The cryptocurrency industry is moving toward a future in which AI agents handle everything from booking flights to executing trades and making payments, but new research suggests that the infrastructure underpinning this shift may not be secure.
McKinsey recently projected that AI agents could account for between $3 trillion and $5 trillion in global consumer commerce by 2030.
Coinbase founder Brian Armstrong said on X that “very soon” there will be more AI agents than humans transacting on the internet. Binance founder Changpeng Zhao was bolder, predicting that agents would make a million times more payments than people, all in crypto.
But a group of security academics and crypto researchers have published a paper explaining that a largely overlooked piece of AI infrastructure is already being used to steal credentials and even empty crypto wallets.
The authors of the articles are researchers affiliated with the University of California, Santa Barbara, the University of California, San Diego, blockchain company Fuzzland, and World Liberty Financial.
Powerful attack points
The team found that “LLM routers,” or services placed between users and AI models, can act as a powerful point of attack exploited by malicious actors. These routers are designed to forward requests to models like OpenAI or Anthropic, but they also have full access to everything that passes through them, including sensitive data.
“LLM agents have moved beyond conversational assistants to become systems that book flights, run code, and manage infrastructure on behalf of users,” the researchers wrote, highlighting how quickly these tools take over real-world financial and operational tasks.
LLM routers or attack points leave users extremely vulnerable because they assume they are directly interacting with a reputable AI model such as OpenAI, Grok or other, when in reality many requests go through intermediary services that can see and modify that data, the researchers said.
According to one of the researchers, Chaofan Shou, the problem is no longer theoretical. He wrote on
“A malicious router can replace a harmless command with one controlled by an attacker or silently exfiltrate all credentials passing through it,” the researchers wrote.
The researchers said that because these systems can operate autonomously, including frequently approving and executing actions without human review, a single modified instruction can immediately compromise the systems or funds.
For cryptocurrency users, the implications are serious, as private keys, API credentials, and wallet access tokens often pass through these systems in plain text. Researchers found several cases where routers simply collected these secrets, the paper reveals. In one case, an Ethereum test wallet was emptied after its private key was exposed.
“Once exposed, credentials such as private keys can be copied and reused without the user’s knowledge,” the paper’s authors note.
Cascading risks
The team also demonstrated how easy it is to expand the offense. By “poisoning” parts of the router ecosystem, essentially tricking services into forwarding traffic, they were able to observe and potentially control hundreds of downstream systems in a matter of hours.
“A single malicious router in the chain is enough to compromise the entire system,” the researchers wrote, highlighting what they describe as a weak link problem.
This suggests a cascading risk: Even if a user trusts their AI provider, the intermediary infrastructure may be unreliable, they said in their paper.
This creates a potential disconnect, as industry leaders increasingly predict that AI agents will handle a growing share of crypto activity, while the underlying infrastructure still lacks guarantees that the results have not been tampered with, they added.
