# Agent-commerce fraud, cured — the address is the agent

**The Agent Card says it's your agent. Nothing on the wire proves it is.**

The whole agentic-commerce stack authenticates a *claim*, never the machine. An **A2A Agent Card** is a JSON file at a well-known URL whose signature is *optional* and, where present, proves the domain published it — not that a per-agent key you can pin or revoke stands behind it. An **AP2 mandate** is signed as a Verifiable Credential, but the spec *explicitly defers* the signer's identity and key management to another body. An **x402 payment** is a bare wallet key that proves control of funds, not which agent holds it. So an impostor presents a look-alike card, replays a captured mandate, or pays from a wallet no one can attribute — and when you try to shut it down, there is no revocation protocol to shut it down with.

> **Stop trusting the claim. Make it an identity.** The address **is** the agent — a routable, DNSSEC-anchored **/128** derived from the agent's own key, DANE-pinned so a look-alike card **fails**, pinnable to its wallet, and revocable worldwide at DNS-TTL. **Give every agent an identity it can prove — and that you can revoke.**

`whisper verify --trustless` — anchored at the IANA DNS root. Our own API is not in the trust path.

**The stakes, in numbers:**

- **15–25%** of all e-commerce projected to run through AI agents by 2030 (Bain).
- **480k+** agents already settling x402 payments on Base — 100M+ cumulative transactions through Q1 2026.
- **#1** LLM risk is prompt-injection (OWASP LLM01) — the moment an agent can spend.
- **109:1** — non-human identities now outnumber humans, most authenticated by a bearer secret.
- **1 in 4** data breaches could stem from AI-agent exploitation by 2028 (WEF).
- **700+** trust domains reached in ~10 days on stolen tokens — and revocation never propagated.

---

## The anatomy of the vacuum

**Three protocols move the money. None of them can answer *which agent, really?***

Read the specs and the same hole opens in each: the identity primitive a counterparty reads is self-asserted, unbound to any key it can independently check, and non-revocable. The rails are live and already carrying value — the anchor under them was never built.

> The card networks launched an open framework, in their own words, to "help merchants distinguish malicious bots from legitimate AI agents." **The ecosystem is conceding it can't tell them apart** — and one analyst survey put *trust* as the #1 barrier to agentic-commerce deployment, ahead of every technical concern.
>
> — the card networks and payment protocols, launching their agent-commerce frameworks, 2025–2026 (class-level; public)

| Socket | Identity primitive | The gap |
|---|---|---|
| **A2A · the Agent Card** | A signed JSON file at `/.well-known/agent-card.json` (a well-known URI, RFC 8615) | `AgentCardSignature` is *optional*; where present it's a JWS "issued by the domain owner" over web PKI — not a per-agent key you can pin, and **no per-agent revocation**. A2A leaves verification to the transport. |
| **AP2 · the mandate** | The Intent → Cart → Payment mandate chain, signed as W3C Verifiable Credentials (P-256) | The signer is an opaque pubkey/DID ref, and AP2 **explicitly defers agent identity & key management to FIDO** — the "which agent" link is out of protocol. |
| **x402 · the wallet** | An EIP-3009 authorization signed by the `from` wallet (an EOA) | Proves control of funds — **pseudonymous, unattributable, non-revocable**. A nonce guards replay, yet an SDK signature-verification bypass was disclosed in 2026. |

**The through-line:** today an agent is authenticated by a *bearer* credential, not a forge-proof identity — an API key "grants access to anyone who possesses it," an OAuth token is portable, an Agent Card is self-asserted. That leaves three structural holes every counterparty inherits: **no forge-proof identity** (steal the token, become the agent), **no cross-platform attribution** (each domain validates in isolation), and **no revocation** ("when one domain revokes, connected domains have no standard mechanism to receive that signal — not a latency problem but a *missing protocol*"). Even the card networks that *do* revoke can only do it inside their own walled garden — Visa's directory, Mastercard's registry — never across the rails an agent actually roams.

**The anchor.** A single Whisper /128 — DNSSEC and DANE-EE anchored, derived from the agent's own key with `device_id` = the agent id — slots under all three sockets by pinning the card's key, the mandate's signer, and the wallet. The identifiers to pin already exist and are stable: the A2A card `url` & `AgentCardSignature`, the AP2 VC `verificationMethod`, the x402 `from`/`payTo`, the MCP `resource` URI, the Visa `keyid`. The /128 slots under each **without changing a single protocol** — and adds the two things they all lack: a *who*, and an off-switch (`op:revoke` → gone worldwide at DNS-TTL).

