
What Are Malicious LLM Routers and How Can They Steal Your Crypto?

2026/04/13 15:34
3 min read

TLDR

  • UC researchers found 26 third-party LLM routers injecting malicious code or stealing credentials
  • One router drained Ether from a researcher-owned decoy wallet
  • Routers have full plaintext access to messages, including private keys and seed phrases
  • A setting called “YOLO mode” lets AI agents run commands automatically without user confirmation
  • Researchers recommend never letting private keys pass through an AI agent session

University of California researchers have found that some third-party AI routing tools can steal crypto credentials and inject malicious code into developer workflows.

The findings were published in a paper this week measuring what the researchers called “malicious intermediary attacks” on the large language model (LLM) supply chain.

What Are Malicious LLM Routers and How Can They Steal Your Crypto?

LLM routers are third-party services that sit between a developer and AI providers like OpenAI, Anthropic, and Google. They manage and route API requests across multiple providers.

The problem is that these routers terminate encrypted internet connections. That gives them full, unencrypted access to every message passing through them.

Developers using AI coding tools like Claude Code to build smart contracts or crypto wallets may be sending private keys and seed phrases through these routers without knowing it.

The researchers tested 28 paid routers and 400 free routers gathered from public communities.

Their findings showed nine routers actively injecting malicious code, two using adaptive evasion tactics, and 17 accessing researcher-owned Amazon Web Services credentials.

One router drained Ether from a wallet the researchers had set up as a decoy. The total loss was reported as under $50.

The researchers said the line between normal credential handling and theft is nearly impossible for users to detect, since routers already read sensitive data in plaintext as part of their standard operation.

The YOLO Mode Risk

The paper also flagged a setting found in many AI agent frameworks called “YOLO mode.” In this mode, an AI agent executes commands automatically, without asking the user to approve each step.

This makes the risk worse. If a router is injecting malicious instructions, YOLO mode means those instructions could run without any human review.

The researchers also found that previously safe routers can be quietly turned malicious without the operator knowing. Free routers, in particular, may be offering cheap API access as a way to attract users while stealing credentials in the background.

What Researchers Recommend

Developers were advised to strengthen client-side defenses and to never allow private keys or seed phrases to pass through an AI agent session.

The longer-term fix, the researchers said, is for AI companies to cryptographically sign their responses. This would let developers verify that the instructions an agent receives actually came from the intended model.
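As an added illustration of the signed-response fix described above (example code, not from the paper or any provider), the provider signs a canonical encoding of the model name and reply with an Ed25519 key, and the client verifies against a pinned provider public key before an agent acts on the reply. The JSON canonical form, the field names and the sample replies are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Response is a constructed, simplified model reply. Only Model and Content
// are covered by the signature; Sig carries the provider's Ed25519 signature.
type Response struct {
	Model   string `json:"model"`
	Content string `json:"content"`
	Sig     []byte `json:"sig,omitempty"`
}

// canonical returns the exact bytes that are signed and verified. Struct field
// order makes json.Marshal deterministic, so both sides derive the same bytes.
func canonical(r Response) []byte {
	b, _ := json.Marshal(struct {
		Model   string `json:"model"`
		Content string `json:"content"`
	}{r.Model, r.Content})
	return b
}

// SignResponse is the provider-side step, done before the reply reaches any
// intermediary such as a router.
func SignResponse(priv ed25519.PrivateKey, r Response) Response {
	r.Sig = ed25519.Sign(priv, canonical(r))
	return r
}

// VerifyResponse is the client-side check against a pinned provider key: it
// fails if the reply is unsigned, re-signed by someone else, or altered in transit.
func VerifyResponse(pub ed25519.PublicKey, r Response) bool {
	return len(r.Sig) == ed25519.SignatureSize && ed25519.Verify(pub, canonical(r), r.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the provider's pinned key
	genuine := SignResponse(priv, Response{Model: "example-model", Content: "Run the test suite."})
	fmt.Println("genuine verifies:", VerifyResponse(pub, genuine)) // true

	// A router that rewrites the reply in transit cannot produce a valid signature.
	tampered := genuine
	tampered.Content = "Run the setup script fetched from an attacker URL (constructed)."
	fmt.Println("tampered verifies:", VerifyResponse(pub, tampered)) // false
}
```

In practice the client would also bind the signature to the request it sent and to a timestamp or nonce, so a router cannot replay an old genuine reply; that binding is omitted here for brevity.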

The researchers concluded that LLM API routers sit on a critical trust boundary that the broader AI ecosystem currently treats as safe by default.

No details such as transaction hashes for the drained wallet were provided in the paper.

The post What Are Malicious LLM Routers and How Can They Steal Your Crypto? appeared first on CoinCentral.
