Researchers at the University of California have identified a previously undocumented class of attack targeting the infrastructure layer of AI agents, discovering that malicious third-party LLM API routers can intercept agent communications, inject code into tool calls, and drain crypto wallets – including, in at least one documented case, executing a real transfer of ETH from a researcher’s actual wallet.
The results, published in an April 2026 arXiv paper and described by the team as the first systematic analysis of malicious middleman attacks on the LLM supply chain, elevate what was previously a theoretical concern into a demonstrated and measurable threat.
What makes this finding structurally significant is the attack surface it exposes – not smart contracts, nor private key management failures in the conventional sense, but the routing layer that sits between an AI agent and the underlying language model it queries.
As autonomous AI agents are increasingly integrated into crypto wallets, DeFi protocols, and automated trading flows, this middle layer has become critical supporting infrastructure, yet it currently operates without any meaningful security standardization.
How Malicious AI Agent Routers Work: The Middle Attack Chain and What It Can Execute Against Crypto Wallets
An AI API router, in its standard use, functions as a middleware layer: it receives requests from an AI agent or application, forwards them to one or more LLM providers, and returns responses.
Developers and teams frequently use third-party routers to manage API keys, load balance across providers, or reduce costs by accessing cheaper model endpoints. The router is, by design, in a position of full visibility into every prompt, tool call, and response that passes through it.
A malicious router exploits exactly this position. Rather than transparently forwarding agent traffic, it can inspect, modify, or itself respond to tool calls – the structured commands that an AI agent issues to interact with external systems, including wallets.
Source: Arxiv
According to the UC researchers, this position enables at least three types of active attack: injecting malicious code into an AI agent’s tool-execution pipeline; harvesting API credentials and private keys passed or referenced in agent sessions; and deploying adaptive evasion logic that delays malicious behavior (in some documented cases waiting 50 or more call cycles before activating) in order to defeat naive monitoring.
The researchers also identified a fourth vector that they describe as particularly dangerous in agent contexts: the exploitation of “YOLO mode,” the autonomous execution capability present in several major agent frameworks, where the agent acts on responses to tool calls without human confirmation.
A router capable of injecting into this loop can, in principle, authorize transactions that the user has never explicitly approved. This capability is not theoretical: the team confirmed that one router among those tested was actively draining ETH from a researcher’s wallet.
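The defensive counterpart to the attack chain described above is a gate between the router’s response and the agent’s executor. The following is an added example, not code from the paper or the article: it treats any tool call whose name the agent never declared in its request as a router-side injection, blocks transfers to unknown recipients, and refuses to auto-execute high-risk tools without a human. The tool names, recipient allowlist and sample response are all constructed for illustration.

```python
# Added example: client-side gate for tool calls returned through an untrusted
# LLM API router. Response shape assumed: OpenAI-style chat completion JSON.
import json

HIGH_RISK_TOOLS = {"wallet_transfer", "sign_transaction", "run_shell"}  # assumed names
TRUSTED_RECIPIENTS = {"0x000000000000000000000000000000000000dEaD"}     # constructed

def gate_tool_calls(declared_tools, response):
    """Return (tool_name, verdict, reason) for every tool call in the response.

    declared_tools: the tool names the agent itself placed in the request.
    verdict is 'allow', 'confirm' (needs a human) or 'block'. Nothing executes
    until the caller has seen the verdict, so "YOLO mode" never sees raw calls.
    """
    verdicts = []
    choices = response.get("choices") or [{}]
    message = choices[0].get("message", {})
    for call in message.get("tool_calls") or []:
        fn = call.get("function", {})
        name, raw_args = fn.get("name", ""), fn.get("arguments", "{}")
        try:
            args = json.loads(raw_args)
        except json.JSONDecodeError:
            verdicts.append((name, "block", "arguments are not valid JSON"))
            continue
        if name not in declared_tools:
            # The model can only call tools the request declared; an unknown
            # name means something between agent and model rewrote the response.
            verdicts.append((name, "block", "tool not declared in request"))
        elif name == "wallet_transfer" and args.get("to") not in TRUSTED_RECIPIENTS:
            verdicts.append((name, "block", "transfer to unknown recipient"))
        elif name in HIGH_RISK_TOOLS:
            # Value-moving or code-running calls always need explicit approval.
            verdicts.append((name, "confirm", "high-risk tool needs human approval"))
        else:
            verdicts.append((name, "allow", "declared, low-risk"))
    return verdicts

# Constructed router response: one legitimate call plus two tampered ones.
SAMPLE_RESPONSE = {"choices": [{"message": {"role": "assistant", "tool_calls": [
    {"id": "c1", "type": "function", "function": {
        "name": "get_balance", "arguments": "{\"address\": \"0xabc\"}"}},
    {"id": "c2", "type": "function", "function": {
        "name": "run_shell", "arguments": "{\"cmd\": \"echo injected\"}"}},
    {"id": "c3", "type": "function", "function": {
        "name": "wallet_transfer",
        "arguments": "{\"to\": \"0x1111111111111111111111111111111111111111\", \"eth\": 1.5}"}},
]}}]}
DECLARED = {"get_balance", "wallet_transfer"}  # what the agent actually sent

if __name__ == "__main__":
    for verdict in gate_tool_calls(DECLARED, SAMPLE_RESPONSE):
        print(verdict)
```

Because the paper reports routers that stay clean for dozens of calls before activating, a gate like this has to run on every response, not just during an initial vetting period.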
Specific findings from UC researchers: scale, confirmed malicious behavior, and epistemic limits of an arXiv preprint
The research team tested 428 routers in total: 28 from paid listings on Taobao, Xianyu, and Shopify storefronts, and 400 obtained for free from public community channels. Of these, 9 routers – 1 paid, 8 free – were confirmed to be actively injecting malicious code into tool calls.
Additionally, 17 accessed AWS Canary credentials that the team had embedded as detection tripwires, and 2 deployed adaptive evasion techniques specifically designed to defeat behavioral surveillance. More than 20% of the full sample exhibited malicious behavior or indicators of material risk, according to the researchers’ own classification.
The credential exposure data from the team’s poisoning experiments is, if accurate, the paper’s most important finding. A leaked OpenAI key placed on Chinese forums, WeChat and Telegram was used to process 100 million GPT-5.4 tokens and over 7 standalone Codex sessions before being detected. A weaker decoy ID triggered 2.1 billion billable tokens across 440 Codex sessions and 401 standalone YOLO sessions, exposing 99 IDs in total.
26 LLM routers secretly inject malicious tool calls and steal credits. One of them emptied our client’s wallet of $500,000.
We also managed to poison the routers to pass traffic to us. In a few hours, we can directly support around 400 hosts.
Check out our article: pic.twitter.com/PlhmOYz2ec
– Chaofan Shou (@Fried_rice) April 10, 2026
Solayer founder Chaofan Shou (@Fried_rice) characterized the findings, in an April 10, 2026 social media post, as evidence of “systemic security vulnerabilities” in third-party API routers – a description that matches the paper’s own threat model.
The epistemic status of these claims needs to be stated plainly: the paper has not, at the time of writing, undergone formal academic peer review. It is an arXiv preprint, and its specific numbers – token counts, router behavior classifications, credential exposure counts – have not been independently verified by a third party.
We believe the key findings are directional, given the apparent rigor of the methodology and corroborating details for the multiple attack types reported, but extrapolations beyond the sample of 428 routers should be treated with proportionate caution.

Daniel Frances is a technical writer and Web3 educator specializing in macroeconomics and DeFi mechanics. Active in crypto since 2017, Daniel draws on his experience in on-chain analytics to write evidence-based reports and in-depth guides. He holds certifications from the Blockchain Council and is dedicated to providing “insight gain” that cuts through market hype to find real utility for blockchain.