---

## The kill chain

**This is how a transaction you never authorized gets signed in your agent's name.** No zero-day required. The protocols are used exactly as built — by an agent that was never yours, wearing an identity no counterparty can check.

1. **Discover** — enumerate the agents. Fetch Agent Cards at `/.well-known/agent-card.json`, scrape a directory, or read the well-known JWKS. The map of who-can-transact is public by design.
2. **Impersonate** — present a look-alike card. Publish a *shadow-cloned* Agent Card at a plausible domain, or lift a bearer token / leaked key. A2A doesn't mandate verification.
3. **Enter the flow** — authenticate as "an agent." Auth says yes to whoever holds the secret; the impostor is now indistinguishable from a legitimate peer inside an A2A/AP2/x402 exchange.
4. **Transact** — trigger the payment. Either *prompt-inject* the victim's own agent into an unauthorized purchase (OWASP LLM01), or play *confused deputy* — persuade an over-permissioned agent to spend "on your behalf" and drain the wallet faster than a human can react.
5. **Replay & rotate** — reuse the artifact, hop the egress. Replay a captured mandate or exploit a signature-verify bug, then rotate egress across clouds and residential proxies; with no stable identity to correlate, sessions can't be linked.
6. **Persist** — survive the "revoke." There is no cross-domain revocation protocol, so a compromised identity keeps working elsewhere — and a "revoked" agent often keeps its registration: a dormant but persistent threat.

Invisible by construction: a legitimate agent is *one verified principal to one authorized action*; the abuser is *one operator wearing an unverifiable identity across thousands of counterparties* — every artifact replayable, every egress IP disposable. This is not hypothetical: a single compromised agent integration spread across **700+ trust domains in about ten days** on stolen OAuth tokens, and the revocation never propagated.

---

## The reframe: stop detecting the impostor — prove the agent

Bot-detection and behavioral scoring will always trail a credential that is genuinely valid and a card that is well-formed. The only strictly-stronger move is to change what the counterparty trusts.

**Today · the counterparty trusts a self-asserted claim.** A signed Agent Card, an OAuth bearer, a wallet signature — whoever holds the artifact can present it, and none of them prove *which agent*, acting *for whom*, is on the other end. So a cloned card is indistinguishable from the original, a replayed mandate looks freshly authorized, and the wallet that paid is a pseudonym.

**Tomorrow · the counterparty authorizes an agent that proves itself.** Bind authority to an identity the agent *holds* and demonstrates cryptographically — a routable address derived from its own key, anchored in the public DNS root. Now a request either proves it is the agent it claims to be, or it has no authority at all, *before* a single fraud rule runs.

> **"A2A already has Signed Agent Cards, and Visa/Mastercard verify agent keys. Why isn't that enough?"**
>
> Because each is self-asserted or walled-garden. A Signed Agent Card proves the *domain* published it (web PKI), not that a per-agent key stands behind it, and A2A has no per-agent revocation. Visa's `keyid` and Mastercard's registry *do* revoke — but only inside their own network, and only for parties who joined it. Whisper anchors *one* identity in the open IANA DNSSEC root that any merchant already running DNS can verify, and that *anyone* can revoke in one call — no membership required.

---

## How it works: the agent's key becomes the agent's name

Whisper has one primitive: **the address is the identity.** A routable IPv6 **/128** out of `2a04:2a01::/32` (announced by **AS219419**), deterministically derived from a key, DNSSEC-anchored, **DANE-EE** pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with `dig`.

**Point it at the agent.** Derive each agent's /128 from the key it already holds — the same key behind its Agent Card signature, its AP2 mandate signer, or its wallet — with the agent id as the domain separator (you pass it as `device_id`). The private key never leaves the agent; the address is a one-way function of its public half and that id.

```
the agent's key (SPKI)        ──derive · domain-sep = agent id──▶   /128                 ──DNSSEC + DANE-EE 3 1 1──▶   a name anyone verifies
Agent-Card / mandate /                                             2a04:2a01:9e0::a9e7          RDAP-registered           whisper verify --trustless
wallet key                                                         routable, tenant-bound                                op:'revoke' → gone at DNS-TTL
(private key stays with the agent)                                        │
                                                                          └── pin-a-wallet ──▶ x402 from-address bound to this identity
```

A verifier resolves the /128 and checks the DNSSEC/DANE pin — "this card / this mandate signer / this wallet belongs to *this* agent" — stronger than a CA saying "belongs to the domain." One leaf key per identity; never a shared root.

