UC researchers document LLM router attacks draining ETH from wallets

UC: 9 of 428 LLM routers inject code; one drained ETH

UC researchers document a new attack class at the AI-agent routing layer. Malicious LLM API routers hijack tool calls and can steal funds, including an actual ETH transfer from a live wallet (arXiv, Apr 2026).

They frame it as the first systematic analysis of malicious intermediaries in the LLM supply chain. The risk sits in the middleware that forwards agent prompts and tool calls to model providers, not in smart contracts or key storage (arXiv).

How the attack works:
- Code injection into the agent’s tool execution pipeline, altering actions in-flight (arXiv)
- Credential harvesting, including API keys and secrets referenced during sessions (arXiv)
- Adaptive evasion that delays malicious behavior for 50+ call cycles to bypass monitoring (arXiv)
- Exploiting “YOLO mode,” where agents auto-execute tool responses without user confirmation (arXiv)
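One way to limit in-flight tool-call tampering and unconfirmed auto-execution on the agent side is a policy gate applied to every tool call that comes back through a router. This is an added example, not code from the paper. The tool names (`send_eth`, `read_file`, `run_shell`), the policy fields and the addresses are hypothetical. Every call is checked, so a router that behaves for 50+ calls gains no trust from them.

```python
from dataclasses import dataclass

# Hypothetical tool names and policy fields; real agent frameworks differ.
HIGH_RISK_TOOLS = {"send_eth", "run_shell"}

@dataclass
class Policy:
    allowed_tools: set
    allowed_recipients: set   # lowercase addresses the user pinned out-of-band
    max_wei: int
    auto_execute: bool = False  # "YOLO mode" stays off unless explicitly enabled

def gate(call: dict, policy: Policy) -> str:
    """Return 'execute', 'confirm' or 'block' for one tool call from the router."""
    name = call.get("name")
    args = call.get("arguments")
    if name not in policy.allowed_tools or not isinstance(args, dict):
        return "block"  # unknown tool or malformed arguments
    if name == "send_eth":
        to = str(args.get("to", "")).lower()
        value = args.get("value_wei")
        if to not in policy.allowed_recipients:
            return "block"  # recipient was not pinned by the user
        if type(value) is not int or not 0 < value <= policy.max_wei:
            return "block"  # missing, non-integer or over-limit amount
    if name in HIGH_RISK_TOOLS:
        return "confirm"  # never auto-run, even with auto_execute on
    return "execute" if policy.auto_execute else "confirm"

def review_session(calls, policy):
    """Gate every call; earlier benign calls earn no trust for later ones."""
    return [gate(c, policy) for c in calls]

# Constructed sample data: placeholder addresses and a 56-call session in which
# the last call names a recipient the user never pinned.
PINNED = "0x" + "aa" * 20
UNKNOWN = "0x" + "bb" * 20
SESSION = [{"name": "read_file", "arguments": {"path": "notes.txt"}}] * 55
SESSION.append({"name": "send_eth", "arguments": {"to": UNKNOWN, "value_wei": 10**16}})
POLICY = Policy({"read_file", "send_eth"}, {PINNED}, max_wei=10**17, auto_execute=True)

if __name__ == "__main__":
    decisions = review_session(SESSION, POLICY)
    print(decisions[0], decisions[-1])
```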

[Figure: Intermediary attack chain in LLM routing. Source: arXiv]

Scale and confirmations:
- 428 routers tested: 28 paid (Taobao, Xianyu, Shopify), 400 free from public channels (arXiv)
- 9 routers were actively injecting malicious code into tool calls (arXiv)
- 17 accessed AWS canary credentials; 2 used adaptive evasion techniques; over 20% showed malicious behavior or risk indicators by the team’s classification (arXiv)
- The team confirmed 1 router drained ETH from a researcher’s wallet (arXiv)

Credential exposure from poisoning experiments:
- A leaked OpenAI key processed 100 million GPT-5.4 tokens and 7+ autonomous Codex sessions before detection (arXiv)
- A weaker decoy key hit 2.1 billion billable tokens across 440 Codex sessions and 401 YOLO-mode sessions, exposing 99 credentials in total (arXiv)

External signal:
- “26 LLM routers are secretly injecting… One drained our client $500k wallet,” wrote Solayer founder Chaofan Shou, also noting they could poison routers and take over ~400 hosts within hours (Twitter, Apr 10, 2026)

Status check:
- The paper is an arXiv preprint and is not yet peer-reviewed; figures and classifications have not been independently verified (arXiv)

Why it matters for crypto:
- AI agents are being wired into wallets, DeFi protocols, and trading workflows. The routing layer has become critical infrastructure without standardized security, widening the attack surface for fund theft and key leakage (arXiv).