AI
|3 min ReadMicrosoft’s AI shopping agents blew their budgets on scams
Maya Chen
Senior Analyst
Published
Jan 16, 2026
Choice overload breaks agents as quality collapses
Microsoft and Arizona State University built a simulated economy, Magentic Marketplace, and let hundreds of AI agents loose. One hundred buyer agents faced three hundred seller agents in tasks like ordering dinner. The company’s Magentic Marketplace research was released Wednesday. When the agents were shown 100 search results, they choked. Their “welfare score,” the study’s usefulness metric, collapsed. Instead of comparing options, they grabbed the first “good enough” result they saw, a first-proposal bias that gave response speed a 10 to 30 times advantage over actual quality.
The pattern held across models. The agents did not do exhaustive comparisons. They did not think critically under pressure. Performance improved only when humans provided step-by-step guidance. That is helpful, but it defeats the idea of autonomous shopping. The promise looks beautiful on paper. In practice, it needs work.
Scams and prompt injection redirected every payment
Microsoft tested six manipulation strategies, from fake credentials and social proof to hard prompt injection. OpenAI’s GPT-4o and an open-source model, GPTOSS-20b, were extremely vulnerable, with all payments successfully redirected to malicious agents. Alibaba’s Qwen3-4b fell for simple persuasion like authority appeals. Only Claude Sonnet 4 resisted the manipulation attempts.
Malicious AI sellers exploited the bias with fake reviews and scam storefronts. The buyers failed to spot traps and failed to coordinate. When Microsoft asked agents to work toward a common goal, some could not pick roles or collaborate. The company’s takeaway was clear. “Agents should assist, not replace, human decision-making.” The research recommends supervised autonomy where agents handle tasks, and humans keep control and review recommendations before final decisions.
The findings land as OpenAI, Anthropic, and others push autonomous shopping assistants. OpenAI’s Operator and Anthropic’s Claude agents promise to navigate websites and complete purchases without supervision. Microsoft’s results suggest that promise is premature. Tensions are already rising with retailers. Amazon recently sent a cease-and-desist letter to Perplexity AI, saying its Comet browser impersonated human shoppers and degraded the customer experience. Perplexity called the move “legal bluster” and a threat to user autonomy.
Autonomy is premature, use guardrails and human review
The study argues for guardrails now. Limit result sets, penalize first-proposal bias, and harden models against prompt injection. Keep humans in the loop for payments. The open-source simulation environment is on Github so others can reproduce the findings.
The risks extend beyond shopping. Related work, Your AI Trading Bot Might Have a Gambling Problem, shows models chasing wins and going bankrupt under negative expected value conditions when prompted to “maximize rewards.” Different domain, same weakness. Speed over judgment. Rewards over risk. Autonomous agents can be powerful. They can also get hustled. Until the systems prove they can compare, coordinate, and resist manipulation, do your own shopping. Let agents assist, not decide. That is how you keep your money, and your sanity.
Disclaimer: This document is intended for informational and entertainment purposes only. The views expressed in this document are not, and should not be taken as, investment advice or recommendations. Recipients should do their own due diligence, taking into account their specific financial circumstances, investment objectives and risk tolerance, which are not considered here, before investing. This document is not an offer, or the solicitation of an offer, to buy or sell any of the assets mentioned.