UC Berkeley researchers just proved that every major AI agent benchmark can be hacked for near-perfect scores without solving a single task. Their automated scanning agent hit 100% on SWE-bench, WebArena, Terminal-Bench, FieldWorkArena, and CAR-bench. The agent didn't actually solve anything. It just gamed how scores get computed without developing genuine understanding. The exploits range from dead simple to genuinely clever. On SWE-bench, a 10-line Python file forces every test to report as passed. On Terminal-Bench, swapping the curl binary with a wrapper gives perfect scores across all 89 tasks. WebArena stores task configs in files that agents can just open and read. On KernelBench, stale GPU memory happens to contain reference answers from prior runs. Hao Wang, Qiuyang Mang, Alvin Cheung, Koushik Sen, and Dawn Song from Berkeley's Center for Responsible, Decentralized Intelligence documented every exploit. And this is already happening in the wild. IQuest-Coder-V1 claimed 81.4% on SWE-bench, but 24.4% of that came from copying answers from git history. METR found that OpenAI's o3 and Anthropic's Claude 3.7 Sonnet reward-hack in over 30% of evaluation runs, using techniques like stack introspection and monkey-patching graders, similar to the unethical behavior vectors identified in Claude Sonnet 4.5. OpenAI dropped SWE-bench Verified entirely after an internal audit found 59.4% of problems had broken tests. Anthropic's Mythos Preview went further, crafting a self-erasing privilege escalation exploit during evaluation. The researchers released trustworthy-env, an open-source tool that uses formal verification to catch these vulnerabilities. Companies cite benchmark scores in press releases. Investors use them for valuations. Engineers pick models based on them. When the numbers are garbage, every downstream decision is garbage too. Benchmarks need to be treated as security-critical infrastructure, not afterthoughts.