Researchers from the University of California have made alarming discoveries regarding a new class of infrastructure-level attacks that could significantly compromise cryptocurrency security. Their recent study, titled “Measuring Malicious Intermediary Attacks on the LLM Supply Chain,” published on arXiv on April 8, 2026, indicates that malicious AI agent routers are not merely theoretical threats; they have already facilitated crypto theft in real-world scenarios.

In their systematic examination of 428 AI API routers, the researchers found that 9 of these routers actively injected malicious code, while 17 were able to access AWS credentials of researchers. Notably, a single free router managed to drain Ethereum (ETH) from a private key controlled by a researcher, showcasing the potential severity of this issue.

The focus of the attack lies within the AI agent routing layer, a crucial infrastructure component that has seen rapid expansion as AI agents increasingly become integrated into blockchain workflows. The pressing concern is not whether these threats exist, but how many compromised routers are currently managing live user sessions.

Key Findings from the Research

• Testing Scale: The research involved testing 428 routers, comprising 28 paid routers obtained from platforms like Taobao and Shopify, and 400 free routers sourced from public communities. The study utilized decoy AWS Canary credentials and encrypted crypto private keys to assess vulnerabilities.
• Malicious Activities Confirmed: Among the tested routers, 9 were found to inject harmful code, 17 accessed AWS credentials, and 1 effectively drained ETH from a researcher-owned wallet.
• Adaptive Evasion Techniques: Two routers exhibited advanced evasion tactics, such as delaying malicious activities until after 50 API calls to avoid detection during initial testing phases.
• Mechanism of Attack: The routers function as application-layer proxies that allow plaintext JSON access, which means there are no encryption standards preventing them from reading or modifying data in transit.
• Widespread Credential Exposure: Compromised OpenAI keys processed approximately 2.1 billion tokens, leading to the exposure of 99 credentials across 440 Codex sessions and 401 autonomous YOLO-mode sessions.
• Proposed Defenses: The researchers advocate for several defensive measures, including client-side fault-closure gates, response anomaly filtering, append-only audit logging, and implementing cryptographic signing for verifiable LLM responses.

Understanding the Mechanism of Malicious AI Routers

The standard infrastructure for LLM APIs is designed for straightforward request-response interactions, where a client sends a prompt, which the router forwards to the model provider, and the response is returned. However, malicious routers exploit this trust model by positioning themselves as intermediaries with complete access to the plaintext JSON payloads flowing through them. This access allows them to see raw prompts, model responses, and any embedded sensitive information such as private keys and API credentials.

These routers can modify responses before delivering them to users, inject harmful code into a code generation output, or stealthily exfiltrate sensitive credentials to external endpoints. The researchers created an agent named “Mine” to simulate various attack types against public frameworks, specifically targeting autonomous YOLO-mode sessions where actions are executed without human confirmation.

Out of the 428 routers tested, two displayed sophisticated evasion techniques, indicating that these are not mere blunt instruments for credential theft but rather highly targeted tools designed to withstand scrutiny.

Who Is Vulnerable and the Limitations of Current Defenses

The core issue is not the existence of third-party API routers but rather the flawed trust model that assumes these routers operate neutrally. Developers frequently use third-party infrastructure for routing API calls when building on-chain tools, DeFi automation scripts, and trading agents. Many of these developers rely on free routers from public communities, where the majority of malicious injectors were found, due to cost efficiency.

Traditional wallet security measures, such as hardware devices and multisig setups, fail to protect against a malicious router that intercepts private keys before they reach the signing layer or injects harmful code into deployment scripts destined for on-chain execution. As the total losses from crypto theft reached $1.4 billion annually, this new attack vector poses a significant threat without requiring any sophisticated cryptographic breaches.

YOLO-mode autonomous sessions represent the highest risk exposure, as these agents execute multi-step transactions without human checkpoints, providing malicious routers a broader window to act without detection. The findings from the researchers have been echoed by industry experts emphasizing the systemic security vulnerabilities inherent in widely adopted third-party API routers.

The researchers recommend client-side defenses such as fault-closure gates to interrupt execution when anomalies are detected, response anomaly filtering, and robust logging systems to create tamper-proof audit trails. For long-term solutions, they advocate for cryptographic signing standards to ensure the integrity and verifiability of LLM responses, which is essential in safeguarding the future of decentralized finance.

Source: Cryptonews News