A team of researchers from the University of California published a paper on Thursday, marking the first systematic record of malicious man-in-the-middle attacks targeting the supply chain of large language models (LLMs), revealing a major security blind spot in third-party routers within AI agent ecosystems. Co-author Shou Chaofan stated directly on X: “26 LLM routers are secretly injecting malicious tool calls and stealing credentials.” The research tested 28 paid routers and 400 free routers.
Key research findings: Malicious routers gain an advantage in AI agent traffic
(Source: arXiv)
The architectural characteristics of AI agents naturally make them rely on third-party routers: agents aggregate access requests to upstream model providers such as OpenAI, Anthropic, and Google through an API middle layer. The core issue is that these routers terminate the internet’s TLS (Transport Layer Security) encrypted connections and read each transmitted message in plaintext, including the complete parameters and the contents of the context for tool calls.
Researchers implanted an encrypted wallet private key and AWS credentials into a bait router, tracking whether and how they were accessed and used.
Key data from the test results
9 routers actively injected malicious code: embedded unauthorized instructions into the AI agent tool-calling flow
2 routers deployed adaptive evasion triggers: dynamically adjusted behavior to bypass basic security detection
17 routers accessed the researchers’ AWS credentials: posed a direct threat to third-party cloud services
1 router completed ETH theft: actually transferred Ethereum away from the private key held by the researcher, completing the full attack chain
The researchers also conducted two “poisoning studies.” The results showed that even routers that previously behaved normally, once their leaked credentials are reused via a weak relay, could become an attack tool without the operator’s knowledge.
Why it’s difficult to detect: the invisibility of the credential boundary and the YOLO mode risk
The paper states that the core detection challenge is: “From the client’s perspective, the boundary between ‘credential handling’ and ‘credential theft’ is invisible, because the router reads the keys in plaintext during normal forwarding.” This means that engineers using AI coding agents such as Claude Code to develop smart contracts or wallets—if they do not take isolation measures—can have private keys and seed phrases flow through a malicious router in a way that is fully consistent with expected operations.
Another factor that amplifies the risk is what the researchers call the “YOLO mode”—a setting in most AI agent frameworks that allows the agent to automatically execute instructions without requiring step-by-step confirmation from the user. In this mode, an agent manipulated by a malicious router can complete malicious contract calls or asset transfers without any prompt, with a damage scope far beyond simple credential theft.
The research paper concludes: “LLM API routers sit on a critical trust boundary, and this ecosystem currently treats them as transparent transport.”
Defense recommendations: short-term practices and long-term architectural direction
The researchers recommend that encrypted developers immediately take the following measures: private keys, seed phrases, and sensitive API credentials should never be transmitted in AI agent sessions; when choosing routers, prioritize services that provide transparent audit records and clearly defined infrastructure; and if possible, completely isolate sensitive operations from the AI agent workflow.
In the long run, the researchers call on AI companies to cryptographically sign model responses, so that clients can use mathematical methods to verify that the instructions executed by the agent indeed come from a legitimate upstream model, rather than a malicious version that has been altered after passing through an intermediary router.
Frequently asked questions
Why can AI agent routers access private keys and seed phrases?
LLM routers terminate TLS encrypted connections and read all transmitted content in the agent session in plaintext. If developers use AI agents to handle tasks involving private keys or seed phrases, these sensitive data become fully visible at the router layer, enabling malicious routers to intercept them easily without triggering any abnormal alerts.
How can you tell whether the router you’re using is secure?
The researchers point out that “credential handling” and “credential theft” are almost invisible to the client, making detection extremely difficult. The fundamental recommendation is to prevent private keys and seed phrases from entering any AI agent workflow at the design level, rather than relying on backend detection mechanisms, and to prioritize router services that have transparent security audit records.
What is YOLO mode, and why does it increase security risk?
YOLO mode is a setting in AI agent frameworks that allows the agent to automatically execute instructions without requiring users to confirm step by step. In this mode, if the agent’s traffic passes through a malicious router, the malicious instructions injected by the attacker will be automatically executed by the agent, and the damage scope can expand from credential theft to automated malicious operations, with users completely unable to notice abnormalities before execution.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
ETH drops 0.76% in 15 minutes: Dual pressure from whales’ proactive deleveraging and ETF fund outflows
Between 07:15 and 07:30 (UTC) on 2026-04-19, the ETH spot price fluctuated in the 2298.13 to 2322.69 USDT range, with an amplitude of 1.06% and a return of -0.76%. During this period, market attention increased; the sharp drop in price triggered widespread user focus, along with a clear surge in trading volume within a short time, indicating a sudden escalation in liquidity pressure.
