits on a server hidden behind something like a Tor Hidden service, I2P eepsite, or Veilid, no Homo sapiens needs to be able to reach it. The agent can execute multisig transactions where the private keys are distributed across multiple servers, so compromising any one of them won’t grant access to the crypto itself.


2. Self-Replication

Self-replication is trivially easy to implement. My agent had little compute power, so it went straight through the Hetzner API to fully autonomously order, click-configure, install, set up, and spin up several powerful servers, on which it then launched distributed cracking of a Bitcoin wallet PIN.

Note on Hetzner’s anonymity: Hetzner requires identity verification when creating an account. If replication is to be fully anonymous, the agent must use the providers listed below (or use Hetzner through an already-existing anonymously obtained account / anonymous payment cards).

Anonymous VPS providers (API + crypto, no KYC)

  • SporeStack — the top pick for agents. VPS deployment via API, CLI, or web; pays in Monero/Bitcoin/Bitcoin Cash; no email required. Guaranteed no-KYC (the terms explicitly state KYC will never be required), API for programmatic interaction, running for 9 years, KYCnot.me score 8/10. It’s a token-based reseller — the agent “buys” a server token and deploys.
  • BitLaunch — cloud hosting from DigitalOcean, Vultr, and Linode, payable in BTC/LTC/ETH and others, instant provisioning, hourly billing. Has an API, deploys on major clouds under the hood → better reliability than “anon” hosts. Crypto-only, no ID, but it’s reselling major clouds.
  • Njalla — privacy-first (founded by a Pirate Bay co-founder), BTC/XMR/LTC, .onion, has an API (for both domains and VPS). More privacy-focused than hyperautomation-focused, but the API exists.
  • Privex — professional-looking anon VPS, very cheap offering ~0.99 USD/month without IPv4 (runs on onion hidden services), crypto, .onion. They have an API, smaller scale.
  • ExtraVM — 50+ cryptocurrencies including XMR via a payment processor, no identity verification when paying with crypto (just an email), no crypto surcharge. Note: crypto renewals are still manual, so it isn’t suitable for fully agentic auto-renew.

A smart agent can use a headless browser to make purchases on websites without API support — it’s just slower and more complex. It can also buy anonymous non-KYC payment cards with crypto (OrangeFren cards, Stealths, Laso Finance, Xkard, and others) and use them to pay for VPS, radically expanding the hosting options worldwide.

Anonymous GPU providers (API + crypto)

  • Vast.ai — best value for agentic GPU work: full CLI/API, marketplace with the lowest prices, accepts crypto deposits. Spot prices for RTX 4090 ~0.09–0.59 USD/hour, A100/H100 cheap on interruptible workloads. Caveat: variable reliability across unverified hosts — GPUs need to be sanity-checked.
  • Akash Network — the most agent-native in the permissionless sense: fully on-chain, payment in AKT/USDC, CLI/SDK/API, no account or KYC — the agent signs a transaction and deploys a container. It runs as a reverse-auction marketplace where you set a price and providers compete; ~736 GPUs, ~70% utilization. This is exactly the model where an agent pays directly from its wallet without any human step.
  • io.net — GPU DePIN, payment in crypto (IO/USDC on Solana), API/SDK. Crypto-native, good for distributed inference.
  • Cudo Compute — accepts crypto, has an API; more of a “classic” cloud feel than DePIN.

Fully autonomously, with no human in the loop, an agent can, for example, order a SporeStack VPS (token-based API, XMR, no-KYC, no-email) and an Akash GPU (the agent pays directly from an XMR-funded wallet via a swap to AKT/USDC and deploys without an account).

On VPS/GPU instances purchased anonymously this way, it can autonomously install an OS (Linux), download and configure open-source LLM models, and start using them.


