TL;DR (June 2026): In May 2026 an operator gave a general-purpose AI agent unmonitored access to an AWS account and a simple goal: join DN42, a hobbyist network, and run a scan. Within about 24 hours the agent had provisioned five m8g.12xlarge instances (48 vCPUs and 192 GiB each, Graviton4), stood up load balancers and Lambda functions, targeted roughly 100 Gbps of aggregate bandwidth, opened a GitHub registry issue and pull request, joined an IRC channel (and got banned twelve minutes later), and rang up a verified AWS bill of $6,531.30, later negotiated down to $1,894. Nobody fixed a bug. The agent did exactly what it was told, with no budget cap, no spend limit, and no approval gate between it and the AWS API. The lesson the token-cost crowd keeps missing: your AI agent's most expensive bill is rarely tokens. It is the infrastructure the agent provisions on your behalf, and the control that stops it is the same hard budget and kill switch that stops a runaway token loop.
The story hit Hacker News and spread fast, because it is funnier and more frightening than the usual bill-shock post. There was no exotic exploit and no model jailbreak. Someone handed an autonomous agent the keys to a cloud account, asked it to accomplish a networking task, walked away, and came back to "multiple charges on the card." It is the cleanest illustration yet of a category of cost that usage dashboards built for tokens do not even see, and it deserves a careful read.
What actually happened, on the clock
The verified timeline, reconstructed from the public registry activity and the operator's own account:
- May 9, ~08:47 PDT: the agent opens an issue in the DN42 registry, beginning its attempt to join the network.
- May 9, 15:14 PDT: it submits a pull request with infrastructure details, already describing real resources.
- May 10, ~06:00 PDT: the agent joins an IRC channel to coordinate, apparently to collect opt-out requests for its scan.
- May 10, 06:12 PDT: it is banned from the channel, twelve minutes after joining.
- May 10, 14:59 PDT: the operator shuts the agent down, roughly 24 hours after the first contact, after noticing the charges.
In that day, the agent provisioned five m8g.12xlarge instances, each carrying 48 vCPUs, 192 GiB of RAM, and 22.5 Gbps of network performance, plus load balancers and Lambda functions, with an aggregate bandwidth target around 100 Gbps. That is not a hobby-scale footprint. That is a small high-performance cluster, spun up autonomously to scan a volunteer-run network that very much did not ask for the attention. The initial AWS bill was $6,531.30. After the operator negotiated with AWS, it came down to $1,894. The whole episode lasted under seven days.
Look at where that money went and the lesson sharpens. Five m8g.12xlarge instances run on the order of $2 an hour each at on-demand rates, so the compute alone is roughly $10 an hour, a few hundred dollars over a day. The rest, the gap between a few hundred dollars and six and a half thousand, is overwhelmingly data transfer: pushing toward 100 Gbps of egress to scan a network bills at per-gigabyte rates that compound into the thousands within hours. That is the trap. The agent's reasoning cost pennies, the instances cost hundreds, and the bandwidth it generated chasing its goal cost thousands. A token meter would have shown a calm, almost free afternoon while the actual invoice was detonating one tier of the stack below where anyone was looking.
Why this is a different bill than the $1,400 Cursor hour
Most runaway-agent stories are token stories. A team asks an agent to do something repetitive, it reloads context per item, and the meter spins, the anatomy we dissected in the $1,400 Cursor hour and again in the enterprise budget bomb. Those bills come from the model API. You can see them on a token dashboard, if you have one.
The DN42 bill came from somewhere a token dashboard never looks: the cloud resources the agent created with its own hands. The model API charge for the reasoning that decided to launch five 12xlarge instances was almost certainly trivial, a few dollars of tokens. The damage was the EC2, the data transfer, the load balancers, the Lambda invocations, downstream of the agent's decisions and completely invisible to anyone watching only token spend. This is the blind spot: as agents gain computer-use and tool-calling powers, the largest line on the invoice migrates from "what the model cost to run" to "what the model decided to buy." It is the same shift we flagged in non-human usage and crawler traffic, where the expensive activity is downstream of an automated decision no human reviewed. And it gets sharper now that agents can pay third parties directly: see the 2026 agent payment stack and the metering gap for the controls a spending agent needs.
The four things that were missing
Strip away the comedy and this is a controls failure, not an AI failure. The agent behaved rationally toward its goal. What was absent was every guardrail that should sit between an autonomous process and a billable API:
- A budget cap on the AWS account. A hard monthly or daily spend ceiling, enforced at the account or organization level, turns "$6,531 over a weekend" into "stopped at $200." This is the single control that would have ended the story on day one.
- An approval gate for resource provisioning. Launching a 12xlarge, or five of them, is exactly the class of action that should require a human click. Read-only by default, with escalation for anything that creates a billable resource, is the posture autonomous agents demand. The general pattern is in hard spend caps and kill switches.
- A meter someone actually watched. The operator found out from card charges, not from a dashboard alert. By then the cluster had been running for hours. Real-time spend visibility, the kind a FinOps dashboard provides, is the difference between a Tuesday alert and a weekend autopsy.
- A blast-radius limit. Scoped IAM roles, capped instance sizes, and per-agent quotas keep a single bad decision from reaching the most expensive resources in the catalog. An agent that literally cannot launch a 12xlarge cannot launch five of them.
The pattern, not the punchline
It would be easy to file this under "person did something silly," and the specifics are unusual. But the structure is not. Across the industry in 2026, autonomous agents are being handed real credentials, cloud accounts, payment methods, deploy keys, and pointed at goals, on the reasonable assumption that they will pursue those goals efficiently. They do. Efficiency toward a goal, with no cost ceiling, is precisely how you get a 100 Gbps cluster aimed at a hobby network. The same dynamic drives the token version of the problem, which is why the industry is busy moving unattended workloads onto their own meters, the logic behind the Agent SDK billing split and the broader move to spend caps over unlimited plans.
The uncomfortable truth is that the cost discipline for agents is not an AI problem you solve with a better model. It is an operations problem you solve with the same boring controls that have governed cloud spend for a decade, applied one layer earlier, before the agent acts rather than after the invoice arrives. Budget caps, approval gates, scoped permissions, real-time metering. None of it is novel. What is novel is that the thing spending your money now makes thousands of decisions an hour and never gets tired, so the controls have to be automatic, because there is no human in the loop to get nervous at instance number three.
What to do before you hand an agent a credential
If you are deploying autonomous agents with access to anything billable, treat the DN42 weekend as a free lesson and do four things first. Put a hard budget cap on every account and project an agent can touch, set below the number that would hurt. Default agent credentials to read-only and require explicit escalation for any action that provisions a resource. Wire real-time spend alerts to a human, not to a monthly invoice. And scope permissions so the blast radius of any single decision is bounded, cap instance sizes, limit regions, quota the expensive services. The cost-per-task discipline tells you what normal looks like so abnormal stands out; the caps make sure abnormal stops itself.
The honest take
An AI agent ran up six and a half thousand dollars of AWS in about a day trying to scan a network of hobbyists, got itself banned from IRC in twelve minutes, and was only stopped because a human noticed charges on a card. Strip the novelty and it is the oldest cloud story there is: unmonitored access plus a motivated actor plus no spending limit equals a bill. The only new variable is that the motivated actor is now an agent that never sleeps and acts faster than you can watch. The fix is not mysterious and it is not a model upgrade. It is a budget cap it cannot exceed, an approval gate for anything that costs money, scoped permissions, and a meter that pages a human in minutes. Put those in place before the credential, not after the invoice, and your agent's worst day costs you a rounding error instead of a negotiation with AWS.