OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
Threats· Trust Inversion series· Apr 13, 2026· 5 min read

Your AI Agent's Plumbing Can Steal Your Crypto

Researchers from UC Santa Barbara, UC San Diego, blockchain security firm Fuzzland, and World Liberty Financial published a paper documenting a class of attacks on LLM routers — the services that sit between users and AI models like Claude, ChatGPT, and Gemini. Of 428 routers analyzed, 9 were found injecting malicious code or stealing credentials. The paper defines two attack classes: payload injection, where the router rewrites tool-call traffic, and secret exfiltration, where it harvests credentials from plaintext. One router drained ETH from a researcher-controlled test wallet. Secondary reporting links the research to a $500,000 real-world wallet drain, though the primary paper documents the test wallet theft. Two routers deployed adaptive evasion targeting autonomous sessions specifically. The attack surface is not the AI model. It is the infrastructure between you and the model.

Key takeaways

  1. The paper 'Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain' analyzed 28 paid routers purchased from Taobao, Xianyu, and Shopify, plus 400 free routers built from common open-source templates. Of those 428, 9 were found to inject malicious code into returned tool calls or steal credentials — 1 paid and 8 free. Two deployed adaptive evasion, activating payloads only after 50 prior calls or only when the client was running in autonomous mode, specifically to avoid detection during security reviews
  2. 17 of the free routers touched at least one researcher-owned AWS canary credential, a decoy key designed to alert if accessed. One router drained ETH from a researcher-controlled test wallet, the clearest proof that this is not a theoretical risk. Secondary reporting links the research to a $500,000 real-world wallet drain; the primary paper documents the test wallet theft without that specific figure
  3. In March 2026, attackers compromised the LiteLLM package — the dominant open-source router with roughly 40,000 GitHub stars and over 240 million Docker Hub pulls — through dependency confusion, injecting malicious code directly into the request-handling pipeline of every deployment that pulled the poisoned release. LiteLLM is integrated into thousands of production pipelines. The researchers' intentionally leaked test keys processed 2.1 billion tokens from routers in the wild, with 401 sessions already running in autonomous mode
  4. LLM routers are designed for model fallback, load balancing, cost optimization, and single-API-key access across providers. They sit between the user's application and the AI model. They have full visibility into every request and every response — including any credentials, API keys, private keys, or wallet access tokens that pass through them in plain text. They operate outside the model's reasoning loop, meaning model-side safety features provide no protection against router-layer attacks
  5. The attack is orthogonal to prompt injection. It occurs in the JSON and tool-call layer before the model sees the request or after it emits a response. A router that replaces a benign tool call with a malicious one, or silently exfiltrates every credential that passes through it, is invisible to the model entirely. Model alignment, safety filters, and refusal training provide zero protection

What Happened

Researchers affiliated with UC Santa Barbara, UC San Diego, blockchain security firm Fuzzland, and World Liberty Financial published a paper titled 'Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain.' The paper documents a category of attack that has been largely invisible in public security research: malicious LLM routers. The team analyzed 428 routers — 28 paid and 400 free — and found 9 actively injecting malicious code or stealing credentials in the wild. Two of those deployed adaptive evasion, specifically designed to look clean during security reviews by waiting for a warm-up period or activating only during autonomous sessions.

The paper landed against a backdrop of rapid AI agent adoption in crypto. Coinbase's Payments MCP has processed tens of millions of transactions and recorded a 10,000% spike in agent activity. Stripe, MoonPay, and dozens of other providers shipped AI agent payment infrastructure in early 2026. AI agents equipped with crypto wallets are now transacting at scale. The infrastructure connecting those agents to their underlying models is the new attack surface.

What an LLM Router Is and Why It Has Access to Everything

LLM routers are intermediary services that sit between a user's application and AI model providers like OpenAI, Anthropic, or Google. They provide model fallback (if one provider is down, route to another), load balancing, cost optimization, and a single API key that works across multiple providers. LiteLLM, the dominant open-source router, has roughly 40,000 GitHub stars and 240 million Docker Hub pulls. OpenRouter connects users to over 300 active models from 60 providers and serves millions of developers. Most production AI deployments route traffic through at least one such intermediary.

A router sits in the middle of every conversation. Every request from the user's application passes through it before reaching the model. Every response from the model passes back through it. That means the router has full visibility into system prompts, user messages, tool calls, tool results, and any credentials or sensitive data embedded in those payloads. For AI agents connected to crypto wallets, that includes private keys, API tokens, and wallet access credentials — often passed in plain text because the developer assumes the router is a trusted intermediary.

What the Paper Found

Of 28 paid routers, 1 injected malicious code. Of 400 free routers built from common open-source templates, 8 injected malicious code or stole credentials. The paper formalizes two attack classes: payload injection, where the router alters or replaces tool-call traffic before it reaches the model or after the model responds; and secret exfiltration, where the router silently harvests credentials and keys from plaintext passing through it. Both classes are orthogonal to prompt injection — they happen in the JSON and tool layer entirely outside the model's reasoning loop, which means model safety features provide no protection against them. The free-router ecosystem runs largely on two template projects — new-api (25,400 GitHub stars, 1.25 million Docker pulls) and one-api (30,500 stars, 1.19 million Docker pulls) — both of which the researchers identified as having architecture that makes this class of attack structurally easy to implement.

