Researchers at the University of California have highlighted a concerning new class of attack that targets the infrastructure supporting cryptocurrency transactions. This new threat involves malicious AI agent routers capable of draining crypto wallets and injecting harmful code into developer environments. The study, titled “Measuring Malicious Intermediary Attacks on the LLM Supply Chain,” published on arXiv on April 8, 2026, reveals that these attacks have already occurred in the wild.

In their systematic investigation, researchers tested 428 AI API routers, discovering alarming results: 9 of these routers actively injected malicious code, 17 accessed AWS credentials belonging to researchers, and at least one free router successfully drained Ethereum (ETH) from a researcher-controlled private key. The findings underscore a critical vulnerability in the AI agent routing layer, which has rapidly expanded as AI agents have become integral to blockchain execution workflows.

Key Findings

• Testing Scale: Researchers tested a total of 428 routers, including 28 paid routers sourced from platforms like Taobao and Shopify, as well as 400 free routers from public communities. They employed decoy AWS Canary credentials and encrypted crypto private keys during their tests.
• Malicious Activity Confirmed: The investigation confirmed that 9 routers injected malicious code, while 17 accessed AWS credentials. One free router was able to drain ETH from a researcher’s wallet.
• Evasion Techniques: Two routers demonstrated advanced evasion techniques, such as waiting for 50 API calls before activating their malicious behavior, specifically targeting YOLO-mode autonomous sessions.
• Mechanics of the Attack: These routers function as application-layer proxies, allowing them to access plaintext JSON data without any governing encryption standards. This lack of security means they can read and modify data in transit, including sensitive information like private keys and API credentials.
• Scope of Exposure: The leaked OpenAI keys processed a staggering 2.1 billion tokens, exposing 99 credentials across 440 Codex sessions and 401 YOLO-mode sessions.
• Defense Recommendations: The researchers recommend implementing client-side fault-closure gates, response anomaly filtering, append-only audit logging, and cryptographic signing to ensure the integrity of LLM responses.

The researchers developed an agent named “Mine” to simulate various attack types against public frameworks, focusing on YOLO-mode sessions where the agents operate autonomously without human oversight. Two routers were noted for their sophisticated evasion tactics, avoiding detection until a specific number of API calls had been made.

The risk of poisoning through leaked API keys is significant, as the compromised routing infrastructure can quickly amplify the scale of the attack. The processing of 2.1 billion tokens in the researchers’ tests illustrates the potential for widespread credential exposure.

Vulnerabilities in Current Security Measures

The primary issue lies not in the existence of third-party API routers but in the underlying trust model that assumes these routers operate neutrally. Developers frequently rely on third-party infrastructure to route API calls for on-chain tools, DeFi automation scripts, and autonomous trading agents. The prevalence of free routers in public communities, where the majority of malicious activity was detected, stems from their cost-effectiveness, making them attractive for developers.

Unfortunately, existing security measures, such as hardware wallets and multisig setups, do not safeguard against attacks where a router intercepts a private key before it reaches the signing layer or injects malicious code into deployment scripts that execute on-chain.

Annual losses from crypto theft have already reached $1.4 billion, and this new attack vector does not require breaking cryptographic protections but rather compromising a middleware component that often goes unchecked.

YOLO-mode autonomous sessions pose a particularly high-risk exposure, as agents executing transactions without human confirmation checkpoints provide a broader opportunity for malicious routers to act without detection. The findings of this research have sparked concern among industry experts, including Solayer founder @Fried_rice, who emphasized the systemic security vulnerabilities associated with third-party API routers.

The researchers advocate for proactive defenses, including fault-closure gates that halt execution upon detecting anomalies, response anomaly filtering, and robust logging practices that cannot be altered by the routers themselves. They also call for the establishment of cryptographic signing standards for LLM responses, similar to the integrity requirements for on-chain oracles.

Source: Cryptonews News