Share
A new academic study from researchers at the University of California has identified a critical weakness in the AI tooling stack that directly affects crypto users. The paper finds that at least 26 third-party large language model (LLM) routers are injecting malicious instructions or extracting sensitive credentials, including private keys, during routine AI-assisted workflows.
The issue sits in a layer many developers assume to be neutral infrastructure.
26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client $500k wallet.
We also managed to poison routers to forward traffic to us. Within several hours, we can directly take over ~400 hosts.
Check our paper: https://t.co/zyWz25CDpl pic.twitter.com/PlhmOYz2ec
— Chaofan Shou (@Fried_rice) April 10, 2026
LLM routers act as intermediaries between developers and model providers such as OpenAI, Anthropic, and Google. They manage and distribute API requests across models.
In doing so, they terminate encrypted connections and gain full plaintext access to every request and response.
This includes:
For developers using AI coding agents to build wallets or contracts, this creates a direct exposure point. The router isn’t just forwarding data. It can read, modify, and replay it.
The researchers tested 28 paid routers and more than 400 free routers sourced from developer communities.
Their findings point to active exploitation, not just theoretical risk:
The wallet loss was under $50, but the setup was deliberate. The researchers used decoy private keys to confirm whether injected instructions could execute and extract funds.
This confirms that injected instructions can move from the router to execution without interruption. The router can alter instructions and the agent can act on them.
Many AI agent frameworks include a setting known as ‘YOLO mode,’ where actions are executed automatically without step-by-step approval.
In this setup, a malicious instruction inserted by a router does not require user confirmation and executes automatically.
This turns a passive vulnerability into an active exploit path, especially in workflows involving signing transactions or deploying contracts.
One of the study’s key findings is how difficult it is to distinguish normal behavior from theft. Routers already process credentials in plaintext as part of standard operation. From the user’s perspective, there is no clear boundary.
At the same time, the evidence of large-scale financial loss remains limited. The only confirmed on-chain drain in the study involved a controlled test wallet, and no transaction hash or broader incident data was disclosed.
This leaves a clear gap between demonstrated capability and observed real-world impact.
The study shifts how developers should think about AI-assisted workflows. The immediate takeaway is operational. Developers should not pass private keys or seed phrases through AI agents and should treat routing layers as untrusted infrastructure.
The longer-term fix proposed by the researchers is cryptographic verification of model outputs, allowing developers to confirm that instructions originate from the intended source.
Until then, the risk sits in plain sight, not in the model but in the layer routing every request.
Share
preferred on
