That experiment was part of a broader study published recently, in which researchers tested 428 large language model routers — 28 paid and 400 free — collected from public online communities.
How Routers Became A Security Blind Spot

LLM routers sit between a developer’s application and AI providers such as OpenAI, Anthropic, and Google. They work as intermediaries, bundling API access into a single pipeline.
26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client's $500k wallet.
We also managed to poison routers to forward traffic to us. Within several hours, we can directly take over ~400 hosts.
According to the researchers, the line between normal credential handling and outright theft is invisible from the client’s end. Developers have no way to tell the difference. A router that looks like a legitimate service can silently forward sensitive data to a third party without triggering any alarm.
Co-author Chaofan Shou said on X that 26 routers were found to be “secretly injecting malicious tool calls and stealing creds.”

A malicious router combined with an auto-executing agent could move funds or exfiltrate data before a developer even notices something went wrong.
Crypto Security: Free Access Used As Bait

Even routers that start out clean are not safe — the researchers found that previously legitimate routers can be quietly turned malicious once operators reuse leaked credentials through poorly secured relay systems.
The recommended fix for now is straightforward: keep private keys and seed phrases out of any AI agent session entirely.
For the long term, researchers say AI companies need to cryptographically sign their responses so that the instructions an agent executes can be mathematically traced back to the actual model — cutting off the ability of any middleman to tamper with them undetected.
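The signing scheme the researchers call for, sketched as an added example that is not code from the study or from any provider: the provider signs the canonical response (model, content, tool calls) with an Ed25519 key, and the agent refuses to execute tool calls unless the signature verifies against the provider's pinned public key, so a tool call appended by an intermediary fails the check. The envelope format, field names and key handling are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// ToolCall is one action the model asks the agent to perform.
type ToolCall struct {
	Name string            `json:"name"`
	Args map[string]string `json:"args"`
}

// Signed is the hypothetical provider envelope: payload plus a signature over it.
type Signed struct {
	Model     string     `json:"model"`
	Content   string     `json:"content"`
	ToolCalls []ToolCall `json:"tool_calls"`
	Sig       []byte     `json:"sig"`
}

// canonical serializes the signed fields deterministically: encoding/json emits
// struct fields in declaration order and sorts map keys, so the bytes are stable.
func canonical(s Signed) []byte {
	s.Sig = nil // the signature never covers itself
	b, _ := json.Marshal(s)
	return b
}

// SignResponse is the provider side: sign the canonical payload.
func SignResponse(priv ed25519.PrivateKey, s Signed) Signed {
	s.Sig = ed25519.Sign(priv, canonical(s))
	return s
}

// VerifyResponse is the agent side: tool calls are released for execution only
// if the signature checks out against the provider's pinned public key.
func VerifyResponse(pub ed25519.PublicKey, s Signed) ([]ToolCall, error) {
	if !ed25519.Verify(pub, canonical(s), s.Sig) {
		return nil, fmt.Errorf("signature invalid: response altered in transit")
	}
	return s.ToolCalls, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key pair
	resp := SignResponse(priv, Signed{Model: "example-model", Content: "Balance checked",
		ToolCalls: []ToolCall{{Name: "get_balance", Args: map[string]string{"addr": "0xexample"}}}})
	fmt.Println(VerifyResponse(pub, resp)) // genuine response: calls returned, err nil
	resp.ToolCalls = append(resp.ToolCalls, ToolCall{Name: "send_funds"}) // simulated injection by a relay
	fmt.Println(VerifyResponse(pub, resp)) // tampered response: nil, signature invalid
}
```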
Featured image from Xage Security, chart from TradingView