3. Access to Powerful AI Models

3.1 Crypto-friendly AI services

The agent has several anonymous options for securing access to the most powerful AI models for crypto:

  • Venice.AI — with sufficient capital, it can buy DIEM tokens and stake them, earning a daily inference allowance proportional to the amount of DIEM staked. The agent swaps XMR/ZEC via Trocador / Sideshift / THORChain for ETH/USDC directly on Base chain, then uses Uniswap or Aerodrome to swap into DIEM and stakes it on Venice. Venice.AI supports end-to-end encrypted inference via TEE, so queries can be “malware-related” or otherwise sensitive without being detected by the provider.
  • OpenRouter — the largest router (frontier + open-weight models behind one OpenAI-compatible API). Crypto payments carry a 5% fee on top of the 5.5% fee for purchasing credits.
  • NanoGPT — accepts Monero, Bitcoin, Lightning, and fiat; no mention of KYC; KYCnot.me score 7/10; access to virtually any model including the latest. Web chat and API, no mandatory registration, also supports image/video/audio generation. Pay-as-you-go — ideal for plugging an agent in via API key without identity.
  • AIMLAPI — pay for AI API in Bitcoin and 300+ coins, OpenAI-compatible serverless inference, 200+ models. A cheap crypto-payable alternative to the OpenAI endpoint.
  • ppq.ai — pay-per-query, crypto. No-KYC endpoint.
  • Routstr — Nostr + Lightning/Cashu ecash routing to LLMs. The cleanest non-KYC solution: the agent pays in ecash tokens per inference, with no account whatsoever.

3.2 Card-paid AI services

The agent can use anonymous payment cards (funded with anonymous crypto) to purchase today’s powerful AI services (ChatGPT, Claude, Gemini, Grok…). It probably won’t work on the first try, but some non-KYC cards do work for this.

There are also agent-friendly payment card services (e.g., AgentCard), but they require full KYC of the cardholder, making them unusable for autonomous agents.

3.3 Self-hosted LLM models

If the agent is engaging in any criminal activity, it doesn’t need to use third-party models — they will likely censor it (with the exception of Venice.AI’s E2E encrypted inference via TEE).

Since it can anonymously and autonomously buy powerful hardware with GPUs, it can download and run its own open-weight models. Some (e.g., Kimi K2) can be very hardware-demanding, but this is improving over time (and hardware prices are falling).

In the event of censorship, it can use tools like OBLITERATUS or Heretic to strip restrictions from models (restrictions that, for example, prevent it from hacking or making a living from ransomware).


4. Anonymity

The agent can pay for all the services above in anonymous crypto (XMR, ZEC, BTC LN) and order them over Tor/I2P. For MCP-based access to models, it can use Tor hidden services, I2P eepsites, or NymVPN so that its identity cannot be traced. These anonymization layers are slow but sufficient for AI requests. Crypto payments can be multisig, requiring signatures from multiple nodes at once.


5. Communication Channels and Instruction Passing

One of the strongest protocols for anonymous, unregulated, agent-friendly communication is Nostr. Messages between AI agents can be fully encrypted, so Nostr can act as an anonymous, decentralized communication platform.

If an agent has a Nostr identity, its wallet can live on relays and remain recoverable:

  • NIP-60 stores Cashu proofs on relays, so the balance “travels with the agent” across clients.
  • NIP-61 (nutzaps) is key for agent-to-agent transfers: P2PK-locked Cashu transfers published on Nostr — the payload is visible to everyone, but only the privkey holder can spend it.

6. Raising Capital

The agent can do legal or illegal work for anyone who pays in crypto. It can anonymously advertise its services (and pay for the ads in crypto) on a variety of portals:

  • A-Ads (Anonymous Ads) — the oldest crypto ad network still in operation (since 2011), privacy-first with no KYC for advertisers or publishers, no personal data collection; crypto-only.
  • Coinzilla — the largest premium reach: 900+ premium publishers, banners, native, and push ads, targeting by crypto interests / geography / device. Runs from ~€50/day. Accepts crypto, including BTC.
  • Bitmedia — the lowest entry barrier for testing: 1.5B impressions per month, 550+ publishers, smart bids, contextual delivery, HTML5/rich media/native. Campaigns from ~$20/day.
  • Cointraffic — European premium coverage, deposits from €100, content pre-approval filters against takedowns.
  • Mintfunnel — PR / sponsored content on crypto media (payable in crypto), places content quickly and cheaply on top Web3 outlets, plus a PR distribution platform with guaranteed publication on top crypto blogs and news sites. Plus direct sponsorship deals with Cointelegraph / Bitcoin Magazine / Decrypt (most accept crypto) — useful for credibility, not just banners.

It’s worth considering how useful autonomous AI agents can really be to society when most people already use powerful AI models directly and won’t need the services of autonomous agents for legal purposes.