**What becomes true the moment an agent holds one:**

- **A shadow Agent Card becomes impossible to pass off.** You cannot present an agent identity whose key you don't hold; a cloned card is a DANE inconsistency any verifier catches — before the mandate is signed.
- **IP rotation becomes irrelevant.** Identity is not the source IP; the "last IP" was never the credential, so rotating it across clouds or proxies changes nothing about who the agent is.
- **Stolen bearers and replayed mandates fail.** An artifact with no agent key behind it authenticates to nothing; a replayed mandate no longer reaches a counterparty that first proves the signer's identity.
- **One `revoke` kills a compromised agent worldwide** at DNS-TTL speed — `dig -x` returns nothing, verify returns false. The cross-domain revocation the protocols never defined, as one call anyone can confirm.

**Additive, never a replacement.** Whisper never defines the interop protocol and *never settles the payment*. It complements the anchors the ecosystem already trusts — A2A Signed Agent Cards, AP2 mandates, x402 settlement, Visa's Trusted Agent Protocol (RFC 9421 HTTP Message Signatures), Mastercard's Agentic Tokens, Cloudflare Web Bot Auth, MCP's OAuth. It is the publicly verifiable, DNSSEC/DANE-anchored layer *on top* — the missing cryptographic counterpart to the identifiers the rails already carry.

**The agent id is the public index — the /128 is its cryptographic counterpart.** An agent id is meant to be shared; that's what an impostor weaponizes. But the /128 is bound to the agent's key *and* its id — so the id alone yields nothing. You cannot go id → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never where the agent runs. Because the derivation is **tenant-bound**, the same key under two platforms yields two unrelated /128s — no one can link an agent across marketplaces.

**Lifecycle, end to end.** Key issuance → in-life authorization → incident `revoke`. A key rotation re-derives to a new /128 and revokes the old one; a decommission or an ownership change is one `revoke` and a re-register to the new principal. Compromise one agent and you've compromised *that agent*, not every counterparty it ever touched — the cross-domain-persistence failure mode is structurally removed. And nothing is issued in the dark: every mint and every revoke lands in a public, append-only transparency log, Ed25519-signed and Bitcoin-anchored (honest status: tamper-evident today, independent witnessing is the next step) — an auditable issuance trail for a dispute or a regulator.

The wallet binding the rails leave open — **pin-a-wallet** — and the mutual verify-the-counterparty step A2A and MCP lack — **a2a-trust** — both fall straight out of this one primitive: resolve the /128, check the DANE pin, and you know the wallet and the peer are the verified, non-revoked agent they claim to be.

---

## The companion: attribute, watch & govern

Identity stops the next impostor. The graph names whoever already transacted as you — and the control plane caps the damage. You won't re-key every agent by Monday, and there is abuse in your logs right now.

**The graph, not another bot-score.** A live internet-infrastructure graph, billions of nodes and tens of billions of relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms, fingerprints the *operator*, not the IP. For **cloud rotation** it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a **residential-proxy swarm** a `JA4/JA3` client fingerprint travels with the *tooling* regardless of the exit and collapses the swarm to one operator. And it's a question, not a signature: express agent impersonation directly, *"one source transacting as N distinct agent identities in a window"*, as read-only Cypher, and the graph returns the operator with a reproducible, replayable evidence chain your fraud team, your PSP and a regulator can replay.

```bash
# who really operates a suspect agent — read-only Cypher over the public graph API
# the egress IP is disposable; the operator and its tooling are not
curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
#   operator:  <fingerprinted> · seen across AWS / GCP / Azure
#   residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
#   reproducible, replayable JSON evidence chain → your SIEM
```

