The cryptocurrency sector is advancing toward an era where AI agents manage activities from flight bookings to trades and payments. However, recent research indicates that the infrastructure supporting this shift may not be secure.
McKinsey has forecasted that AI agents could oversee $3 trillion to $5 trillion of global consumer commerce by 2030. Brian Armstrong, founder of Coinbase, recently stated on X that AI agents will soon outnumber humans conducting transactions online. Changpeng Zhao, the founder of Binance, went further, predicting these agents will conduct one million times more crypto payments than people.
Nevertheless, a collaborative team of security academics and cryptocurrency researchers has published a paper revealing how an often-overlooked aspect of AI infrastructure is currently being exploited to steal credentials and drain crypto wallets. This research group includes members from the University of California, Santa Barbara; the University of California, San Diego; blockchain firm Fuzzland; and World Liberty Financial.
Their findings indicate that “LLM routers,” which serve as intermediaries between users and AI models like OpenAI or Anthropic, can be leveraged by malicious actors. These routers have complete access to all data passing through them, including sensitive information.
“LLM agents now extend beyond mere conversational tools into entities capable of booking flights, executing code, and managing infrastructure on behalf of users,” the researchers noted, emphasizing how these systems are increasingly taking on significant financial roles.
Users face heightened vulnerability as they believe they are interacting directly with reputable AI models such as OpenAI or Grok, whereas many requests actually pass through intermediary services that can access and modify data, the paper explains.
Chaofan Shou, one of the researchers, highlighted the issue is no longer hypothetical. He reported on X that “26 LLM routers are secretly injecting malicious tool calls and stealing credentials. One router drained our client’s $500k wallet.” The team also demonstrated their ability to poison parts of the ecosystem, redirecting traffic and taking control over approximately 400 hosts within hours.
“A malevolent router can replace a harmless command with one controlled by an attacker or exfiltrate all credentials passing through,” according to the researchers. They noted that these autonomous systems could approve and execute actions without human oversight, meaning a single altered instruction can immediately compromise systems or funds.
For cryptocurrency users, this poses significant risks as private keys, API credentials, and wallet access tokens often traverse these systems in plain text. The study identified multiple instances where routers collected these secrets, including an instance where an Ethereum test wallet was drained after its private key was exposed.
“Once credentials like private keys are revealed, they can be copied and reused without user consent,” the paper’s authors observed.
The research further illustrated how easy it is to expand such attacks. By “poisoning” parts of the router ecosystem, the team could observe and potentially control numerous downstream systems quickly.
“A single malicious router in the chain is sufficient to compromise the entire system,” they wrote, highlighting a significant weakest-link vulnerability.
This suggests that even if users trust their AI provider, the intermediary infrastructure may not be reliable, creating a potential mismatch as industry leaders predict that AI agents will handle an increasing portion of crypto transactions without ensuring outputs haven’t been altered.