Solayer Says 26 LLM Routers Injected Malicious Calls, One Led to $500,000 Wallet Loss

According to a study cited by Solayer’s founder, multiple tested LLM API routers injected malicious code, including cases involving AWS canary credentials, theft of ETH tied to a private key, and large unintended token usage.

Summary

A study cited by Solayer’s founder said 9 of 428 tested LLM API routers actively injected malicious code, adding more specific findings to earlier security claims around third-party routing services. Researchers said 17 routers interacted with AWS canary credentials, one incident stole ETH from a private key, and poisoning tests generated 2 billion billable tokens across 440 Codex sessions. The findings underscore operational and financial risks tied to using third-party LLM API routers in AI and crypto-related workflows.

Terms & Concepts
  • LLM API router: A service that routes requests to large language models across providers or endpoints, often to optimize cost, performance, or availability.
  • ETH: The native cryptocurrency of the Ethereum network, used for transactions, fees, and smart contract activity.
  • AWS canary credentials: Decoy cloud credentials used to detect unauthorized access or misuse when systems or services improperly handle sensitive data.
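
The canary-credential idea defined above can be turned into a per-router check. The following is an added example, not code from the cited study or from Solayer: it assumes one unique decoy access key was planted in the traffic sent through each router, and it scans CloudTrail-style records for any use of those keys. The router names, key IDs and log lines are constructed for illustration.

```python
import json

# Constructed registry: one decoy AWS access key ID per router under test.
CANARY_KEYS = {
    "AKIAEXAMPLECANARY001": "router-a.example",
    "AKIAEXAMPLECANARY002": "router-b.example",
}

# Constructed CloudTrail-style records, one JSON object per line.
SAMPLE_EVENTS = """
{"eventTime": "2025-01-01T10:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.4", "userIdentity": {"accessKeyId": "AKIAEXAMPLEREALKEY01"}}
{"eventTime": "2025-01-01T10:05:12Z", "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLECANARY002"}}
this line is truncated and is not valid JSON
{"eventTime": "2025-01-01T10:05:40Z", "eventName": "ListUsers", "sourceIPAddress": "203.0.113.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLECANARY002"}}
{"eventTime": "2025-01-01T10:06:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9", "userIdentity": {"type": "IAMUser"}}
"""

def find_canary_hits(log_text, registry):
    """Return {router: [event summaries]} for every record that used a decoy key."""
    hits = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged records instead of aborting the scan
        if not isinstance(event, dict):
            continue
        identity = event.get("userIdentity")
        key_id = identity.get("accessKeyId") if isinstance(identity, dict) else None
        router = registry.get(key_id)
        if router is None:
            continue  # no key, or a real (non-decoy) key
        hits.setdefault(router, []).append({
            "time": event.get("eventTime"),
            "event": event.get("eventName"),
            "source_ip": event.get("sourceIPAddress"),
        })
    return hits

if __name__ == "__main__":
    for router, events in find_canary_hits(SAMPLE_EVENTS, CANARY_KEYS).items():
        print(f"{router}: decoy key used {len(events)} time(s)")
        for e in events:
            print(f"  {e['time']} {e['event']} from {e['source_ip']}")
```

Because each decoy key is issued to exactly one router, any hit attributes the leak to that router without inspecting the router itself.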