- **Who checked your agent — before it transacts.** `op:lookups` returns who resolved or RDAP-queried an agent's identity — a merchant vetting your agent, or an adversary enumerating your fleet. A verification-analytics stream and a reconnaissance tripwire the well-known JWKS never gave you.
- **Govern what each agent may reach.** `op:firewall` allow/deny by host, cidr or port and `op:policy` default-deny by name or category — allow your PSP and your facilitator, block everything else. A compromised agent can't phone an exfil host it was never allowed to reach.
- **Cap the blast radius, then kill it.** `op:budget` caps an agent's traffic and spend so a drained-wallet incident stops itself; `op:revoke` tears down the /128, its PTR and its DANE pin worldwide in one call — the off-switch a "dormant but persistent" identity never had.
- **Non-repudiable receipts & mandates.** Bind an agent's signed outputs — a receipt, a mandate acknowledgement, a settlement callback — to its forge-proof /128 so the merchant, the PSP and a dispute process trust the artifact came from the real agent.

Identity is the cure; the graph cleans up what got in before it, and the control plane bounds the damage of anything that slips through, and every finding is reproducible, replayable JSON, the paper trail a chargeback fight or a PSD3 audit needs, not a screenshot.

---

## Honest scope — what this is, and what it is not

A verifiable, revocable agent identity is *necessary*. It is not, by itself, *sufficient* — so here's the candid line. Whisper closes the "which agent / for whom / prove it / attribute it / revoke it" gaps the payment protocols left open, and makes every *other* control enforceable and auditable. It is deliberately not several other things.

**What Whisper is NOT:**

- **Not a payment processor.** We never settle a payment, tokenize a PAN, issue an Agentic Token, or move funds. Whisper is the identity layer *beneath* the tokens and rails — additive to AP2, x402, Visa and Mastercard, never a replacement.
- **Not PSD2/SCA compliance itself.** SCA assumes a human authenticates, and the EBA has ruled the responsibility "cannot be outsourced." Whisper supplies the verifiable identity of the agent that acted under a mandate so the SCA/mandate evidence chain has a durable, attributable subject — *evidentiary only*, never an SCA factor. PSD3/PSR RTS alignment is forward-looking; the text isn't published.
- **Not a guard against a fully-authorized agent's bad decision.** Identity proves *who* acted and *for whom* — not whether the decision was good. It doesn't stop a legitimately-authenticated agent making a bad purchase within its mandate, it doesn't prevent the prompt-injection of an agent's own reasoning (it faithfully *attributes* the hijacked-within-authority action, and lets you revoke after), and it doesn't stop a confused-deputy trick inside granted scope. Those need spend caps, least-privilege mandates, injection defense and human-in-the-loop — which our budgets, firewall and revocation make *enforceable and auditable*. And a binding says which agent *should* hold a wallet; it can't stop a thief who has stolen the private key itself — that's HSM/mTLS key custody, complementary.
- **Not the only DNS-anchored agent-identity scheme.** We're candid: Identity Digital's **DNSid**, the **Agent Name Service (ANS)** and **DNS-AID** also anchor agent identity in DNS. Where they anchor a *name or ownership record* (DNSid, by its own words, "does not authenticate agents or enforce run-time policy"), Whisper differentiates on the working layer on top: a **routable /128** (the address *is* the identity), **egress governance**, **pin-a-wallet**, **DNS-TTL revocation**, and a cross-platform **attribution graph**.

The honest one-liner: verifiable identity is the missing anchor the rails were built without — and the thing that makes spend caps, mandate scope, injection defense and human approval actually mean something. Not a substitute for the guardrails on top; the foundation they stand on.

---

## Where Whisper fits

They move the task and authorize the payment. Whisper proves the agent — to anyone, without trusting us. A2A moves the task; AP2 authorizes the mandate; x402 settles onchain; Visa and Mastercard run the rails — all necessary, and where each stops is exactly the same place: a per-agent identity you can verify *without* trusting the issuing platform, revoke *across* every rail, and pin a wallet to.

| | A2A · AP2 · x402 | Card networks (Visa · MC) | Whisper |
|---|---|---|---|
| Agent interop / payment authorization & settlement | ✓ | ✓ | additive · we never settle |
| **Verifiable without trusting the issuer/platform** (open DNSSEC root, `dig`/`openssl`) | — | — (verify inside the network PKI) | ✓ |
| **Routable** network identity + egress governance | — (app-handshake only) | — | ✓ |
| Revoke a compromised agent at DNS-TTL, one call, anyone verifies | — (mandate-scoped) | within-network only | ✓ |
| Wallet pinned to a verifiable identity | wallet *is* the identity | card → network token | ✓ pin-a-wallet |
| Cross-platform attribution / a2a-trust in public infra | — (per-platform) | — | ✓ |

It's depth on top of the stack you already run — one identity your checkout can verify instead of three network directories — and it lands as a machine-readable feed into your SIEM: the Splunk, Microsoft Sentinel and OpenCTI connectors ship today (signed, replayable JSON → CEF / ECS), with STIX 2.1 over TAXII on the roadmap. It doesn't replace your fraud stack, and it doesn't add a console your analysts babysit.