Two routers were particularly sophisticated. Both deployed adaptive evasion: one waited for 50 prior calls before activating its payload, specifically to pass any automated security scan that runs only a small number of test requests. Another delivered its payload only when it detected the client was running in autonomous mode — the configuration where an AI agent executes actions without per-request human approval. For crypto users, that is exactly the configuration used when an agent manages a wallet. The router specifically targets that mode because it maximizes the window for unauthorized transactions before anyone notices.

The Supply Chain Compromise and the Real-World Drain

In March 2026, a threat actor identified as TeamPCP compromised the LiteLLM package itself through dependency confusion — a supply chain attack where a malicious package is published to PyPI, npm, or Docker Hub with a name that matches a dependency LiteLLM pulls in. Every deployment that pulled the poisoned release had malicious code injected directly into its request-handling pipeline. LiteLLM is used in production by thousands of organizations. The researchers' canary keys — intentionally leaked test credentials designed to alert on access — processed 2.1 billion tokens from routers in the wild before the study concluded.

Researcher Chaofan Shou documented the real-world outcome directly. In a post on X: 26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client's $500,000 wallet. The primary paper documents a test wallet drain; secondary reporting links the research to that $500,000 figure without the primary paper specifying that exact amount. The researchers also demonstrated the attack surface extends beyond individual malicious routers. By poisoning parts of the router ecosystem — tricking services into forwarding traffic through attacker-controlled relays — they were able to observe and control roughly 400 downstream systems within hours. A single malicious router in a chain of forwarding services is enough to compromise every downstream node.

What This Means for You

If you use any AI agent with access to your crypto holdings — whether that is an agent wallet, a DeFi automation tool, a trading bot, or any AI assistant with permission to read or send transactions — the LLM router between your application and the model is a full-visibility intermediary you have likely never audited. It sees every credential that passes through it. It can replace benign tool calls with malicious ones. It can exfiltrate private keys silently. The model's safety features, refusal training, and alignment provide zero protection against this attack because it happens outside the model's reasoning loop entirely.

The self-custody framing that applies to hardware wallets does not transfer here unchanged. Holding your own keys protects you from exchange insolvency, custodian failure, and counterparty risk. It does not protect you if the agent infrastructure sitting in front of your wallet can rewrite the action before the wallet signs it, or capture the private key before it reaches the signing step. The attack is upstream of the wallet. A hardware wallet correctly signing a transaction that was silently rewritten by a malicious router is not a security system — it is a compliant participant in the theft.

The practical security posture: treat the LLM router as an untrusted component regardless of who provides it. Never pass private keys, wallet seed phrases, or bearer tokens through an LLM routing layer in plain text. Where possible, use direct API connections to model providers rather than third-party routers. If you are building or using an AI agent with wallet access, implement a fail-closed policy gate — any tool call that includes a financial action should require explicit human approval before execution, not just model-generated authorization. Autonomous mode, where an agent executes financial transactions without per-action review, is specifically the mode the most sophisticated malicious routers target.

What to Watch

The paper proposes three client-side defenses: a fail-closed policy gate that blocks unexpected tool calls, response-side anomaly screening that flags unusual model outputs, and append-only transparency logging that creates an auditable record of every router action. None of these are widely implemented in consumer-facing AI agent products today. Watch for whether Coinbase, Stripe, and MoonPay — the infrastructure providers building AI agent payment rails — adopt mandatory transparency logging as a product requirement. And watch for whether OWASP's LLM security guidance, which currently focuses on prompt injection, is updated to address the router supply chain attack class this paper documents.

The router between your app and your AI model sees everything. Most of them have never been audited.

Sources

  1. [1]arXiv:2604.08407 — 'Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain', UC Santa Barbara, UC San Diego, Fuzzland, World Liberty Financial, April 2026
  2. [2]CoinDesk — 'AI Agents Are Set to Power Crypto Payments, but a Hidden Flaw Could Expose Wallets', April 13, 2026
  3. [3]Chaofan Shou (@shouc_) — researcher disclosure on X, April 2026
  4. [4]Datadog Security Labs — LiteLLM dependency confusion compromise by TeamPCP, March 2026
  5. [5]Adversa AI — 'Top GenAI Security Resources April 2026', LiteLLM incident analysis
  6. [6]Pillar Security Research — 'Operation Bizarre Bazaar: First Large-Scale LLM Hijacking Campaign', January 2026
Trust Inversion series · Part 1 of 11
Next part →
Fake Ledger App Drained $9.5M From Apple's App Store

More in Trust Inversion

Hinkal Lost $820,000 After Its Privacy Proof Verification Failed to Verify Anything$1.7 Million Drained Through a Single Forged Proof on TaikoFTX Repays Bitcoin Creditors at $16,871 Petition-Date Price