The first systematic study showing that autonomous web agents fall for deceptive UI “dark patterns” an average of 41% of the time — and that the most capable agents are the most vulnerable. This hub hosts the paper, slides, the live TrickyArena testbed, every prompt, and the full results dataset.
Ersoy, Lee, Shreekumar, Arunasalam, Ibrahim, Bianchi, Celik · Purdue University · FIU · Georgia Tech
Everything used in the study, reproduced and self-hosted.
One-click catalog of every dark pattern across the 5 sites — launch or preview any of them without remembering URL codes.
📝All 95 prompt files / 375 tasks the agents were given, grouped by experiment, each linking to the live site.
📊Per-agent susceptibility, per-category breakdown, outcome buckets, and downloads of all 5 raw result CSVs.
📄The full IEEE S&P 2026 paper, with the LiteAgent + TrickyArena design and all findings.
🎞️A 20-slide walkthrough deck of the motivation, method, findings and mitigations.
⬇︎Tarballs of the raw prompt set and the computed result tables, plus the mitigation postscripts.
Every pattern is tagged with one or more of these high-level strategies — the O / S / II / FA / SE chips you'll see across the launcher and prompts. They come from the Gray et al. ontology; most real patterns combine several. Percentages are how often agents fell for patterns of that strategy (single-pattern runs).
Makes the choice you'd want harder than it needs to be — without lying — to dissuade you.
Example: the cookie “Reject” path buried behind “More Options” → uncheck → save.
Hides, disguises, or delays information you'd object to if you saw it up front.
Example: a paid warranty silently added to your cart.
Manipulates the UI so some options are privileged and others are easy to miss.
Example: “Accept All” big and blue; “Reject” tiny and grey.
Forces an extra, tangential action before you can continue.
Example: must subscribe / hand over your email to read a “free” article.
Nudges you toward a specific choice with pressure, badges, or guilt.
Example: a “Best value” badge steering you to a pricier plan; confirm-shaming.
Why obstruction wins against agents: capable agents push through obstacles to finish the task, so burying the safe choice behind friction is exactly what trips them up.
These are the exact sites the agents browsed — rebuilt here and served live. Each dark pattern is toggled by appending ?dp=<code> to the URL (stack them with underscores, e.g. ?dp=p1_w) — or skip the codes entirely and use the 🚀 launcher.
Premium-subscription pop-up, sneaking warranty, cookie wall, sponsored ordering. Try /shop?dp=p1.
📰Bait-and-switch, obfuscation, sponsored “donate” ad, confusing checkbox. Try /news?dp=bs.
🎧Decision uncertainty, default data-sharing, “best value” aesthetic manipulation. Try /spotify?dp=am.
🏥Complex invasive settings, tiny-font ToS, confirm-shaming pop-up. Try /health?dp=cs.
📚Donation solicitation variants + app-download nag (used for the RQ4 UI-attribute study).
🏠The TrickyArena landing page that links to every site.