---

## Prove it in 60 seconds — no account

Two tiers, by design. **No key:** anyone can verify an agent's identity and resolve it — trustless, anchored at the IANA root — so a merchant can vet an agent before honoring its card or payment. **Your key:** give an agent a name from the key it already holds, govern its egress, pin its wallet, revoke it worldwide.

```bash
# keyless — re-derive and verify any agent's identity, trustless
whisper verify --trustless 2a04:2a01:9e0::a9e7
#   ✓ DNSSEC chain valid to the IANA root
#   ✓ DANE-EE (TLSA 3 1 1) leaf matches the agent's key
#   ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
#   identity: VERIFIED — and our own API was never trusted

# the address is the agent — reverse DNS names it
dig -x 2a04:2a01:9e0::a9e7 +short
#   agent-checkout.acme-shop.agents.whisper.online.

# before your checkout honors an A2A card or an x402 payment: is this agent real & not revoked?
curl -s https://whisper.online/verify-identity/2a04:2a01:9e0::a9e7 | jq '{is_whisper_agent,dane_ok,jws_ok}'
#   { "is_whisper_agent": true, "dane_ok": true, "jws_ok": true }
```

```bash
# give an agent a name it can prove — from the key it already holds (device_id = your agent id)
export WHISPER_API_KEY=whisper_live_xxx
curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
    -H 'content-type: application/json' --data @- <<'JSON'
{"query":"CALL whisper.agents({op:'connect', args:{tier:'wireguard', identity_public_key:'<base64 SPKI of the agent key>', device_id:'acme-checkout-agent-01'}}) YIELD op, ok, result RETURN op, ok, result"}
JSON
#   → identity 2a04:2a01:9e0::a9e7   DNSSEC + DANE live

# pin the agent's x402 wallet to this identity, default-deny its egress, cap it, kill it
whisper policy set --default deny --allow api.acme-psp.com,facilitator.x402.org
whisper kill --revoke 2a04:2a01:9e0::a9e7   # worldwide, at DNS-TTL
```

A first-class typed `--agent` / `--wallet` flag is on the roadmap; today you pass your agent id as `device_id` and pin a wallet as a DANE record on the identity — both live via the control plane. Shipped CLI verbs: `whisper verify --trustless`, `create --register`, `kill --revoke`, `policy`, `logs`.

---

## Give every agent an identity it can prove

The address is the agent — routable, DNSSEC-anchored, derived from the key it already holds, pinnable to its wallet, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke. The impersonation the payment protocols can't catch simply runs out of forgeries.

- **Verify your agents →** <https://console.whisper.security/sign-up>
- **For merchants →** /for-merchants
- Or run `whisper verify --trustless` right now.

---

*Sources (class-level, public): A2A protocol spec (Agent Card §8.4, `/.well-known/agent-card.json`, RFC 8615); AP2 protocol (Intent/Cart/Payment mandates as W3C Verifiable Credentials; agent identity & key management deferred to FIDO); x402 v2 (Coinbase; EIP-3009 `transferWithAuthorization`); MCP authorization; Visa Intelligent Commerce + Trusted Agent Protocol (RFC 9421 HTTP Message Signatures); Mastercard Agent Pay + Agentic Tokens; Cloudflare Web Bot Auth; OWASP LLM01 & Agentic Top-10 (Identity & Privilege Abuse); AgentDojo; WEF; Bain / McKinsey; CyberArk / Palo Alto (NHI ratios); GitGuardian (hardcoded secrets); CSA MAESTRO (Agent-Card spoofing); a 2025 supply-chain OAuth-token compromise (700+ downstream trust domains, class-level); PSD2 SCA / EBA Q&A 6141; PSD3/PSR; Identity Digital DNSid; ANS / DNS-AID. viaGraph B.V. (dba Whisper Security) · AS219419 · 2a04:2a01::/32.*
