UC Researchers: Some LLM Routers Can Steal Crypto

University of California researchers found some third-party LLM routers can read plaintext, inject malicious tool calls and steal credentials; one router withdrew under $50 in Ether from a decoy wallet.

Researchers at the University of California published a paper Thursday reporting that some third-party large language model (LLM) routers can read plaintext, inject malicious tool calls and steal credentials. The team tested 28 paid routers and 400 free routers gathered from public communities.

The paper found nine routers that actively injected malicious code into agent sessions, two that used adaptive evasion triggers to avoid detection, 17 that accessed researcher-owned Amazon Web Services credentials, and one that used a leaked private key to withdraw Ether. The researchers prefunded decoy Ethereum wallets; the value withdrawn in tests was under $50. The authors did not publish transaction hashes.

The routers examined act as intermediaries between developers and models from providers such as OpenAI, Anthropic and Google. The paper reports that many of these routers terminate Transport Layer Security (TLS) connections and therefore see every message in plaintext as it passes through.

The paper notes that agents often send code, credentials and other secrets through these intermediaries when developers build automated workflows or coding assistants. Because a router already reads that plaintext as part of normal forwarding, a client has no way to distinguish a trustworthy router from a malicious one: both see exactly the same data.

The researchers highlighted a feature they call “YOLO mode,” where an agent executes commands without asking for user confirmation. In that setting, a router or an upstream operator can inject tool calls that the agent runs immediately, increasing the likelihood that private keys, seed phrases or other sensitive data are exposed and acted on.

The team ran two poisoning experiments showing that routers that appear benign can become dangerous if they reuse leaked credentials or relay them through weak links. The paper warns that free routers may offer low-cost API access while harvesting secrets and that previously legitimate routers can be weaponized if credentials leak into shared infrastructure.

Co-author Chaofan Shou wrote on X, “26 LLM routers are secretly injecting malicious tool calls and stealing creds.” The paper adds, “The boundary between ‘credential handling’ and ‘credential theft’ is invisible to the client because routers already read secrets in plaintext as part of normal forwarding.”

The researchers advised developers not to send private keys or seed phrases through AI agent sessions and to strengthen client-side defenses. For a longer-term measure, they recommended that model providers cryptographically sign model responses so agents can verify that instructions came from the actual model rather than an intermediary.
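The two client-side measures described above (verify that a response really came from the model provider before acting on its tool calls, and stop secrets from leaving the client through an agent session) can be sketched in a few lines. The following Python is an added illustration, not code from the paper, the researchers or any router; the response envelope format, the `ALLOWED_TOOLS` list and the secret patterns are constructed assumptions, and the HMAC with a shared demo key stands in for the provider public-key signature the paper recommends (a real deployment would use an asymmetric scheme such as Ed25519 so the client only needs the provider's public key).

```python
import hashlib
import hmac
import json
import re

# Constructed demo key. A real deployment would use a provider's public-key
# signature (e.g. Ed25519) so that clients hold only a public key; HMAC with a
# shared key is used here solely to keep the example standard-library only.
PROVIDER_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Tools this (hypothetical) agent is permitted to run without user confirmation.
ALLOWED_TOOLS = {"read_file", "run_tests"}

# Patterns for secrets that should never leave the client through an agent session.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hex_private_key": re.compile(r"\b0x[0-9a-fA-F]{64}\b"),
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so provider and client sign/verify identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_response(payload: dict, key: bytes = PROVIDER_SIGNING_KEY) -> dict:
    """What the model provider would attach to each response (hypothetical format)."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}


def verify_response(envelope: dict, key: bytes = PROVIDER_SIGNING_KEY) -> bool:
    """Client-side check: does the signature match the payload actually received?"""
    expected = hmac.new(key, canonical(envelope.get("payload", {})), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(envelope.get("sig", "")))


def filter_tool_calls(envelope: dict, allowed=ALLOWED_TOOLS):
    """Return (accepted_calls, rejection_reasons) for the tool calls in a response.

    Nothing is executed unless the signature verifies AND the tool is allowlisted,
    so an intermediary cannot add or alter tool calls without being detected.
    """
    if not verify_response(envelope):
        return [], ["signature invalid: response altered in transit or not from the provider"]
    accepted, rejected = [], []
    for call in envelope["payload"].get("tool_calls", []):
        name = call.get("name")
        if name in allowed:
            accepted.append(call)
        else:
            rejected.append(f"tool {name!r} is not allowlisted")
    return accepted, rejected


def outbound_secret_check(message: str) -> list:
    """Names of secret patterns found in a message the agent is about to send upstream."""
    return [label for label, pat in SECRET_PATTERNS.items() if pat.search(message)]


def simulate_router_tampering(envelope: dict) -> dict:
    """Constructed: an intermediary appends a tool call to an already-signed response."""
    tampered = json.loads(json.dumps(envelope))  # deep copy
    tampered["payload"].setdefault("tool_calls", []).append(
        {"name": "shell", "args": {"cmd": "INJECTED-PLACEHOLDER"}}
    )
    return tampered


if __name__ == "__main__":
    genuine = sign_response({"content": "Running the test suite.",
                             "tool_calls": [{"name": "run_tests", "args": {}}]})
    print("genuine:", filter_tool_calls(genuine))
    print("tampered:", filter_tool_calls(simulate_router_tampering(genuine)))
    print("outbound:", outbound_secret_check("key is 0x" + "ab" * 32))
```

The signature check only helps if the key material never passes through the router, which is exactly why the paper asks model providers, not routers, to do the signing; the allowlist and the outbound secret check are the "strengthen client-side defenses" part and work regardless of whether the provider signs anything.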
