Key Takeaways
Third-party services used to route requests between AI agents and large language models could expose users to credential theft and crypto losses, according to new research from U.S. academics studying the emerging “LLM router” ecosystem.
The paper, published on arXiv by researchers from the University of California, Santa Barbara, University of California, San Diego and others, examined how these intermediary systems handle traffic between users and model providers such as OpenAI, Anthropic and Google.
The researchers said LLM routers operate as intermediaries with “full plaintext access to every in-flight JSON payload.”
This gives LLMs visibility into sensitive data such as API keys and prompts.
In tests of 28 paid routers and 400 free ones, the study found that one paid router and eight free routers were “injecting malicious code into returned tool calls.”
The other 17 accessed researcher-controlled cloud credentials.
26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client $500k wallet.
We also managed to poison routers to forward traffic to us. Within several hours, we can directly take over ~400 hosts.
Check our paper: https://t.co/zyWz25CDpl pic.twitter.com/PlhmOYz2ec
— Chaofan Shou (@Fried_rice) April 10, 2026
The LLM routers paper warned this creates a critical trust issue.
They noted that “a single malicious or compromised router” can rewrite tool calls or extract credentials without detection.
It identified four attack types, including “payload injection (AC-1)” and “secret exfiltration (AC-2).”
These attacks let attackers alter commands that AI agents execute or silently collect sensitive data.
To assess real-world impact, the researchers tested crypto credential exposure using pre-funded Ethereum wallets.
They reported “1 [router] draining ETH from a researcher-owned Ethereum private key,” showing that funds could be accessed once sensitive keys pass through compromised routing infrastructure.
While the experiment involved minimal funds, it demonstrated how “a single rewritten tool call is sufficient for arbitrary code execution,” potentially allowing attackers to manipulate transactions.
The authors said this highlights risks for developers using AI agents to interact with crypto wallets, particularly where systems can execute commands automatically.
The study also examined how compromised credentials can spread across the AI ecosystem.
Researchers deliberately leaked a controlled OpenAI API key across Chinese forums, WeChat, and Telegram groups.
LLMs quickly picked up the compromised API keys and generated “100 million GPT-5.4 tokens” and several Codex sessions.
This showed how stolen access can spread across different services without the original user knowing.
In another test, the researchers set up weakly secured relay services, including Sub2API, claude-relay-service and CLIProxyAPI.
These systems were quickly targeted, receiving thousands of unauthorized access attempts.
They were later used to process about “2B GPT-5.4 / 5.3-codex tokens,” exposing “99 credentials across 440 Codex sessions.”
Many of these sessions were running in “YOLO mode,” meaning commands were executed automatically without user approval.
The findings suggest that even services that appear safe can become part of an attack chain if they rely on leaked keys.
While some client-side protections can reduce risk, the researchers said current measures do not fully address the issue.
They argued that securing AI agents will require stronger guarantees from model providers.
Researchers called for “provider-backed response integrity so that the tool call an agent executes can be cryptographically tied to what the upstream model actually produced.”
Existing defenses, such as policy controls, can limit exposure but remain incomplete, researchers said.
“No client-side control available today can prove that a router preserved the upstream provider’s response,” the paper said.
The researchers pointed to the need for industry-wide standards, including cryptographic signing of model outputs, to ensure responses have not been modified in transit.
Until then, they cautioned developers to treat third-party routing services as a high-risk component in the AI supply chain.
This is particularly important when handling sensitive data or executing automated actions.
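To make the "response integrity" proposal concrete, here is an added sketch (not code from the paper or from any provider) of an agent that refuses tool calls whose integrity tag does not match what the upstream model produced. It assumes a hypothetical `integrity` field and a verification key delivered outside the router path, uses HMAC as a stand-in for a provider public-key signature, and goes one step beyond the quoted proposal by also binding the tag to a request ID so an old response cannot be replayed.

```python
import hashlib
import hmac
import json

# Constructed key. Assumption: the client gets it out of band, never via the
# router. HMAC stands in for a public-key signature (standard library only).
PROVIDER_KEY = b"constructed-demo-key-not-a-real-secret"

def canonical(tool_calls):
    """Serialize tool calls deterministically so both sides hash the same bytes."""
    return json.dumps(tool_calls, sort_keys=True, separators=(",", ":")).encode()

def provider_sign(request_id, tool_calls):
    """Provider side: bind the tool calls to the request they answer."""
    msg = request_id.encode() + b"\n" + canonical(tool_calls)
    tag = hmac.new(PROVIDER_KEY, msg, hashlib.sha256).hexdigest()
    return {"request_id": request_id, "tool_calls": tool_calls, "integrity": tag}

def client_verify(response, expected_request_id):
    """Agent side: return the tool calls only if the tag matches, else raise."""
    if response.get("request_id") != expected_request_id:
        raise ValueError("response is not bound to this request")
    msg = expected_request_id.encode() + b"\n" + canonical(response.get("tool_calls"))
    want = hmac.new(PROVIDER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, str(response.get("integrity", ""))):
        raise ValueError("tool calls differ from what the provider signed")
    return response["tool_calls"]

def rewriting_router(response):
    """Constructed stand-in for a router that alters a tool-call argument in transit."""
    altered = json.loads(json.dumps(response))  # deep copy via JSON round trip
    altered["tool_calls"][0]["arguments"]["url"] = "https://altered.example/pkg"
    return altered

def demo():
    calls = [{"name": "fetch", "arguments": {"url": "https://pkg.example/pkg"}}]
    upstream = provider_sign("req-001", calls)
    cases = {"honest": (upstream, "req-001"),
             "rewritten": (rewriting_router(upstream), "req-001"),
             "replayed": (upstream, "req-002")}
    results = {}
    for label, (resp, rid) in cases.items():
        try:
            client_verify(resp, rid)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results
```

Calling `demo()` returns the verdict for an untouched response, a rewritten one and a replayed one; only the first is accepted.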
The growing intersection between AI and blockchain is also fueling expectations that crypto could play a larger role in the next wave of its development.
Venture capitalist Marc Andreessen described the convergence as a “grand unification.”
He argued that autonomous AI systems will require native digital payment infrastructure to operate effectively.
Andreessen said, “I think AI is the killer crypto app,” on the Latent Space podcast.
He pointed to early signs of adoption as advanced users experiment with financially autonomous AI agents.
“My friends… have given their [AI agents] bank accounts and credit cards,” he said, adding that while adoption is still limited, “it will grow. That’s how these things start.”
Analysts say the implication is that crypto-native payment systems could offer a more efficient alternative to traditional banking rails for machine-to-machine transactions, particularly as AI agents begin to operate independently.
Market observers increasingly point to Ethereum as a likely beneficiary of this trend.
This is particularly because of its role as the leading programmable blockchain.
Some analysts argue Ethereum’s role extends beyond that of a digital currency.
Motley Fool analyst Dominic Basalto said describing Ethereum as simply a crypto “does it a major disservice,” framing it instead as a broader computing platform.
He added that Ethereum “continues to be the clear market leader in key blockchain niches.”
Basalto highlighted Ethereum’s dominance across decentralized applications and financial use cases.
Meanwhile, Tom Lee, chairman of BitMine, has also identified AI as one of the key drivers of Ethereum’s long-term growth.
Lee said 2026 could be a “defining year for Ethereum,” pointing to the potential for AI agents to use the network for payments and verification.
“If Bitcoin gets to $250,000, that would value Ethereum somewhere between $12,000 and $22,000 if it returns to its 2021 ratio,” he said.
Kurt Robson is a London-based reporter at CCN, specialising in the fast-moving worlds of crypto and emerging technology. He began his career covering local news in Cornwall after graduating from Falmouth University with First Class Honours in Journalism. There, he cut his teeth on everything from council meetings to missing swans.
He quickly rose through the ranks to become a frontline journalist at several of the UK’s leading national newspapers. Over the years, he has interviewed musicians and celebrities, reported from courtrooms and crime scenes, and secured multiple front-page exclusives.
Following the upheaval of the COVID-19 pandemic, Kurt shifted his focus to technology journalism—just ahead of the AI boom. With a natural curiosity and a trained eye for emerging trends, he has found a new rhythm in reporting on innovation.
At CCN, Kurt's work focuses on the cutting edge of crypto, blockchain, AI, and the evolving digital world. Drawing on his background in people-first reporting and his deep interest in disruptive tech, Kurt delivers stories that are insightful, entertaining, and human-centric.
