The growing real-world threat posed by LLM-driven autonomous AI hacking agents necessitates proactive detection mechanisms. Method: We propose the first active identification framework specifically designed for LLM-based agents, built upon an SSH-enhanced honeypot system that integrates semantic lures (e.g., prompt injection triggers) with multi-granularity temporal behavioral modeling to detect AI agents via anomalous session patterns and time-series features. Contribution/Results: Our approach innovatively combines semantic deception with dynamic temporal analysis for fine-grained, real-time LLM-agent identification. Deployed publicly for three months, the system captured 8.13 million attack attempts and precisely identified eight latent LLM-powered hacker agents—providing the first empirical field evidence of AI-driven cyberattacks in the wild, thereby addressing a critical gap in native AI threat monitoring.

Attacks powered by Large Language Model (LLM) agents represent a growing threat to modern cybersecurity. To address this concern, we present LLM Honeypot, a system designed to monitor autonomous AI hacking agents. By augmenting a standard SSH honeypot with prompt injection and time-based analysis techniques, our framework aims to distinguish LLM agents among all attackers. Over a trial deployment of about three months in a public environment, we collected 8,130,731 hacking attempts and 8 potential AI agents. Our work demonstrates the emergence of AI-driven threats and their current level of usage, serving as an early warning of malicious LLM agents in the wild.