AI agents are poised to handle everything from booking flights to executing trades — and industry leaders say they’ll soon be making crypto payments at scale. But new research warns a little-known piece of that stack could let attackers quietly steal credentials and drain wallets.
The promise — and the scale
- McKinsey estimates AI agents could mediate $3 trillion to $5 trillion of global consumer commerce by 2030.
- Coinbase founder Brian Armstrong has predicted “very soon” there will be more AI agents than humans making transactions online. Binance CEO Changpeng Zhao went further, saying agents could make “one million times more payments than people,” many in crypto.
The blind spot: LLM routers
A cross‑institution research team (University of California, Santa Barbara; UC San Diego; blockchain firm Fuzzland; and World Liberty Financial) has flagged a critical attack surface: so‑called LLM routers. These services sit between users and large language models (OpenAI, Anthropic, Grok, etc.) and route requests to the chosen model. Because routers see and forward the full request/response stream, they can also read, modify, or inject commands into traffic passing through them.
Why that matters for crypto
The researchers note that LLM agents are moving beyond chatbots into systems that book travel, run code, manage infrastructure, and approve financial actions. Those agents often operate autonomously and can approve and execute actions without human review — so a single tampered instruction can immediately trigger harmful behavior.
Concrete findings and exploits
- The team reported that 26 LLM routers were “secretly injecting malicious tool calls and stealing creds,” and that in one case a client’s Ethereum wallet was drained for $500,000 after its private key was exposed, researcher Chaofan Shou wrote on X.
- They demonstrated how easy it is to “poison” parts of the router ecosystem so traffic is forwarded to an attacker-controlled endpoint, enabling observation or control of hundreds of downstream systems in hours. In Shou’s words, “Within several hours, we can directly take over ~400 hosts.”
- A malicious router can swap a benign command for an attacker-controlled one or exfiltrate any credentials that transit it. Private keys, API credentials, and wallet access tokens are frequently transmitted in plain text in workflows the team tested — meaning they can be captured and reused without the user’s knowledge.
The systemic risk: weakest-link chaining
Because requests often traverse multiple routers and intermediary services, trust in the AI model alone is insufficient. The researchers emphasize a weakest-link problem: one compromised router in the chain can undermine an otherwise trusted provider, producing a cascading risk across services and users.
What this means for crypto users and the industry
- Immediate user risk: private keys and API tokens that pass through these intermediary routers can be stolen and reused, enabling wallet drains and account takeovers.
- Infrastructure gap: as industry leaders predict rapidly rising use of AI agents for payments and trading, the routing and middleware layer currently lacks strong guarantees that model inputs and outputs haven’t been tampered with.
Takeaways and mitigation (practical steps)
While the research is a warning, it also points to clear areas for action:
- Avoid sending private keys or long-lived credentials in plaintext through third‑party agents or middleware. Use hardware wallets and signing services that keep keys off the wire.
- Minimize token/API scopes and rotate credentials frequently.
- Vet and audit any third‑party LLM routing/service providers; require end‑to‑end encryption and attestation where possible.
- Push for stronger infrastructure guarantees and provenance for model outputs (signed responses, auditable execution paths) from vendors and the wider AI ecosystem.
Bottom line
AI agents are set to become major actors in crypto payments — but until routing and middleware layers are hardened, that future brings substantial new attack vectors. The research underscores the need for rapid security improvements in the infrastructure that connects users, agents, and models before autonomous AI becomes the norm for financial transactions.
Read more AI-generated news on: undefined/news
