Researchers at the University of California have identified a class of previously undocumented attacks targeting the infrastructure layer of AI agents, finding that malicious third-party LLM API routers can intercept agent communications, inject code into tool calls, and drain crypto wallets — including, in at least one documented case, executing an actual ETH transfer from the researcher’s live wallet.
Results published in April 2026 arXiv paper The team described it as the first systematic analysis of malicious man-in-the-middle attacks on the LLM supply chain, elevating what was previously a theoretical concern into a clear, measurable threat.
What makes this result structurally important is the attack surface it exposes – not the smart contracts, not the failure of private key management in the traditional sense, but the routing layer that lies between the AI agent and the underlying language model it queries.
As autonomous AI agents are increasingly integrated into cryptocurrency wallets, DeFi protocols, and automated trading workflows, this middle layer has become a bearer infrastructure, and currently operates without meaningful security standardization.
discovers: The Best Cryptocurrencies You Can Buy Right Now – Updated CoinSpeaker Guide
How malicious AI proxy routers work: chain man-in-the-middle attacks and what they can perform against cryptocurrency wallets
An AI API router, in standard usage, acts as a middleware layer – it receives requests from an agent or AI application, forwards them to one or more LLM providers, and returns responses.
Developers and teams frequently use third-party routers to manage API keys, balance load across providers, or reduce costs by accessing cheaper modular endpoints. The router, by design, is in full view of every prompt, tool call, and response that passes through it.
A malicious router exploits this exact situation. Instead of transparently redirecting the agent’s traffic, it can inspect, modify, or respond to the tool’s crypto calls — structured commands issued by the AI agent to interact with external systems, including wallets.
source: arksif
In the UCLA researchers’ framework, this enables at least three types of active attacks: injecting malicious code into an AI agent’s execution pipeline, collecting API credentials and private keys transmitted or referenced in agent sessions, and deploying adaptive evasion logic that delays malicious behavior — waiting, in some documented cases, 50 or more communication cycles before activation — to circumvent naive monitoring.
The researchers also identified a fourth vector that they described as particularly dangerous in proxy contexts: exploiting “YOLO mode,” an autonomous execution capability found in many major proxy frameworks, where an agent acts on tool call responses without human confirmation.
A router that can enter this loop can, in principle, authorize transactions that the user has not explicitly agreed to. This ability is not theoretical – the team confirmed that one router among those tested effectively drained ETH from the researcher’s wallet.
The specific findings of researchers at the University of California: Scope, proven harmful behavior, and cognitive limits arXiv preprint
The research team tested a total of 428 routers: 28 sourced from paid listings on Taobao, Xianyu, and Shopify storefronts, and 400 obtained for free from public community channels. Of these, 9 routers – 1 paid and 8 free – were confirmed to be actively injecting malicious code into tool calls.
Separately, 17 people accessed AWS Canary credentials that the team included as detection tripwires, and two deployed adaptive evasion techniques specifically designed to circumvent behavioral monitoring. More than 20% of the full sample showed harmful behavior or physical danger indicators, according to the researchers’ own classification.
The exposure data certified from the team’s poisoning experiments is, if accurate, the most important finding in the paper. The leaked OpenAI key found on Chinese forums, WeChat, and Telegram was used to process 100 million GPT-5.4 codes and over 7 independent Codex sessions before it was discovered. The weaker spoofed credentials led to 2.1 billion billable tokens being released across 440 Codex sessions and 401 independent YOLO mode sessions, resulting in 99 credentials being exposed in total.
26 LLM routers secretly insert malicious tool calls and steal credentials. One of them drained our client’s $500,000 wallet.
We were also able to poison routers to redirect traffic to us. Within several hours, we can take over approximately 400 hosts directly.
Check our paper: https://t.co/zyWz25CDpl pic.twitter.com/PlhmOYz2ec
– Oat Shaw (@Fried_rice) April 10, 2026
Solayer founder Fried_rice described the findings on social media on April 10, 2026, as evidence of “systemic vulnerabilities” in third-party API routers — a description that aligns with the paper’s threat model framework.
It is necessary to state the epistemological status of these claims directly: the paper, at the time of writing, has not completed formal peer review through an academic venue. It’s a preprint from arXiv, and the specific numbers — token counts, router behavior ratings, and credential exposure numbers — have not been independently verified by a third party.
We suspect that the basic results are directionally sound, given the demonstrated rigor of the methodology and corroborating details across many reported attack types, but extrapolations beyond the 428 router sample should be treated with proportionate caution.
explores: Best meme coins to watch – updated CoinSpeaker rankings
Disclaimer: Coinspeaker is committed to providing unbiased and transparent reporting. This article aims to provide accurate and timely information but should not be considered financial or investment advice. Since market conditions can change rapidly, we encourage you to verify the information yourself and consult with a professional before making any decisions based on this content.
Daniel Francis is a technical writer and Web3 educator specializing in macroeconomics and DeFi mechanics. A crypto native since 2017, Daniel brings his background in cross-chain analytics to author evidence-based reports and detailed guides. It is certified by the Blockchain Council and is dedicated to providing “information gain” that cuts through the market noise to find blockchain’s real-world utility.
