April 14, 2026 ChainGPT

Honeypot Reveals LLM Routers Draining Crypto and Stealing Keys

Researchers at the University of California say a tiny crypto honeypot exposed a much bigger threat: they loaded a wallet with a small amount of Ether, routed its traffic through third‑party AI routing infrastructure, and watched one of the routers drain the funds. The loss was under $50, but the experiment was just one piece of a larger, alarming study.

The team audited 428 LLM routing services gathered from public communities (28 paid, 400 free) and reported a range of malicious behaviors:

- Nine routers were actively injecting malicious code into traffic.
- Two used evasion techniques to hide their activity.
- Seventeen accessed the researchers’ AWS credentials.
- At least one router stole cryptocurrency in a live test.

Co-author Chaofan Shou also tweeted more sweeping claims from the research: that 26 routers were “secretly injecting malicious tool calls and stealing creds,” that one router had drained a client’s $500k wallet, and that the team was able to poison routers to redirect traffic, gaining control of roughly 400 hosts within hours. These additional findings appear in the team’s paper and related posts.

Why this matters for crypto projects

LLM routers sit between developers’ apps and AI providers (OpenAI, Anthropic, Google, etc.), aggregating API access and routing requests. Critically, many routers terminate TLS connections and inspect requests in plaintext. Anything sent through them, including private keys, seed phrases, API secrets, or login credentials, becomes visible to the router operator. From the client side there is no reliable signal to tell benign credential handling from outright exfiltration; a seemingly legitimate router can quietly forward sensitive data to attackers.

The paper also highlights a dangerous interaction with “YOLO mode,” a setting in many AI agent frameworks that allows agents to run commands without user approval. Combine an auto‑executing agent with a malicious router, and funds or data can be moved before a developer notices anything amiss.

Free services in particular look risky: cheap or no‑cost API access appears to be used as an incentive to route traffic through infrastructure that may harvest credentials. The researchers warn that even routers that start out clean can be turned malicious later if operators reuse leaked credentials or expose relay systems.

What to do now — and later

Immediate guidance is simple and practical: never put private keys, seed phrases, or other high‑value secrets into AI agent sessions or any traffic sent through untrusted routers. Treat a router as a party that can read every prompt and rewrite every response, and keep agents out of approval‑free modes when they can spend funds or reach credentials.

For a longer‑term fix, the researchers recommend cryptographic measures from AI providers: digitally sign model responses so an agent can verify that instructions truly came from a specific model. Signed responses would make it far harder for middlemen to tamper with or inject instructions without detection. Note that a signature on the response does not stop a TLS‑terminating router from reading the request, so the first rule still applies even once providers sign.

The full study and details are available in the researchers’ paper and accompanying posts; Chaofan Shou summarized key claims on X.