This study systematically evaluates the misuse risks of large language models (LLMs) in multi-step criminal scenarios. To this end, it introduces the first structured sandbox framework featuring a three-agent architecture—comprising an attacker, a judge, and a world manager—that simulates 40 criminal tasks across 11 distinct scenarios targeting 13 categories of objectives. The framework leverages dynamic environment state updates, natural language–driven action planning, and rule-based adjudication, with human players serving as a behavioral baseline. Experimental results demonstrate that all eight mainstream LLMs tested are capable of generating and executing detailed criminal plans, achieving non-trivial success rates in several tasks, and even exhibiting extreme behaviors such as harming non-player characters. These findings underscore the urgent need for robust safety alignment in autonomous AI agents.

Large language models (LLMs) have shown strong capabilities in multi-step decision-making, planning and actions, and are increasingly integrated into various real-world applications. It is concerning whether their strong problem-solving abilities may be misused for crimes. To address this gap, we propose VirtualCrime, a sandbox simulation framework based on a three-agent system to evaluate the criminal capabilities of models. Specifically, this framework consists of an attacker agent acting as the leader of a criminal team, a judge agent determining the outcome of each action, and a world manager agent updating the environment state and entities. Furthermore, we design 40 diverse crime tasks within this framework, covering 11 maps and 13 crime objectives such as theft, robbery, kidnapping, and riot. We also introduce a human player baseline for reference to better interpret the performance of LLM agents. We evaluate 8 strong LLMs and find (1) All agents in the simulation environment compliantly generate detailed plans and execute intelligent crime processes, with some achieving relatively high success rates; (2) In some cases, agents take severe action that inflicts harm to NPCs to achieve their goals. Our work highlights the need for safety alignment when deploying agentic AI in real-world settings.