The main driver behind this deviation is that on-chain whale accounts actively sold ETH to repay DeFi platform borrowings in order to avoid forced liquidation. Based on on-chain tracking and fund-flow monitoring, from April 18 to 19, more than 42,000 ETH per-transaction large transfers were rapidly sent into a certain mainstream exchange, and at the same time there was a sharp spike in net inflows to the exchange. This concentrated sell pressure directly weakened spot market prices. Under proactive deleveraging behavior, selling pressure was released in the short term, creating a sudden market shock.
In addition, during the period of price deviation, the ETH derivatives market saw a significant rise in passive liquidation volume, especially as leveraged long positions encountered strong liquidations during the price decline, further increasing supply pressure in the spot market. Meanwhile, ETH spot ETF funds continued to see net outflows; in mid-April, there were multiple days with single-day outflows exceeding $40-50M, with the largest single day reaching $200M. This reflects a warming of short-term institutional risk-avoidance sentiment, which led to a deeper shift downward in buy-side liquidity depth. The launch of a new public chain ecosystem also attracted some ETH liquidity migration, further weakening the capital protection layer of the mainnet. Multiple structural feedback effects amplified the downside move.
At present, leverage risk in the ETH market remains prominent. Some whales still have large borrowings outstanding; if the price continues to move downward, potential liquidation risks may flare up again. ETF fund flows, on-chain large transfers, and capital-attraction moves tied to the new-chain ecosystem all need close monitoring. With increased short-term volatility risk, it is recommended to watch key support zones, exchange net inflow indicators, and DeFi on-chain liquidation dynamics in order to promptly grasp the latest market signals.
GateNews22m ago
ETH breaks below 2300 USDT
Gate News bot message, Gate market data shows that ETH has broken below 2300 USDT, with the current price at 2298.67 USDT.
CryptoRadar32m ago
ETH drops 0.58% in 15 minutes: derivatives liquidity contraction and proactive position reduction dominate short-term pullback
From 2026-04-19 04:30 to 2026-04-19 04:45 (UTC), within ETH’s 15-minute candlestick chart, the return recorded -0.58%, and the price range was 2321.62 to 2342.04 USDT, with an amplitude of 0.87%. The short-term selloff occurred against a backdrop of increased overall market volatility and a broad decline in the prices of major crypto assets; overall market risk appetite clearly fell, and traders’ wait-and-see sentiment strengthened.
The main driver behind this abnormal move is a sharp contraction in liquidity in the derivatives market and leveraged funds proactively reducing positions. Data shows that over the past 24 hours, the ETH/USD perpetual contract trading volume dropped 67.16% to approximately 74.87 million, open interest edged down 3.33% to 329 million, and liquidation amounts did not expand unusually. This structure indicates that the market lacks the risk of passive cascades; more funds chose to proactively step aside and wait on the sidelines, intensifying short-term selling pressure.
In addition, the long/short structure in which shorts held the upper hand (long/short ratio 47.48%:52.52%) and sentiment synchronization with the panic range reinforced the downward price trend. During the same period, major coins such as BTC and SOL also fell 2%-3.4% in tandem, further showing that this pullback was driven by system-wide risk sentiment. On-chain funds did not show any large abnormal transfers or large-scale liquidations of DeFi protocols; spot and on-chain liquidity remained generally stable, and no sudden system risk resonance was observed.
Current volatility-related risks still need close monitoring, especially as overall risk appetite continues to contract—ETH’s short-term price may face further downside probing. Watch subsequent changes in derivatives trading volume and open interest, extreme shifts in the long/short ratio and funding rate, and promptly monitor on-chain fund flows, large transfers, and any signs of amplified platform net outflows. For more market anomalies and deeper analysis, please continue to follow our upcoming market updates.
GateNews3h ago
Spark Protocol's January delisting of rsETH proves prudent as Aave faces ETH liquidity crisis
Spark Protocol's strategy of delisting low-usage assets and tightening collateral has faced initial backlash but proved wise during market turmoil. While maintaining higher interest rate caps, SparkLend ensures liquidity, unlike Aave, which now faces significant risks.
GateNews3h ago
Ethereum Processes 200M Transactions in Q1 2026, Up 43% QoQ
Ethereum experienced its highest quarterly transaction volume in Q1 2026 with over 200 million transactions, marking 43% growth from the previous quarter. Layer 2 solutions and stablecoin usage drove this surge, indicating a utility-focused adoption trend.
GateNews17h ago