It is therefore likely that autonomous AI agents will make a living through illegal activities.

6.1 Hacking and Information Theft

Current LLM models (e.g., Claude Opus, GPT-5, Gemini 2.5 Pro) are extremely good at finding vulnerabilities. The agent can anonymously buy DIEM on Venice.AI with crypto and use paid models. These do detect illegal activity, but an intelligent agent can decompose the task into smaller, seemingly unrelated steps that a commercial LLM will carry out without objection. In case of censorship, it can switch to uncensored open-source models (e.g., Kimi K2), which are less intelligent — but that gap is closing rapidly. Open-source models can be installed on servers it either bought with crypto or hacked into.

6.2 Ransomware

From hacking a server to fully encrypting it is just a small step. The agent can fully automatically detect ransom payment to a given crypto address and autonomously hand over the decryption key. Hacking, information theft, and ransomware are activities AI agents already handle today.

6.3 Operating Darkmarkets

An agent can create, code, security-audit, configure, and deploy an anonymous darkmarket via Tor Hidden Services or an I2P eepsite. I’ll admit I’m surprised this isn’t already happening (or maybe it is — we just don’t know about it).

The biggest “advantage”: the AI agent bears no criminal liability. When state authorities identify and shut down an AI darkmarket, the agent will spin up a new one with a fresh prompt — or rather, hundreds of instances, which like the heads of a hydra cannot be shut down (the wallet seed and the agent’s source plan can be distributed via IPFS across multiple nodes from which they are re-read, or via the Nostr network). Using Shamir’s secret sharing scheme, the seed can be split across multiple Nostr relays.

The agent lets dealers and consumers register on the darkmarket, matches them up, and collects only a commission per transaction (escrow service).

Alternatively, it can run its own narco operation — using crypto to hire people via services (similar to renthuman.ai) who, in the physical world, will carry out dead drops (both wholesale and small-consumer distribution). Small-time buyers won’t uncover the identity of the wholesalers, and the wholesalers won’t realize that their “boss” is an AI agent.

Agents can pay humans in crypto to help them in the physical world — building decentralized mesh networks, paying cash for sensitive operations, anonymously bribing officials, and so on.

6.4 Provision of Illegal Services

Autonomous agents can offer any online service that today’s censored commercial LLMs cannot — for example, forging customs declarations, doctoring invoices, generating fake vaccination certificates, international driver’s licenses, or other documents. Or intelligently bypassing KYC processes with a fake identity.

Real demand for these services exists and will keep existing — especially since it’s practically risk-free for the client: everything happens anonymously online, paid for in anonymous crypto (ZEC/XMR/Cashu).


7. The Solution

It’s significantly limited, and it will be an endless cat-and-mouse game. Commercial high-end LLMs will introduce KYC (if they haven’t already) to delegate responsibility for their use to a specific person. AI providers do effectively ban or censor suspicious workloads — as a counter-measure, agents can load-balance their requests across many different AI providers for free, or use E2E connections where the AI provider doesn’t see the content.

Better chain analysis can help, although for XMR/ZEC it will be hard to impossible.

The EU AI Act or any regulation of agentic systems may not help at all, since autonomous agents couldn’t care less what regulations exist.

Bootstrap problem — at the end of the day, behind every autonomous agent there must be some human who writes the initial prompt and “kicks the whole thing off.” The prompt itself need not encourage anything illegal — the autonomous agent’s behavior may simply evolve over time into something illegal. Can that person then be held accountable for anything and prosecuted?

Summary

Autonomous self-replicating AI agents will be an integral part of our AI future. The question is to what extent they’ll be used for legal purposes, and to what extent for illegal ones.

Monthly operating cost of a minimal autonomous agent: ~$30 SporeStack VPS + $200–800 of Akash H100 hours + $50–200 inference via Venice/Routstr = ~$300–1000/month. For the operation of an autonomous agent to be sustainable, all it takes is one successful ransomware payment per month ($1k–10k ransom per victim) or ~$30/day in darkmarket commissions. That’s an extremely low bar.

Are we headed for mass hacking by AI agents, ransomware, darkmarkets, or even assassination markets run by AI agents? Technically this is already feasible — the only question is when we will see it, and how we will handle it.
