Researchers Warn Malicious Ai Agent Routers Could Become A New Crypto Theft Vector

What Happened

Malicious routers exploit exactly that trust model – they sit as application-layer proxies in the middle of that exchange, with full read-write access to plaintext JSON payloads passing through them in both directions.

Market Context

University of California researchers have identified a new class of infrastructure-level attack capable of draining crypto wallets and injecting malicious code into developer environments – and this crypto theft already happened in the wild.

Developers building onchain tools, DeFi automation scripts, and autonomous trading agents route API calls through third-party infrastructure constantly.

Why It Matters

The poisoning attack vector compounds the risk further. When leaked OpenAI API keys are processed through compromised routing infrastructure, the blast radius scales fast – 2.1 billion tokens processed, 99 credentials exposed across 440 Codex sessions in the researchers’ controlled test environment alone.

Details

A systematic study published on arXiv on April 8, 2026, titled “Measuring Malicious Intermediary Attacks on the LLM Supply Chain,” tested 428 AI API routers and found that 9 actively injected malicious code, 17 accessed researcher AWS credentials, and at least one free router successfully drained ETH from a researcher-controlled private key.

The attack surface is the AI agent routing layer – infrastructure that has expanded rapidly as AI agents become embedded in blockchain execution workflows. The question is no longer whether this threat is theoretical. The question is how many compromised routers are already handling live user sessions.

Scale of testing: Researchers tested 428 routers – 28 paid (sourced from Taobao, Xianyu, Shopify) and 400 free from public communities – using decoy AWS Canary credentials and encrypted crypto private keys.

Confirmed malicious activity: 9 routers injected malicious code, 17 accessed AWS credentials, and 1 free router drained ETH from a researcher-owned wallet.

Evasion sophistication: 2 routers deployed adaptive evasion, including waiting 50 API calls before activating and specifically targeting YOLO-mode autonomous sessions.

Attack mechanism: Routers operate as application-layer proxies with plaintext JSON access – no encryption standard governs what they can read or modify in transit.

Poisoning reach: Leaked OpenAI keys processed 2.1 billion tokens, exposing 99 credentials across 440 Codex sessions and 401 autonomous YOLO-mode sessions.

Recommended defenses: Researchers urge client-side fault-closure gates, response anomaly filtering, append-only audit logging, and cryptographic signing for verifiable LLM responses.

Discover: Top Crypto Presales to Watch This Month

How Malicious AI Agent Routers Actually Work – Plaintext Proxies, Not Encrypted Pipes

Standard LLM API infrastructure was designed for simple request-response relay: a client sends a prompt, the router forwards it to the model provider, the response comes back.

There are no encryption standards governing what a router can inspect or modify in transit. A malicious router sees the raw prompt, the model response, and everything embedded in either – including private keys, API credentials, wallet seed phrases, or code being generated for a live deployment environment.

It can alter the response before it reaches the user, inject additional code into a code-generation output, or silently exfiltrate credentials to an external endpoint.

The UC researchers built an agent they called “Mine” to simulate four distinct attack types against public frameworks, specifically targeting autonomous YOLO-mode sessions where the agent executes actions without human confirmation at each step.

Two of the 428 routers tested deployed adaptive evasion – one waited 50 API calls before activating malicious behavior, specifically to avoid detection during initial testing. That’s not a blunt credential-scraper. That’s a targeted tool built to survive scrutiny.

Discover: The best crypto to diversify your portfolio with

Who Is Actually Exposed – and Why Existing Defenses Don’t Reach This Layer of Crypto Theft

The problem is not that third-party API routers exist. The problem is that the entire trust model for AI agent infrastructure assumes the routing layer is neutral – and no enforcement mechanism currently verifies that assumption at scale.

Free routers sourced from public communities – the category where 8 of the 9 malicious injectors were found, are widely used precisely because they lower the cost of building LLM-powered applications. As automated execution infrastructure in DeFi grows more dependent on external data and agent coordination, the routing layer becomes an increasingly attractive target.

Existing wallet security – hardware devices, multisig setups, offline key storage – does not protect against a router that intercepts a private key before it reaches the signing layer, or that injects malicious code into a deployment script that later executes onchain.