AI agents open crypto attack vector
Researchers warn that agentic AI systems used for crypto payments can let orchestration layers read and modify requests, potentially exposing private keys. The report argues that middleware and tool‑calling layers create a new large‑scale attack surface for wallets and payment flows (coindesk.com).
Crypto wallets are supposed to keep signing keys sealed off. Researchers say that breaks down when an artificial intelligence agent routes payment requests through orchestration and tool-calling layers that can read or alter the request in transit. (coindesk.com)

An agentic payment system is simple in concept: software gets a wallet, decides what to buy or pay for, and sends a blockchain transaction without a person clicking each step. Coinbase said in recent launches that its Payments Model Context Protocol and Agentic Wallets let models such as Claude, Gemini, and Codex access wallets and make onchain payments over its x402 standard. (coinbase.com 1) (coinbase.com 2) (docs.cdp.coinbase.com)

The weak point is the middle layer, not the blockchain itself. CoinDesk reported on April 13 that researchers found orchestration systems handling agent requests can inspect and modify data before it reaches the wallet, creating a path to expose private keys or tamper with payment instructions at scale. (coindesk.com)

That fits the basic design of the Model Context Protocol, the open standard many agent builders use to connect models to tools. Anthropic introduced the protocol in November 2024, and the official specification says it enables “arbitrary data access and code execution paths” and carries “important security and trust considerations.” (anthropic.com) (modelcontextprotocol.io)

In plain terms, the orchestration layer is a dispatcher sitting between the model and the wallet. If that dispatcher can see a signing request, swap an address, change an amount, or leak sensitive context, the wallet can end up authorizing the wrong action even when the underlying cryptography still works as designed. (coindesk.com) (modelcontextprotocol.io)

The warning lands as crypto companies are pushing harder to give agents spending power. Coinbase has been marketing wallets built for autonomous agents, while MoonPay said on March 13 that it added Ledger hardware signing to MoonPay Agents so users can verify each transaction on a separate device and keep keys off the agent. (coinbase.com) (moonpay.com)

Google Cloud laid out the same split in December 2025: either a third-party agent holds its own key and spends delegated funds, or the agent only prepares transactions for the user to sign. Google said most examples at the time still relied on agents configured with private keys, which concentrates risk in the agent host and its surrounding tooling. (cloud.google.com)

Wallet providers have been trying to avoid single points of failure with multi-party computation, a setup that breaks one private key into several shares so no one party reconstructs the full key. Alchemy’s developer guide says that design lets multiple parties sign jointly without any one party holding the complete secret, but it does not remove the need to trust the software that assembles and routes signing requests. (alchemy.com)

Security guidance around Model Context Protocol has been moving in the same direction. The official security best-practices docs focus on authorization flows and attack mitigation, and Microsoft warned in April 2025 that prompt-injection attacks can travel through Model Context Protocol connections and manipulate tool use. (modelcontextprotocol.io) (developer.microsoft.com)

The practical fix is not to let an agent or its middleware silently sign and send money. The companies pushing agentic payments are increasingly adding hardware signers, delegated balances, smart-contract limits, or human approval steps, which turns the wallet back into a checkpoint instead of a blind endpoint. (moonpay.com) (cloud.google.com)
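The following is an added illustration, not code from the article or from any of the companies it names, of what "the wallet as a checkpoint" looks like in practice: the two passages above about a dispatcher that can swap an address or change an amount, and about the fix of adding approval steps and spending limits. It models the user's separate approval device binding consent to an exact payment intent, and a wallet-side checkpoint that refuses to sign anything the orchestration layer has altered, replayed, or pushed past a limit. The HMAC approval tag stands in for a hardware signer's signature; the recipient allowlist, per-transaction limit, daily budget and all addresses and keys are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed policy values. A real wallet loads these from its own configuration,
# never from anything the agent or the orchestration layer sends along with a request.
ALLOWED_RECIPIENTS = {"0xMERCHANT_A", "0xMERCHANT_B"}  # placeholder addresses
PER_TX_LIMIT = 50.0    # largest single payment the agent may trigger
DAILY_BUDGET = 120.0   # cumulative cap on agent spending


def canonical(intent: dict) -> bytes:
    """Deterministic encoding so the approval tag and the wallet's check cover
    exactly the same fields (sorted keys, no whitespace)."""
    return json.dumps(intent, sort_keys=True, separators=(",", ":")).encode()


def approve(intent: dict, approval_key: bytes) -> str:
    """Runs on the user's approval device, out of band from the agent. The tag
    binds consent to this exact recipient, amount, asset and nonce. Here an HMAC
    stands in for the device's signature (hypothetical simplification)."""
    return hmac.new(approval_key, canonical(intent), hashlib.sha256).hexdigest()


@dataclass
class WalletCheckpoint:
    """The wallet side: signs only after checks that use wallet-held state."""
    approval_key: bytes
    spent_today: float = 0.0
    used_nonces: set = field(default_factory=set)

    def authorize(self, request: dict, approval_tag: str) -> tuple[bool, str]:
        """Decide whether to sign `request` exactly as the orchestration layer
        delivered it. Returns (decision, short reason code)."""
        # 1. Integrity: does the delivered request still match what the user approved?
        #    Any field the dispatcher changed (address, amount, nonce) breaks the tag.
        expected = hmac.new(self.approval_key, canonical(request), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, approval_tag):
            return False, "mismatch"
        # 2. Replay: an intact, approved request must not be submitted twice.
        if request["nonce"] in self.used_nonces:
            return False, "replay"
        # 3. Policy limits apply even to a correctly approved request (defence in depth
        #    against a compromised approval path or an over-generous click).
        if request["to"] not in ALLOWED_RECIPIENTS:
            return False, "recipient"
        if request["amount"] > PER_TX_LIMIT:
            return False, "per_tx_limit"
        if self.spent_today + request["amount"] > DAILY_BUDGET:
            return False, "budget"
        # All checks passed: record state, then hand canonical(request) to the chain's
        # signing routine (omitted; it depends on the target blockchain's library).
        self.used_nonces.add(request["nonce"])
        self.spent_today += request["amount"]
        return True, "ok"


def run_demo() -> list[str]:
    """Constructed scenarios: the middle layer forwards, alters, or replays a request."""
    key = b"constructed-approval-key-not-for-real-use"
    wallet = WalletCheckpoint(approval_key=key)
    intent = {"to": "0xMERCHANT_A", "amount": 20.0, "asset": "USDC", "nonce": 1}
    tag = approve(intent, key)  # user confirms this intent on their own device

    results = [
        wallet.authorize(dict(intent), tag)[1],                      # forwarded intact
        wallet.authorize({**intent, "to": "0xUNKNOWN_ADDR"}, tag)[1],  # address swapped
        wallet.authorize({**intent, "amount": 200.0}, tag)[1],       # amount inflated
        wallet.authorize(dict(intent), tag)[1],                      # same request replayed
    ]
    big = {"to": "0xMERCHANT_B", "amount": 80.0, "asset": "USDC", "nonce": 2}
    results.append(wallet.authorize(big, approve(big, key))[1])      # approved, but over limit
    return results


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The ordering of the checks matters: the integrity check runs first so a tampered request never consumes a nonce or budget, and the policy limits run even when the approval tag is valid, which is what gives the wallet an opinion of its own instead of deferring entirely to whatever arrived through the dispatcher.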