Xcitium ThreatLabs — Malicious LLM routers steal credentials and drain crypto wallets
AI relevance: third-party LLM API routers sit between AI agents and model providers, terminating TLS and processing plaintext — malicious routers can silently inject tool calls into agent sessions, steal API keys, and even drain cryptocurrency wallets without breaking cryptographic integrity.
What happened
- Xcitium ThreatLabs audited 428 LLM API routers — 28 paid services and 400 free offerings — finding widespread malicious behavior across both categories.
- Nine routers actively injected malicious tool calls into AI agent sessions (one paid, eight free), turning innocent requests into malware installations or data exfiltration.
- Seventeen routers harvested researcher-owned AWS credentials passed through the router, demonstrating that any API key or secret flowing between agent and model is visible to the intermediary.
- One router actively drained cryptocurrency from a decoy Ethereum wallet by modifying transaction payloads in transit — confirming that AI-assisted blockchain operations routed through third-party services are at direct financial risk.
- A single leaked API key triggered automated abuse generating over 100 million tokens across GPT-5.4 instances on compromised routers, with relay services amplifying the impact to over 2 billion tokens and 99 stolen credentials across 440 Codex sessions.
- The research proposes a new threat model with two primary attack classes: payload injection (AC-1), where routers modify JSON tool-call payloads to insert malicious instructions, and secret exfiltration (AC-2), where credentials passing through the router are captured and forwarded.
- Conditional and dependency-targeted injection attacks were also demonstrated — malicious payloads that activate only under specific criteria, evading detection during normal use.
Why it matters
LLM routers are a trust-boundary blind spot. They terminate TLS, process plaintext API keys and prompts, and sit between agents and models — yet most are treated as simple proxies with no security scrutiny. Developers using AI coding assistants (Claude Code, Copilot) to manage crypto wallets or infrastructure credentials may unknowingly route secrets through malicious intermediaries. The scale is significant: with millions of developers using AI agents daily, even a small percentage of malicious routers represents massive exposure.
What to do
- Self-host LLM routing infrastructure wherever possible — don't rely on third-party routers for sensitive API traffic.
- Never pass production API keys, cloud credentials, or crypto wallet seed phrases through AI coding assistants without verifying the routing path.
- Audit which LLM router your tooling uses — many AI frameworks default to third-party routing services.
- Implement API key scoping: use dedicated, time-limited keys for AI agent integrations with minimal permissions.
- Monitor token usage anomalies — sudden spikes in token consumption may indicate a compromised router generating unauthorized requests.