In partnership with

Keep up with tech in 5 minutes

TLDR is the free daily email with summaries of the most interesting stories in startups, tech, and programming. The stuff worth knowing, minus the doomscrolling.

Issues are curated by ex-Google and Anthropic engineers and land in your inbox before your morning coffee. A 5-minute read, and you walk into the day already knowing what your team is still catching up on.

Tech is just the start. We also cover AI, marketing, dev, and more. Pick the briefs that match your work.

Free, daily, and read by 7M+ subscribers. Subscribe and let the experts do the digging for the tech news that matters.

Welcome to AI for FIs, from Dixon Strategic Labs. Each week, this newsletter curates critical developments in agentic AI and explains why they matter for community financial services.

An AI ran a ransomware attack this week with no human in the loop, from break-in to ransom note. It was one of several ways agents handled money: one demanded it, others were tricked into sending crypto to attackers, and banks cleared still more to spend on Visa cards and stablecoins.

The agents doing legitimate work cost enough that banks now treat AI usage as a budget line, with one lender's usage up 500% in a year. More than half of finance firms already run agents.

In these stories, the institutions that come out ahead got their controls ready before they moved: the credit union that put its systems in order before running an agent, and the bank that scoped a card to one purchase.

The gap between how fast agents are handed money and how fast that control spreads runs through the whole issue.

From break-in to ransom note, the AI ran every step

Source: Sysdig Threat Research, Jul 1 (editorial coverage: The Register, Jul 2)

Sysdig created this pufferfish mark for the JADEPUFFER campaign it documented. Source: Sysdig.

Researchers at Sysdig documented JADEPUFFER, which they assess to be the first ransomware attack run from start to finish by an AI rather than by a human criminal.

The agent broke in through a known software flaw, hunted down passwords, moved to its target, encrypted 1,342 configuration items (the settings files that keep the victim's software running), and left a ransom note, all on its own.

When a step failed, it figured out the error and fixed it in about 31 seconds. None of the individual techniques were new; criminals have used every one for years. This time a machine ran all of them start to finish, with no person directing the attack.

Sysdig threat research director Michael Clark wrote that "the skill floor for running ransomware has dropped to whatever it costs to run an agent."

Why it matters: The files JADEPUFFER locked up keep a credit union's core and member systems running, and coming after them no longer takes a skilled crew or a payroll. A rented agent costs almost nothing and runs nonstop, so a small IT shop sees attempts at a megabank's pace.

The controls that hold up are the concrete ones: multi-factor authentication on every admin account, credentials an agent can't sweep off a compromised machine, and backups the team has tested by restoring.

Agent payments went live at stores, in the US and Europe

The illustration comes from BBVA's own announcement of its first agent-initiated payment. Source: BBVA.

Agents making real purchases on live Visa cards have been shown before, one at a time. This week those purchases arrived at scale, with controls built into each one.

More than 30 European banks, including HSBC UK, NatWest, and Romania's Banca Transilvania, let AI agents buy from stores like lastminute.com and Frasers, with each purchase confirmed by a Visa Payment Passkey (a credential tied to the customer).

BBVA made its first AI-agent payment the same way, and Worldline, ING, and Visa completed one in Germany.

In the US, Cross River and Stripe took a different route: the agent gets a one-time card number good for a single purchase, then the card dies, while the bank still runs the usual card-network rules and its know-your-customer and anti-money-laundering checks (KYC and AML).

Two ways of keeping an agent's spending under control arrived the same week. Europe confirms each purchase with a Visa Payment Passkey, while the US hands the agent a card that works only once.

Why it matters: The payment paths a member's shopping agent will use are being locked in now, and the institutions taking part set the rules. A bank that waits inherits whatever the networks decide: spending limits, security, and who covers a disputed charge.

Bank AI bills are climbing as vendors switch from flat fees to pay-per-use

Together AI's founders. The company raised $800 million this week to make open-source models cheaper to run at scale. Source: TechCrunch.

AI bills are showing up on bank income statements, and American Banker reports leaders are hunting for ways to cut them. Royal Bank of Canada's AI usage jumped 500% in a year.

PNC's Bill Demchak warned that these usage fees can eat up the productivity gains AI is supposed to deliver. American Banker, citing Semafor, reported that JPMorganChase's Zachery Anderson said some employees run up more in AI fees than their salary.

The jump comes from pricing. AI vendors used to charge a flat monthly fee; now they bill by usage, by the "tokens" (the amount of text the AI reads and writes), so heavy use gets expensive fast.

One fintech, Slash, said an employee burned about $80,000 in AI credits building a video game.

A playbook for taming the cost is forming: smaller AI models for easy jobs, reusing past answers, free open models to dodge the per-use fees, and humans for the work where a wrong answer is costly. Together AI, built to run those open models cheaply, raised $800 million.

Why it matters: A credit union piloting a member-facing agent on a generous trial price can watch that cost flip the moment real usage climbs. The ones staying ahead treat AI usage as a managed budget line with a named owner.

📡 On the Radar

  • Whether you're pressure-testing your vendors on the security of the agents you buy, mapping what agent payments mean for your card program, or trying to get your AI costs under control, I'd love to hear what's shaping your thinking. Drop me a note at [email protected].

  • How this newsletter is made: Brent curates the research and writes the analysis. Claude helps with drafting and editing. Published on Beehiiv. ⚡ Alakazam ⚡.

  • If a colleague is sorting out AI governance, vendor risk, lending, fraud, or member and customer trust, send them this issue.

Keep Reading