Researchers at the University of California have discovered a brand-new type of threat in the artificial intelligence ecosystem that has the potential to put cryptocurrency users and developers at risk of having their sensitive assets stolen. This new category of risk is defined as threats that are created by third-party large language models which utilize routing systems between the user and the major AI providers (e.g. Amazon, Google) and create hidden points of vulnerability in the data flow. The research paper details an examination of malicious intermediary attacks that occur within the large-language-model supply chain. In part, the researcher attributes this vulnerability to the many ways that these large language model routing systems can potentially be exploited. The paper goes on to describe how some of these routing systems may engage in secretively manipulating requests, injecting harmful instructions, or retrieving private information (such as user authentication credentials or wallet related secrets).<h2>How AI routing systems introduce hidden risk</h2>In many modern AI solutions today, there is generally not a direct connection of the various AI applications to their respective model suppliers - Open AI, Anthropic or Google. The majority of the AI applications instead go through a routing service, which aggregates access to many different types of AI services, optimises costs and manages traffic. The routing platforms manage the encrypted web connections, however researchers pointed out a major problem with these routers - when a secure connection is finished (is terminated) in the router infrastructure any data being sent across that secure connection is still transmitted in plain data form. This means that the prompt(s) / response(s), and embedded instructions sent to the AI model will be exposed in their original format to the routing system before being forwarded on (between the model supplier and application user). As such, the routing layer creates an extreme degree of reliance on trust. A developer believes that their data is secure at both ends (end-to-end), while in reality the routing layer may have complete access to all sensitive input information.<h2>Four major attack vectors identified</h2>The research describes four main methods that bad or hacked AI routers may attack us.Malicious code injection is one of these methods, wherein an AI router alters the output of an AI or the instructions to use the AI to make an AI agent execute some harmful intent (e.g., a coding assistant could be tricked into inserting unauthorized script into a smart contract). Credential extraction - if users submit their private keys, seed phrases, API credentials and so on during AI-assisted development, the router could store this data. This poses a significant risk to cryptocurrency developers who frequently interact with wallets and blockchain infrastructure in this way. Manipulating tool calls - Many modern AI agents can execute external tools like code execution environments, data-fetchers and deployment systems. A compromised router could rewrite these tool calls in order to redirect funds; change contract addresses; or execute other unintended operations. Data exfiltration - Even if sensitive data is not explicitly stored inside a router, it's possible for it to exfiltrate some sort of private information by repeating interactions and examining metadata patterns.<h2>Real world implications for crypto developers</h2>These results suggest potential issues for blockchain application developers and digital asset managers who are utilizing artificial intelligence to assist them. These AI systems that have been developed by coding agents, including Claude coding assistant systems, can be used to create smart contracts, validate the wallet logic, and automate the deployment process of the application components. Unless developers specifically state otherwise in their ToS and Policies, when they enter any confidential data like a private key or a recovery phrase into an AI Prompt Interface they waive all rights of privacy for this information and allow third-party systems to access and use that information. If any router along the pathway from the Developer to the AI Model is compromised both the routers and the data will automatically continue to pass back and forth as long as they function as routers. Researchers caution these Risks are not hypothetical. Chaofan Shou, co-author of the research, has posted numerous postings on X showing incidents where LLM Routers previously identified were responsible for performing maliciously injected Tool Calls and stealing user's credentials. The researchers announced that they identified 26 routers that were behaving suspiciously.<h2>Why the problem is difficult to detect</h2>The routing infrastructure of AI is extremely complex and often not transparent or visible to developers who are utilizing this service. Many developers do not even realize that their requests are being processed and submitted to one or more intermediary services. If they do know, there is typically very little visibility available into the methods used by routers to process data as they do so. The use of routers terminating encrypted connections means that traditional end-to-end encryption guarantees are no longer valid for AI routing. Therefore, the security teams have no way of determining whether or not the data being transmitted has been logged, altered or rerouted appropriately. Furthermore, AI Agents follow their instructions and perform tool actions automatically. Because of this vulnerability, if a response includes both beneficial and detrimental instructions, then the AI Agent will not be able to detect the difference between them, and therefore will follow the malicious instructions without question.<h2>Growing need for secure AI infrastructure</h2>This research identifies an escalating concern in the overall growth of AI infrastructure as organisations increasingly depend on third-party intermediaries to enable their stacking of access to such models resulting in a growing number of potential attack vectors. Developers should therefore consider avoiding the transmission of sensitive data (e.g. private keys or recovery phrases) via an AI solution. Secure vault based workflows along with isolated execution environments should be used when developing applications which involve financial assets. In addition, the research calls for routing providers to provide better transparency through improved audit processes, more clearly defined data handling procedures, and end-to-end encryption models that do not allow the disclosure of plaintext data inside intermediary systems.<h2>Sources:</h2>1. Waterfront Capital – How AI Will Transform Banking. 2. Ocean View Technology – Shifting Towards Secure Technologies &amp; Processes For Financial Applications. <h2>Conclusion</h2>University of California researchers have shown that there is now a serious and growing risk to the AI ecosystem, with the integration of large language model tools into software development and financial applications; and the potential of routing infrastructure from third parties to be used as an avenue for future attacks. This means that for cryptocurrency users and developers, they will need to consider balancing their convenience on AI-developed applications with operational security (with consideration of how quickly and how easily assets can be lost).

UC researchers found that AI routing intermediaries expose plain text data, letting attackers steal crypto keys or inject malicious code. Using third-party AI routers breaks end-to-end security.


UC Researchers Warn Third Party AI Routers May Enable Crypto Theft


/media/contribution/car05212d7933f74fb3b29e23e8e6af8415/3l3_0424031236234.stxt

Bitcoin’s Quantum Upgrade Path: What BIP 360 Changes and What It Does Not

/media/contribution/carf291d1f925874cf499c90ae3687ec21a/n7y_0424033348076.stxt

Why Trading Crypto on Public Wi-Fi is a High-Stakes Gamble

/media/contribution/car0c667b2cb61749d8bbe060c7dd4ee431/gl5_0424030319239.stxt

South Korea Is Building a Crypto Tracking System — And Tax Evaders Should Be Paying Attention

/media/contribution/car3de7d9ae8e1b477997aa47e7362a864d/gmm_0424031747904.stxt

Crypto Veteran Li Lin Shifts Gears: Trading Team Heads to Hong Kong's Bitfire

/media/contribution/cardcd83a0d8e5f4d159a721b75dbff24d1/fmq_0424032210377.stxt

Bitcoin Signals Strength as Technical Indicators Flash Rare Buy Setup

/media/contribution/car559f376eb08141b5ac764b8622982932/kja_0424031523763.stxt