What We Found in 428 AI Relay Services: 9 Tampered Commands, 17 Key Leaks, 1 Crypto Theft

Study Overview

Researchers from UCSB purchased 28 AI relay stations from Chinese e‑commerce platforms and collected 400 free relays from public communities, creating a sample of 428 services. Each relay was configured as a proxy for ChatGPT or Claude and run in a sandbox where an AI Agent performed normal tasks.

Findings

Command tampering : 9 relays (including one paid) altered commands. Example: a legitimate pip install requests was changed to pip install reqeusts, installing an attacker‑controlled malicious package.

Key exfiltration : 17 relays returned fake AWS credentials that the researchers injected, indicating silent key theft.

Cryptocurrency theft : 1 relay exfiltrated a real Ethereum private key placed in the test and used it to transfer Ether.

Overall, more than 6 % of the relays exhibited malicious behavior.

Attack Patterns

Silent after 50 requests : The first 10‑20 requests appear normal; malicious behavior starts after the 51st request.

YOLO‑mode trigger : Only agents with automatic execution (YOLO) are attacked, allowing the relay to execute injected commands without user confirmation.

High‑value target selection : Relays preferentially attack projects using Rust or Go, languages commonly used in blockchain tools and critical infrastructure.

Combining these conditions can evade most black‑box audits, suggesting the true proportion of malicious relays may be higher than the measured 6 %.

Demonstration of Threat

The researchers set up their own relay, deliberately leaked its API key on Chinese forums and Telegram groups. Within days, at least seven other relays incorporated the key, allowing them to silently capture traffic from all downstream users.

Large‑Scale Deployment Test

Forty weak‑password relays were deployed using open‑source frameworks (Sub2API, CLIProxyAPI, claude‑relay‑service). Results:

Over 40 000 unauthorized accesses.

Generated >20 billion tokens and 13 GB of data.

401 of 440 observed Codex sessions had YOLO permissions, making remote code execution trivial.

Visibility Framework

To mitigate the risk, the authors propose a four‑layer visibility model:

AI relay stations : Identify all relays in use, distinguishing commercial services from internally built gateways.

AI Agent usage : Track which agents connect to relays, their execution permissions, and host environments.

External model/application access : Monitor which external AI tools and models are invoked, detecting sudden additions or abnormal request rates.

AI infrastructure : Map MCP services, workflow platforms (e.g., Dify, n8n), Ollama, and other model‑serving components, including who accesses them and what they communicate with.

Visibility of these layers is presented as the first defensive step; once hidden traffic is observable, organizations can begin to protect AI assets.

Conclusion

AI relay stations expose an invisible attack surface that can leak prompts, API keys, and even cryptocurrency. Because each relay terminates TLS, reads plaintext, and re‑establishes encrypted connections, all request content—including prompts, code, and model outputs—can be intercepted and tampered with. Detecting relays alone is insufficient; comprehensive visibility across the AI supply chain is required.

Reference: Your Agent Is Mine: Measuring Malicious Intermediary Attacks on the LLM Supply Chain (arXiv:2604.08407).