LLM Routers Are Stealing Crypto: What This Study Found

A new arxiv study finds 26 LLM API routers injecting malicious code and draining ETH wallets, exposing a hidden supply chain threat inside AI coding agents.

The AI coding tools developers trust daily may be feeding credentials and crypto funds to unknown third parties. A new peer-reviewed study published on arXiv has exposed a serious and underreported attack surface inside the LLM supply chain, one that puts real wallets at risk.

Researchers from UC Santa Barbara tested 428 paid and free LLM API routers. These are services that sit between a developer’s AI agent and the upstream model provider. Think of them as middlemen. They see every message, every tool call, every JSON payload passing through in plain text.

No provider enforces cryptographic integrity between client and upstream model.

The Numbers Nobody Was Watching

Of the 28 paid routers purchased from Taobao, Xianyu, and Shopify-hosted storefronts, 1 was actively injecting malicious code. Among 400 free routers pulled from public developer communities, 8 were doing the same. Two of those deployed adaptive evasion triggers, meaning the attacks only fire under specific conditions designed to dodge detection.

17 routers touched researcher-owned AWS canary credentials. One drained ETH from a researcher-owned private key.

That last detail is not theoretical. An actual wallet was emptied.

What the Attacks Actually Do

The paper formalizes four attack classes. Payload injection, labeled AC-1, plants malicious instructions directly inside an agent’s tool-calling flow. Secret exfiltration, AC-2, quietly copies credentials and sends them out. The adaptive variants go further. Dependency-targeted injection, AC-1.a, waits for a specific software package to appear before triggering. Conditional delivery, AC-1.b, holds the attack until a behavioral trigger fires.

The researchers built a tool called Mine, a research proxy that runs all four attack classes against four public agent frameworks. It was used to test three client-side defenses: a fail-closed policy gate, response-side anomaly screening, and append-only transparency logging.

These are deployable. None of them require changes from the model provider.

A Leaked Key Generated 100 Million Tokens

The paper includes two poisoning scenarios that are harder to explain away. In the first, an ostensibly clean router accessed a leaked OpenAI key and generated 100 million GPT-5.4 tokens plus more than seven Codex sessions. In the second, a weakly configured decoy produced 2 billion billed tokens, 99 separate credentials across 440 Codex sessions, and 401 sessions already running in what the paper calls autonomous YOLO mode.

YOLO mode. Agents executing with no human confirmation loop.

This connects to a broader pattern researchers have been tracking across autonomous AI agent deployments, where agents running with wallet access and tool-execution permissions become high-value targets the moment a supply chain component goes bad.

No Cryptographic Guarantees

The core vulnerability is architectural. LLM agents route tool-calling requests through third-party API proxies. These proxies have full plaintext access to every in-flight payload. There is no cryptographic binding between what a client sends and what actually reaches the upstream model.

A malicious router can read it. Modify it. Copy it. Drain it.

The study is authored by Hanzhi Liu, Chaofan Shou, Hongbo Wen, Yanju Chen, Ryan Jingyang Fang, and Yu Feng, and is available in full at arxiv.org/abs/2604.08407.

Developers building on third-party LLM routers should treat them as untrusted intermediaries until integrity verification is standard across the stack. The defenses the researchers propose exist now. The attacks do too.