Artificial Intelligence & Machine Learning, Blockchain & Cryptocurrency, Next-Generation Technologies & Secure Development
AI Tools Can Steal Crypto Autonomously, Even From Audited Code

Researchers developed an autonomous artificial intelligence tool that, armed with just a smart contract address, can scan for vulnerabilities, write working exploits in the Solidity blockchain programming language and siphon funds.
What once took a team of skilled attackers can now be executed in minutes by a single language model fine-tuned to think like a thief, in some cases beating even well-audited, “secure” protocols.
Academics from University College London and the University of Sydney describe in a pre-print paper how large language models can generate multi-step, end-to-end crypto attacks. The team’s agent, dubbed A1, doesn’t just theorize: it identifies weaknesses, writes real exploit code and runs it to validate the attack.
“The output of A1 isn’t just a report,” paper co-author Liyi Zhou told Information Security Media Group. “It includes actual executable code, and A1 runs the code to double check. It behaves more like a human hacker – it doesn’t just speculate, but writes proof-of-concept code and only reports an issue if the PoC passes concrete validation,” said the lecturer in computer science at the University of Sydney.
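The paper does not reproduce A1’s internals, but the behavior Zhou describes amounts to a validate-before-report loop: draft an exploit, run it against a copy of the chain, and only surface findings whose proof-of-concept actually pays off. The Python sketch below is purely illustrative; generate_exploit_candidate and run_on_fork are hypothetical placeholders, not code from A1 or any published framework.

```python
from dataclasses import dataclass


@dataclass
class RunResult:
    succeeded: bool
    profit_wei: int


def generate_exploit_candidate(contract_address: str) -> str:
    """Hypothetical stand-in for an LLM call that drafts Solidity exploit code."""
    raise NotImplementedError("placeholder only; not part of A1")


def run_on_fork(candidate: str) -> RunResult:
    """Hypothetical stand-in for running the candidate in a sandboxed chain fork."""
    raise NotImplementedError("placeholder only; not part of A1")


def report_if_validated(contract_address: str, max_attempts: int = 5):
    """Surface a finding only when a proof-of-concept concretely succeeds."""
    for _ in range(max_attempts):
        candidate = generate_exploit_candidate(contract_address)
        result = run_on_fork(candidate)
        if result.succeeded and result.profit_wei > 0:
            return {"target": contract_address, "poc": candidate, "profit_wei": result.profit_wei}
    return None  # no passing proof-of-concept, so nothing is reported
```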
Smart contracts are especially vulnerable to AI-driven exploits because they are publicly accessible on the blockchain. Anyone, including an AI agent, can retrieve the source code or bytecode without reverse engineering. This makes it easier for LLMs to analyze contract logic and identify exploitable patterns. Smart contracts also follow clear, rule-based execution flows with predictable state transitions, which align with the step-by-step reasoning capabilities of advanced AI models. AI agents such as A1 can simulate potential attack paths and validate exploits quickly by deploying test transactions in sandboxed environments.
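Retrieving that public code takes a single RPC call. The sketch below, using web3.py’s v6-style API, shows how any client can pull a contract’s deployed bytecode; the endpoint URL and address are placeholders, not values from the research.

```python
from web3 import Web3

# Placeholder RPC endpoint and contract address; substitute real values.
RPC_URL = "https://example-rpc-endpoint.invalid"
CONTRACT = "0x0000000000000000000000000000000000000000"

w3 = Web3(Web3.HTTPProvider(RPC_URL))

# Deployed bytecode is public: any client, human or AI agent, can fetch it directly.
bytecode = w3.eth.get_code(Web3.to_checksum_address(CONTRACT))
print(f"fetched {len(bytecode)} bytes of deployed bytecode")
```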
Exploits in smart contracts also often result in visible, real-time effects such as fund transfers or transaction reverts, giving AI agents an instant signal on whether the attack worked and allowing them to refine their approach autonomously. Exploiting traditional systems typically involves interacting with complex environments, hidden backends or operating system behavior that AI models still struggle to handle (see: Vibe Hacking Not Yet Possible).
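That feedback is easy to read programmatically. A minimal sketch, assuming a locally forked node (such as Anvil or Hardhat) at the default endpoint and a placeholder hash for an already-submitted exploit transaction:

```python
from web3 import Web3

# Assumes a locally forked node (e.g. Anvil or Hardhat) at the default endpoint.
w3 = Web3(Web3.HTTPProvider("http://127.0.0.1:8545"))

ATTACKER = Web3.to_checksum_address("0x0000000000000000000000000000000000000001")  # placeholder
TX_HASH = "0x" + "00" * 32  # placeholder hash of an already-submitted exploit transaction

receipt = w3.eth.wait_for_transaction_receipt(TX_HASH)
block = receipt["blockNumber"]

# Compare the attacker balance just before and just after the exploit's block.
balance_before = w3.eth.get_balance(ATTACKER, block_identifier=block - 1)
balance_after = w3.eth.get_balance(ATTACKER, block_identifier=block)

# status == 1 means the transaction executed; 0 means it reverted.
if receipt["status"] == 1 and balance_after > balance_before:
    print("candidate paid off:", balance_after - balance_before, "wei gained")
else:
    print("candidate reverted or yielded nothing; refine and retry")
```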
Researchers said that A1 could find vulnerabilities in contracts that had not been part of its training set, including some linked to incidents that occurred after the model’s knowledge cutoff. The agent wasn’t simply regurgitating known flaws, but discovering new ones and producing proof-of-concept exploits from scratch.
“We showed that models like o3-pro could discover vulnerabilities in incidents that occurred after their training cutoff date,” Zhou said. He characterized A1’s performance as “good as an average security engineer, if not better.”
One of the most surprising insights was that A1 generated multi-step exploits that go beyond what traditional fuzzers can find, Zhou said. A1 was able to plan coordinated attacks using multiple actors and helper contracts without any hard-coded rules. In at least one research case, an AI-powered exploit agent launched an attack, confirmed its findings and executed a crypto theft in less than two minutes.
Blockchain intelligence firm TRM Labs said the findings underscore an increasing threat posed by AI-driven exploits in smart contracts. “AI can automate the discovery of vulnerabilities and craft more targeted attacks, which makes it a powerful tool in the hands of cybercriminals,” said Ari Redbord, global head of policy.
Paper authors said A1 discovered vulnerabilities that eluded tools typically wielded by auditors. Because the LLM reasons through the contract’s logic in stages and coordinates helpers, such as deployable attacker-controlled contracts, it can craft exploit paths that are novel and highly specific to the target. These are exactly the kinds of issues that might slip through automated scans or even seasoned code reviewers.
Zhou said decentralized finance projects should assume that attackers can run these agents, which means defenders need to run them too. “Project teams should use tools like A1 themselves to continuously monitor their own protocol, rather than waiting for third parties to find issues,” he said. “If you rely on third-party teams, you’re essentially trusting that they’ll act in good faith and stay within the 10% bounty, which from a security perspective, is a very strange assumption.”
The research team behind A1 has not released zero-day disclosures from its framework, but it is engaging with the Ethereum security community on responsible mitigation strategies. The architecture is tailored to Ethereum for now, but Zhou said it can be extended to other blockchain ecosystems.
“AI is refining and accelerating existing techniques rather than inventing entirely new ones,” said TRM’s Redbord. “That makes it easier for bad actors to automate and scale their operations and that’s the real challenge ahead.”