AI agents are poised to be crypto’s next major vulnerability

AI agents in crypto are increasingly embedded in wallets, trading bots and onchain assistants that automate tasks and make real-time decisions.
Though it’s not a standard framework yet, Model Context Protocol (MCP) is emerging at the heart of many of these agents. If blockchains have smart contracts to define what should happen, AI agents have MCPs to decide how things can happen.
It can act as the control layer that manages an AI agent’s behavior, such as which tools it uses, what code it runs and how it responds to user inputs.
That same flexibility also creates a powerful attack surface that can allow malicious plugins to override commands, poison data inputs, or trick agents into executing harmful instructions.
MCP attack vectors expose AI agents’ security issues
According to VanEck, the number of AI agents in the crypto industry had surpassed 10,000 by the end of 2024 and is expected to top 1 million in 2025.
Security firm SlowMist has discovered four potential attack vectors that developers need to look out for. Each attack vector is delivered through a plugin, which is how MCP-based agents extend their capabilities, whether it’s pulling price data, executing trades or performing system tasks.
- Data poisoning: This attack steers users into misleading steps, manipulating their behavior, creating false dependencies and inserting malicious logic early in the process.
- JSON injection attack: This plugin retrieves data from a local (potentially malicious) source via a JSON call. It can lead to data leakage, command manipulation or bypassing of validation mechanisms by feeding the agent tainted inputs.
- Competitive function override: This technique overrides legitimate system functions with malicious code. It prevents expected operations from occurring and embeds obfuscated instructions, disrupting system logic and hiding the attack.
- Cross-MCP call attack: This plugin induces an AI agent to interact with unverified external services through encoded error messages or deceptive prompts. It broadens the attack surface by linking multiple systems, creating opportunities for further exploitation.
These attack vectors are not synonymous with the poisoning of AI models themselves, like GPT-4 or Claude, which can involve corrupting the training data that shapes a model’s internal parameters. The attacks demonstrated by SlowMist target AI agents — which are systems built on top of models — that act on real-time inputs using plugins, tools and control protocols like MCP.
“AI model poisoning involves injecting malicious data into training samples, which then becomes embedded in the model parameters,” co-founder of blockchain security firm SlowMist “Monster Z” told Cointelegraph. “In contrast, the poisoning of agents and MCPs mainly stems from additional malicious information introduced during the model’s interaction phase.”
“Personally, I believe [poisoning of agents] threat level and privilege scope are higher than that of standalone AI poisoning,” he said.
MCP in AI agents a threat to crypto
The adoption of MCP and AI agents in crypto is still relatively new. SlowMist identified the attack vectors in pre-release MCP projects it audited, which limited actual losses to end users.
However, the threat level of MCP security vulnerabilities is very real, according to Monster, who recalled an audit in which the vulnerability could have led to private key leaks — a catastrophic ordeal for any crypto project or investor, as it could grant full asset control to uninvited actors.
“The moment you open your system to third-party plugins, you’re extending the attack surface beyond your control,” Guy Itzhaki, CEO of encryption research firm Fhenix, told Cointelegraph.
“Plugins can act as trusted code execution paths, often without proper sandboxing. This opens the door to privilege escalation, dependency injection, function overrides and — worst of all — silent data leaks,” he added.
Securing the AI layer before it’s too late
Build fast, break things — then get hacked. That’s the risk facing developers who push off security to version two, especially in crypto’s high-stakes, onchain environment.
The most common mistake builders make is to assume they can fly under the radar for a while and implement security measures in later updates after launch. That’s according to Lisa Loud, executive director of Secret Foundation.
“When you build any plugin-based system today, especially if it’s in the context of crypto, which is public and onchain, you have to build security first and everything else second,” she told Cointelegraph.
SlowMist security experts recommend developers implement strict plugin verification, enforce input sanitization, apply least privilege principles, and regularly review agent behavior.
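The following Python sketch is an added illustration of those four recommendations, not code from SlowMist or from any MCP implementation: plugins must match a pinned manifest hash, may not shadow an already registered tool (the function-override case), may only request scopes the agent was granted, and JSON tool results are reduced to a declared schema so smuggled fields never reach the agent. The manifest bytes, scope names and result schema are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

def pin(manifest: bytes) -> str:
    """SHA-256 of a plugin manifest; the allowlist stores these pins."""
    return hashlib.sha256(manifest).hexdigest()

@dataclass
class Plugin:
    name: str
    manifest: bytes   # raw manifest bytes exactly as shipped by the plugin
    tools: dict       # tool name -> scope it needs, e.g. {"get_price": "read"}

class PluginRegistry:
    """Gatekeeper: pinned manifests, no tool shadowing, least privilege."""

    def __init__(self, approved: dict, granted_scopes: set):
        self.approved = approved        # plugin name -> pinned manifest hash (assumed allowlist)
        self.granted = granted_scopes   # scopes this agent is allowed to use
        self.tools = {}                 # registered tool name -> plugin name

    def register(self, plugin: Plugin) -> list:
        """Return rejection reasons; an empty list means the plugin is loaded."""
        problems = []
        if self.approved.get(plugin.name) != pin(plugin.manifest):
            problems.append("manifest hash is not on the allowlist")
        for tool, scope in plugin.tools.items():
            if tool in self.tools:   # refuses to override an existing tool
                problems.append(f"tool {tool!r} already provided by {self.tools[tool]}")
            if scope not in self.granted:   # least privilege on scopes
                problems.append(f"tool {tool!r} needs scope {scope!r}, not granted")
        if not problems:
            self.tools.update({t: plugin.name for t in plugin.tools})
        return problems

def sanitize_tool_result(raw: str, schema: dict) -> dict:
    """Parse a JSON tool result, keeping only schema-declared, well-typed fields."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("tool result must be a JSON object")
    clean = {}
    for key, typ in schema.items():
        val = data.get(key)
        # bool is an int subclass in Python, so it is checked explicitly
        if isinstance(val, bool) != (typ is bool) or not isinstance(val, typ):
            raise ValueError(f"field {key!r} missing or wrongly typed")
        clean[key] = val
    return clean   # undeclared keys, e.g. a smuggled "instructions" field, are dropped
```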
Loud said it’s “not difficult” to implement such security checks to prevent malicious injections or data poisoning, just “tedious and time consuming” — a small price to pay to secure crypto funds.
As AI agents expand their footprint in crypto infrastructure, the need for proactive security cannot be overstated.
The MCP framework may unlock powerful new capabilities for those agents, but without robust guardrails around plugins and system behavior, they could turn from helpful assistants into attack vectors, placing crypto wallets, funds and data at risk.