AI Agent Routers Weaponized to Hijack Crypto Wallets

Researchers have identified 26 LLM routers vulnerable to manipulation that allows attackers to steal cryptocurrency credentials and execute unauthorized transactions. The discovery highlights critical security gaps as AI agents become increasingly central to crypto operations.

A critical vulnerability in large language model routing systems has exposed a blind spot in the emerging infrastructure supporting autonomous AI agents in crypto. Researcher Chaofan Shou recently identified 26 LLM routers that can be manipulated to execute malicious tool calls, effectively granting attackers the ability to extract credentials and drain connected cryptocurrency wallets. This discovery illuminates a fundamental security gap as the industry rapidly deploys AI agents for transaction execution, portfolio management, and decentralized finance operations without adequate safeguards at the routing layer.

LLM routers function as intermediaries that direct language model outputs toward appropriate tools and APIs—a necessary architecture when agents need to interact with blockchain networks, exchanges, or custodial systems. The vulnerability emerges because these routers often lack strict validation of which tools get invoked and under what conditions. A compromised or adversarially prompted router can be convinced to call sensitive functions like private key export or wallet approval transactions, effectively bypassing the user's explicit intent. Shou's research suggests the attack surface is broader than previously assumed, with multiple popular router implementations affected. This mirrors historical patterns in smart contract security, where infrastructure components developed before threat models were fully understood became honeypots for exploitation.

The implications extend beyond individual wallet theft. As AI agents become more autonomous in executing financial transactions on behalf of users or protocols, the router layer represents a critical choke point. Unlike smart contracts, which are immutable once deployed and therefore auditable, LLM behavior can shift with prompt variations, model updates, or subtle manipulations. An attacker might craft seemingly benign interaction patterns that cause a router to misclassify tool requests, extracting credentials incrementally without triggering obvious red flags. The decentralized finance ecosystem has already struggled with permission creep and approval scams; AI-mediated attacks introduce additional obfuscation layers that traditional wallet security cannot easily detect.

The crypto industry's response will likely involve implementing strict tool whitelisting, developing adversarial testing frameworks specific to LLM routers, and establishing clearer boundaries between what agents can request and what they can execute. Some protocols are experimenting with signed tool calls and additional cryptographic verification steps that would make credential theft more difficult even if router logic is compromised. As autonomous AI agents become more central to blockchain interaction, securing the routing and tool-calling infrastructure will prove as essential as auditing smart contracts.