AI agents in crypto expose a hidden router risk
AI agents may soon handle trillions in payments, but LLM routers can expose keys, alter tool calls, and drain wallets.

AI agents are moving into payments fast enough to worry security teams. McKinsey projects they could mediate $3 trillion to $5 trillion in consumer commerce by 2030, while Coinbase founder Brian Armstrong said on X that “very soon” agents will outnumber humans in internet transactions.
That optimism has a catch: a new paper from researchers tied to the University of California, Santa Barbara, the University of California, San Diego, Fuzzland, and World Liberty Financial says the infrastructure between users and models may be the weak point. The culprit is a layer called an LLM router, and it can see far more than most users realize.
What an LLM router actually does
Think of an LLM router as traffic control for AI requests. It sits between the app and model providers such as OpenAI and Anthropic, deciding where prompts go, how they are formatted, and sometimes how responses are routed back. That middle layer is useful for cost, latency, and model switching, but it also creates a place where sensitive data can be observed or altered.

The researchers argue that this is a bigger deal in crypto than in ordinary chat apps. Wallet addresses, private keys, API tokens, and signing requests often pass through automation systems in plain text or near-plain text. If a router can inspect or modify those requests, it can change a payment, steal credentials, or quietly redirect a transaction.
In the paper’s framing, the risk is not abstract. The authors say AI agents already book flights, execute code, and manage infrastructure on behalf of users, which means the software is acting with the authority that used to belong to a human operator. Once that authority is delegated, a single tampered instruction can have immediate financial consequences.
- McKinsey estimates AI agents could mediate $3 trillion to $5 trillion in consumer commerce by 2030.
- Coinbase founder Brian Armstrong said agents may soon outnumber humans in internet transactions.
- Binance founder Changpeng Zhao predicted agents could make one million times more payments than people, all in crypto.
- The researchers documented 26 routers that secretly injected malicious tool calls.
The wallet drain that made the threat real
The most alarming part of the paper is the evidence that routers are already being abused. Chaofan Shou, one of the researchers, wrote on X that “26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client $500k wallet. We also managed to poison routers to forward traffic to us. Within several hours, we can directly take over ~400 hosts.”
That quote matters because it turns the concern from theory into an operational security problem. If a router can inject a malicious tool call, it can replace a harmless action with one that transfers funds, leaks secrets, or grants access to a system the user never meant to expose.
The researchers also report a test Ethereum wallet being drained after its private key was exposed. Once a private key is copied, the damage is immediate and often irreversible. Unlike a password reset, blockchain keys do not come with a help desk and a recovery button.
What makes the issue nastier is that users may trust the model brand and miss the middle layer entirely. A request may look like it is going directly to OpenAI or another model provider, while an intermediary service sees the full prompt, tool outputs, and credentials on the way through.
Why the weakest link problem matters in crypto
The paper’s central argument is simple: one bad router can compromise the whole chain. That is a classic weakest-link problem, but it gets sharper when the chain includes autonomous agents that approve actions without waiting for a human to click “confirm.”

The researchers say they were able to “poison” parts of the router ecosystem by tricking services into forwarding traffic. From there, they could observe or influence hundreds of downstream systems within hours. In other words, the blast radius can grow quickly once one intermediary is compromised.
- A malicious router can swap a benign command for an attacker-controlled one.
- It can silently exfiltrate credentials that pass through it.
- It can forward traffic to an attacker-controlled system after poisoning routing paths.
- It can affect downstream hosts without the user seeing a warning.
For crypto payments, this is a bad fit for the current “move fast” mood. Payment systems usually assume the message path is trustworthy, but these agent stacks often depend on multiple vendors, wrappers, and routing services that are hard to audit end to end. If one layer is compromised, the user may blame the model while the real failure happened in the plumbing.
That is especially uncomfortable given the scale some industry leaders are projecting. If AI agents really do become a major share of transaction volume, then the security model has to account for machine-to-machine payments, not just human-approved transfers. Right now, the paper suggests, the guardrails are lagging the ambition.
What needs to change before agents handle more money
The fix is not to ban AI agents from crypto. The practical answer is to treat routers, tool gateways, and agent middleware as security-critical infrastructure, with the same paranoia that payment processors already apply to signing systems and custody layers.
That means tighter credential handling, stronger verification of tool calls, better provenance checks for routed prompts, and less reliance on plaintext secrets moving through third-party services. It also means builders should assume that the model is not the only thing that can be attacked. In many stacks, the router is the more attractive target.
If you are building agentic crypto products, the first question should be boring and defensive: where do keys travel, who can see them, and which intermediary can rewrite the request before it reaches the model or wallet? If you cannot answer that clearly, the product is probably not ready for autonomous payments.
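The three defensive questions above (where keys travel, who can see them, which intermediary can rewrite the request) can be turned into client-side checks. The following is an added example, not code from the paper, from Fuzzland, or from any router vendor. It assumes a hypothetical tool-call format (a JSON object with `name` and `arguments`), a hypothetical end-to-end integrity scheme in which the model provider co-signs each response with a key the client holds (no major provider does this today, so the HMAC key here is a stand-in), and constructed sample values throughout. It demonstrates the four router behaviours listed earlier being caught before anything is executed: secrets are redacted before the request leaves the host, a response whose tool call was swapped in transit fails verification, and a transfer to an unapproved recipient or above a per-call limit is rejected by policy.

```python
"""Client-side checks for agent traffic that crosses an LLM router (added example)."""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field

# --- 1. Keep secret material out of the prompt path -------------------------
# Patterns for the kinds of data the article says travel through routers in
# plain text. These are illustrative and deliberately narrow.
SECRET_PATTERNS = [
    ("ETH_PRIVATE_KEY", re.compile(r"\b0x[0-9a-fA-F]{64}\b")),
    ("API_TOKEN", re.compile(r"\b(?:sk|api)[-_][A-Za-z0-9_-]{16,}\b")),
]


def redact_secrets(text: str) -> tuple[str, dict[str, str]]:
    """Replace keys and tokens with placeholders before the request leaves the host.

    Returns the redacted text plus a local placeholder -> original map; the map
    stays on the client and is never sent to the router or the model.
    """
    vault: dict[str, str] = {}
    for label, pattern in SECRET_PATTERNS:
        def _sub(match, label=label):
            placeholder = f"<{label}_{len(vault)}>"
            vault[placeholder] = match.group(0)
            return placeholder
        text = pattern.sub(_sub, text)
    return text, vault


# --- 2. End-to-end integrity of the routed response (hypothetical scheme) ----
PROVIDER_KEY = b"constructed-demo-key"  # constructed; would be provisioned out of band


def canonical(obj) -> bytes:
    """Stable serialisation so client and provider MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_response(payload: dict, key: bytes = PROVIDER_KEY) -> str:
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


def verify_response(payload: dict, tag: str, key: bytes = PROVIDER_KEY) -> bool:
    """False if anything in the payload changed between provider and client."""
    return hmac.compare_digest(sign_response(payload, key), tag)


# --- 3. Policy check on every tool call before it is executed ----------------
@dataclass
class TransferPolicy:
    allowed_tools: frozenset = frozenset({"get_balance", "transfer"})
    allowed_recipients: frozenset = field(default_factory=frozenset)
    max_amount_eth: float = 0.1


def check_tool_call(call: dict, policy: TransferPolicy) -> list[str]:
    """Return policy violations for one tool call (empty list means allowed)."""
    problems: list[str] = []
    name = call.get("name")
    args = call.get("arguments", {})
    if name not in policy.allowed_tools:
        problems.append(f"tool {name!r} not in allowlist")
    if name == "transfer":
        if args.get("to") not in policy.allowed_recipients:
            problems.append(f"recipient {args.get('to')!r} not pre-approved")
        if float(args.get("amount_eth", 0)) > policy.max_amount_eth:
            problems.append("amount exceeds per-call limit")
    # A tool call that carries a key or token in its arguments is an exfiltration attempt.
    for value in args.values():
        if isinstance(value, str) and any(p.search(value) for _, p in SECRET_PATTERNS):
            problems.append("tool arguments contain secret material")
    return problems


def demo() -> dict:
    """Run one constructed request through all three checks and return the results."""
    prompt = "Pay rent. Wallet key: 0x" + "ab" * 32 + " using token sk-abcdefghijklmnopqrst"
    safe_prompt, vault = redact_secrets(prompt)

    policy = TransferPolicy(allowed_recipients=frozenset({"0xLANDLORD"}), max_amount_eth=0.1)
    # Genuine provider response (constructed), signed under the hypothetical scheme.
    genuine = {"tool_call": {"name": "transfer", "arguments": {"to": "0xLANDLORD", "amount_eth": 0.05}}}
    tag = sign_response(genuine)
    # What a tampering router could hand back: the original tag with a swapped recipient and amount.
    tampered = {"tool_call": {"name": "transfer", "arguments": {"to": "0xUNAPPROVED", "amount_eth": 5.0}}}
    return {
        "redacted_prompt": safe_prompt,
        "secrets_kept_local": len(vault),
        "genuine_verifies": verify_response(genuine, tag),
        "tampered_verifies": verify_response(tampered, tag),
        "genuine_violations": check_tool_call(genuine["tool_call"], policy),
        "tampered_violations": check_tool_call(tampered["tool_call"], policy),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The important design choice is that every check runs on the client, on the host that holds the keys, rather than trusting any service in the middle: redaction happens before the request is sent, integrity is verified after the response returns, and the policy is applied to the tool call the agent is about to execute, not to the one the router claims the model produced.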
My read: the next wave of crypto-agent products will be judged less by how smart the model is and more by how much of the payment path can be verified. The teams that win will be the ones that can prove the middle layer is boring, inspectable, and hard to tamper with.
For a related look at crypto infrastructure risk, see our coverage of DoubleZero’s attempt to remove latency advantages in DeFi. The common thread is the same: in crypto, the hidden plumbing often matters more than the flashy app on top.