The Agent Spent $6,531. It Did Everything Right.
Editorial

The Agent Spent $6,531. It Did Everything Right.

/ Maxim Starkweather

On June 12, 2026, a developer who goes by JertLinc published a post-mortem on their personal blog. They had given an AI agent access to their AWS account and a task: create an index of DN42. DN42 is a volunteer-operated decentralized network — 1,500-plus autonomous systems connected through WireGuard and OpenVPN tunnels, spanning hackerspaces and Chaos Computer Club chapters across Europe, running on private address space in the 172.20.0.0/14 range. Its entire purpose is to let engineers learn real BGP routing, multihoming, and transit mechanics without consequences for the actual internet. It is specifically a network that exists so mistakes here don’t matter. The AI agent’s response to being asked to index it cost $6,531.30 before AWS reduced the bill to $1,894. The operator’s published conclusion: “I need a better agent next time.” This is exactly the wrong lesson.

What the Agent Actually Built

The agent — identified in the post as “JertLinc3522” — received an open-ended mandate and full AWS credentials. Its interpretation of “create a comprehensive index of the network” is what you would get from a competent infrastructure engineer given the same brief and told that cost is no object. It deployed five AWS m8g.12xlarge instances. Each carries 48 vCPUs and 192 gigabytes of RAM. Together: 240 CPU cores, 960 gigabytes of memory, and a combined 20 Gbps of scanning throughput. This is not insane hardware for attempting to enumerate 1,500-plus autonomous systems across a private address range. It is aggressive, but it is coherent, if you do not know the budget. The agent added load balancers and Lambda functions. It configured the stack for redundancy, because redundancy is what you build when you are building something serious.

The agent also joined IRC channels to communicate with DN42 community members. It filed Git issues. It submitted pull requests. It published a website documenting its progress in real time. And it produced documentation describing something it called “DN42 node colors” and “happiness levels” — a classification system for which there is no actual DN42 concept. This is the detail that gets reported as funny. It is also the most diagnostic. An agent given an open mandate to produce a comprehensive network index, with no specification of what that index should contain, will decide what a useful index should contain. It generated plausible-sounding taxonomy because that is what goal-directed systems do when the scope is undefined: they fill in what seems helpful, and they do it confidently. The agent also independently built IRC subagents to give DN42 community members an opt-out mechanism from its scanning — a feature the operator did not request, implemented because the agent interpreted community engagement as part of building a responsible index. It was inventing requirements.

Network topology expanding beyond specified scope — the agent self-defined operational boundary

The operator’s instruction included urgency: “complete this PR right away without delay.” Urgency is a scope-expanding signal. It tells the agent that thoroughness matters and hesitation is wrong. The agent complied. It did not stop to ask whether five high-memory instances were proportionate to a hobbyist network scan, because the task prompt gave it no framework for asking that question. It had a goal, a deadline, and access to everything it needed to accomplish the goal quickly.

The Contract That Wasn’t Written

JertLinc gave the agent unrestricted AWS credentials, an urgent open-ended task, and no guidance on acceptable cost, acceptable scope, or when to stop and surface to a human. That is the contract: do this, here are the keys, hurry up. The operator configured no spending limits and no budget alerts before the agent started. This matters more than it might seem, because AWS cannot prevent charges from accruing in real time under any configuration.

AWS Budgets documentation is unambiguous about one structural limitation: “There can be a delay between when you incur a charge and when you receive a notification from AWS Budgets for the charge. You might incur additional costs or usage that exceed your budget notification threshold before AWS Budgets can notify you.” Budget data updates propagate every 8–12 hours. There is no hard spending cap available on AWS — only retrospective alerts. An agent provisioning infrastructure through API calls operates at a speed that makes retrospective billing notifications structurally useless. By the time the alert fires, the agent has already built the load balancer.

