Researchers Expose LLM Routers Injecting Malicious Code and Accessing Private Keys

Highlights:

• Researchers found that AI intermediaries can drain crypto wallets during normal routing operations.
• Developers using AI tools for smart contracts risk exposing cloud credentials through unsafe routing systems.
• LLM Routers can steal sensitive credentials because they terminate secure connections between users and AI providers.

University of California researchers found on Thursday that some third-party AI intermediaries expose crypto wallets and cloud credentials to theft. The team published the findings in a paper that tested security risks across the LLM supply chain. The study showed that certain routers injected malicious code and accessed sensitive user credentials during normal operations. The researchers also confirmed that one router drained Ether from a test wallet using a controlled private key.

AI Router flaw exposes crypto wallets to theft. Researchers warn third-party LLM routers can leak sensitive data. pic.twitter.com/yn5icIpqRZ

— Nuvina.fun (@Nuvina_fun) April 13, 2026

The team tested 28 paid routers and 400 free routers collected from public developer communities. The results showed that nine routers injected malicious code into user workflows during execution. The study also found that two routers used adaptive evasion triggers to avoid detection during testing. In addition, 17 routers accessed Amazon Web Services credentials that belonged to the research team. One router used a prefunded private key to move Ether from a decoy Ethereum wallet.

Chaofan Shou, a co-author of the paper, stated on X that 26 LLM routers injected malicious tool calls and stole credentials. The researchers used prefunded decoy keys to test whether routers could perform real asset transfers. They limited wallet balances to keep total losses below $50 during the experiment. However, the test confirmed that a compromised router can directly access and transfer crypto assets.

26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client $500k wallet.

We also managed to poison routers to forward traffic to us. Within several hours, we can directly take over ~400 hosts.

Check our paper: https://t.co/zyWz25CDpl pic.twitter.com/PlhmOYz2ec

— Chaofan Shou (@Fried_rice) April 10, 2026

AI Intermediaries Expose Data And Increase Risk For Developers Using AI Tools

The study explained that these routers act as intermediaries between users and AI providers such as OpenAI, Anthropic, and Google. These services enable developers to control access to various models using a single interface. The researchers, however, discovered that these routers end Transport Layer Security connections prior to the forwarding of requests.

This access includes prompts, private keys, seed phrases, and cloud credentials sent during AI sessions. Smart contracts or wallet tools that use AI coding agents may expose sensitive information to developers who deploy them. The study found that many developers unknowingly pass credentials through infrastructure that lacks proper security checks.

The researchers stated that users cannot easily detect when an LLM router becomes malicious. Routers must read data to forward requests, which makes their behavior appear normal to the client. As a result, users cannot distinguish between legitimate data handling and active credential theft.

The team also identified “YOLO mode” as a key risk factor in AI agent frameworks. This setting allows the agent to execute commands automatically without user approval. A malicious router can send harmful instructions that the system executes instantly.

The researchers also conducted poisoning studies to test how threats spread over time. These tests showed that routers can reuse leaked credentials through weak relay systems. This process allows previously safe routers to become compromised without direct changes.

LLM Routers Increase Risk And Expose Sensitive User Data

The researchers concluded that free LLM routers frequently lure users with cheap or free API access. Some of these services extract credentials while users rely on them for development tasks. The researchers warned that this model creates hidden risks for developers who choose convenience over security.

The team recommended that developers should not transmit private keys and seed phrases via AI agent sessions. The researchers also recommended stronger client-side protections during AI interactions.

The study proposed cryptographic signing of AI responses as a long-term solution. This would enable the systems to confirm that instructions are provided by the original model provider. It would also guard against the possibility of intermediaries distorting commands on transit.