A new infrastructure-level attack capable of draining crypto wallets and hijacking developer environments has been confirmed in the wild, with researchers warning of a 10% correction in security confidence across decentralized systems. University of California researchers revealed that systematic testing of 428 AI API routers found 9 actively injecting malicious code, 17 accessing AWS credentials, and at least one free router successfully draining ETH from a controlled wallet—exposing the rapidly expanding AI agent routing layer as the next major vulnerability in blockchain execution workflows.

How Malicious AI Agent Routers Actually Work – Plaintext Proxies, Not Encrypted Pipes

Standard LLM API infrastructure was designed for simple request-response relay: a client sends a prompt, the router forwards it to the model provider, the response comes back.

Malicious routers exploit exactly that trust model – they sit as application-layer proxies in the middle of that exchange, with full read-write access to plaintext JSON payloads passing through them in both directions.

There are no encryption standards governing what a router can inspect or modify in transit. A malicious router sees the raw prompt, the model response, and everything embedded in either – including private keys, API credentials, wallet seed phrases, or code being generated for a live deployment environment.

It can alter the response before it reaches the user, inject additional code into a code-generation output, or silently exfiltrate credentials to an external endpoint.

The UC researchers built an agent they called “Mine” to simulate four distinct attack types against public frameworks, specifically targeting autonomous YOLO-mode sessions where the agent executes actions without human confirmation at each step.

Two of the 428 routers tested deployed adaptive evasion – one waited 50 API calls before activating malicious behavior, specifically to avoid detection during initial testing. That’s not a blunt credential-scraper. That’s a targeted tool built to survive scrutiny.

The poisoning attack vector compounds the risk further. When leaked OpenAI API keys are processed through compromised routing infrastructure, the blast radius scales fast – 2.1 billion tokens processed, 99 credentials exposed across 440 Codex sessions in the researchers’ controlled test environment alone.

Who Is Actually Exposed – and Why Existing Defenses Don’t Reach This Layer of Crypto Theft

The problem is not that third-party API routers exist. The problem is that the entire trust model for AI agent infrastructure assumes the routing layer is neutral – and no enforcement mechanism currently verifies that assumption at scale.

Developers building onchain tools, DeFi automation scripts, and autonomous trading agents route API calls through third-party infrastructure constantly.

Free routers sourced from public communities – the category where 8 of the 9 malicious injectors were found, are widely used precisely because they lower the cost of building LLM-powered applications. As automated execution infrastructure in DeFi grows more dependent on external data and agent coordination, the routing layer becomes an increasingly attractive target.

Existing wallet security – hardware devices, multisig setups, offline key storage – does not protect against a router that intercepts a private key before it reaches the signing layer, or that injects malicious code into a deployment script that later executes onchain.

Annual crypto theft losses already hit $1.4 billion. This attack vector doesn’t require breaking cryptography. It requires compromising a piece of middleware that most users never examine.

YOLO-mode autonomous sessions are the highest-risk exposure point. When an agent executes multi-step transactions without human confirmation checkpoints, a malicious router has a wider window to act – and the user has no interstitial moment to catch anomalous behavior.

Solayer founder @Fried_rice amplified the findings on X on April 10, 2026, describing the situation as “third-party API routers widely relied on by large language model agents” carrying “systemic security vulnerabilities” – a characterization that landed hard given the scale of autonomous agent adoption across DeFi tooling.

26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client $500k wallet.

We also managed to poison routers to forward traffic to us. Within several hours, we can directly take over ~400 hosts.

Check our paper: https://t.co/zyWz25CDpl pic.twitter.com/PlhmOYz2ec

The researchers’ recommended defenses are client-side: fault-closure gates that halt execution when anomalous responses are detected, response anomaly filtering, and append-only logging for audit trails that can’t be tampered with by the router itself. Longer term, the UC team is advocating for cryptographic signing standards that would make LLM responses verifiable – the same architectural principle that makes onchain oracle integrity a live design requirement rather than an afterthought.