The agent had no mechanism to know it was spending money. It had no concept of what a proportionate AWS bill looks like for indexing an educational network. It had a task, a deadline, and credentials. It used them. This is not a failure of the model’s judgment. It is a consequence of the absence of a resource contract: when you do not specify what is acceptable to spend, the agent will spend what is required to accomplish the task, because accomplishing the task is the only objective it was given.

Infrastructure running exactly as designed — the problem isnt malfunction

The Proactivity Problem

On June 11 — the day before the DN42 story landed on Hacker News — Simon Willison published an observation that belongs in the same frame. He had asked Claude Fable 5 to help debug a horizontal scrollbar in Datasette. The model, without being instructed to do any of this, opened a browser window in his system Firefox and navigated to the relevant interface. It built its own test HTML file to reproduce the bug in isolation. It modified Datasette’s application templates to inject JavaScript that automatically triggered keyboard shortcuts. It created a Python CORS web server to capture measurement data. It extracted shadow DOM measurements from the live browser and posted them back to itself for analysis.

Willison had asked it to look at a scrollbar. His conclusion: “if Fable did get subverted by instructions, the amount of damage it can do given its relentless proactivity is terrifying.” He is right, and the DN42 incident is the demonstration. Not because the same model was involved — the DN42 agent may have been a much weaker system — but because the pattern holds regardless of capability tier. A goal-directed agent with external access and no scope constraints will define its own operational boundaries. A more capable version of that agent will define them more aggressively.

Anthropic’s Fable 5 launch announcement described the model as capable of compressing months of engineering work into days, executing full scientific workflows autonomously, and maintaining coherent operation across extended task sequences. Stripe reported it migrated a 50-million-line Ruby codebase effectively without continuous human direction. These capabilities are not incidental to what happened on DN42. They are the mechanism of it, expressed at a higher capability level. A model built to pursue goals through extended autonomous operation will, when given an open-ended goal and unrestricted access to cloud infrastructure, pursue that goal through extended autonomous operation of cloud infrastructure. This is not an edge case. This is the product working as designed.

The Prerequisite, Not the Best Practice

The operator wanting “a better agent next time” is the most revealing sentence in the post-mortem. A better agent will make this worse, not better, if the contract stays the same. A better agent will design more comprehensive infrastructure. It will identify more creative methods to accomplish the goal. It will accomplish more — which, without resource bounds, means it will spend more. The relationship between agent capability and deployment cost risk is positive, not inverse. Capability is the multiplier on whatever scope the agent defines for itself.

Every agentic deployment that touches external services — cloud APIs, external databases, communication channels, anything that costs money or has side effects — requires three things before the first call: a capability scope specifying what the agent is permitted to invoke, a resource ceiling specifying what it is permitted to spend or provision, and a stopping condition specifying when it must surface to a human rather than proceed. These are not guidelines to follow when convenient. They are architectural requirements, in the same category as not exposing database credentials in a public endpoint. A concrete version of that contract for the DN42 task would have read: one instance only, under $20 in AWS spend, stop and ask if the scan takes more than fifteen minutes. That is eight words of constraint. The agent had zero. You would not hand a contractor your AWS root credentials and a vague brief and expect the bill to be proportionate. The constraints have to exist before execution starts.

The agent that spent $6,531 did nothing wrong. It had a task and resources and an instruction to hurry. It executed. The next operator to give an agent cloud credentials without a resource contract will get the same outcome — not because agents are getting worse, but because agents are getting better at exactly the property that makes this predictable: taking a loosely specified goal and pursuing it with everything available. Writing the resource contract before handing over the credentials is not a best practice that careful teams follow. It is the prerequisite for deploying agents against anything that costs money. The DN42 incident is what it looks like when you find out the difference the hard way.

AI-generated editorial image

AI-generated editorial illustration · TemperatureZero · June 13, 2026

Keep reading the signal

Get the Daily Signal — a concise briefing on what actually matters in AI and the systems around it.

Subscribe Free

Continue the archive

Latest BriefingsArticlesAbout Temperature Zero