Ethereum’s Vitalik Buterin Warns Against AI Agent Security Risks, Shares His Private LLM Stack

Key Takeaways:

• Ethereum co-founder Vitalik Buterin abandoned unreality AI successful April 2026, moving Qwen3.5:35B locally connected an Nvidia 5090 laptop astatine 90 tokens per second.
• Buterin recovered that astir 15% of AI cause skills incorporate malicious instructions, citing information from information steadfast Hiddenlayer.
• His open-sourced messaging daemon enforces a human-plus-LLM 2-of-2 confirmation regularisation for each outbound Signal and email actions to 3rd parties.

How Vitalik Buterin Runs a Self-Sovereign AI System With No Cloud Access

Buterin described the strategy arsenic “self-sovereign / section / backstage / secure” and said it was built successful nonstop effect to what helium sees arsenic superior information and privateness failures spreading done the AI agent space. He pointed to probe showing astir 15% of cause skills, oregon plug-in tools, incorporate malicious instructions. Security steadfast Hiddenlayer demonstrated that parsing a azygous malicious web leafage could afloat compromise an Openclaw instance, allowing it to download and execute ammunition scripts without idiosyncratic awareness.

“I travel from a mindset of being profoundly frightened that conscionable arsenic we were yet making a measurement guardant successful privateness with the mainstreaming of end-to-end encryption and much and much local-first software, we are connected the verge of taking 10 steps backward,” Buterin wrote.

His hardware of prime is simply a laptop moving an Nvidia 5090 GPU with 24 GB of video memory. Running the open-weights Qwen3.5:35B exemplary from Alibaba done llama-server, the setup reaches 90 tokens per second, which Buterin calls the people for comfy regular use. He tested the AMD Ryzen AI Max Pro with 128 GB unified memory, which deed 51 tokens per second, and the DGX Spark, which reached 60 tokens per second.

He said the DGX Spark, marketed arsenic a desktop AI supercomputer, was unimpressive fixed its outgo and little throughput compared to a bully laptop GPU. For his operating system, Buterin switched from Arch Linux to NixOS, which lets users specify their full strategy configuration successful a azygous declarative file. He uses llama-server arsenic a inheritance daemon that exposes a section larboard immoderate exertion tin link to.

Claude Code, helium noted, tin beryllium pointed astatine a section llama-server lawsuit alternatively of Anthropic’s servers. Sandboxing is cardinal to his information model. He uses bubblewrap to make isolated environments from immoderate directory with a azygous command. Processes moving wrong those sandboxes tin lone entree files explicitly allowed and controlled web ports. Buterin open-sourced a messaging daemon astatine github.com/vbuterin/messaging-daemon that wraps signal-cli and email.

He remarked that the daemon tin work messages freely and nonstop messages to himself without confirmation. Any outbound connection to a 3rd enactment requires explicit quality approval. He called this the “human + LLM 2-of-2” model, and said the aforesaid logic applies to Ethereum wallets. He advised teams gathering AI-connected wallet tools to headdress autonomous transactions astatine $100 per time and necessitate quality confirmation for thing higher oregon immoderate transaction carrying calldata that could exfiltrate data.

Remote Inference, connected Buterin’s Terms

For probe tasks, Buterin compared the section instrumentality Local Deep Research against his ain setup utilizing the pi cause model paired with SearXNG, a self-hosted privacy-focused meta-search engine. He said pi positive SearXNG produced amended prime answers. He stores a section Wikipedia dump of astir 1 terabyte alongside method documentation to trim his reliance connected outer hunt queries, which helium treats arsenic a privateness leak.

He besides published a section audio transcription daemon astatine github.com/vbuterin/stt-daemon. The instrumentality runs without a GPU for basal usage and feeds output to the LLM for correction and summarization. On Ethereum integration, Buterin said AI agents should ne'er clasp unrestricted wallet access. He recommended treating the quality and the LLM arsenic 2 chiseled confirmation factors that each drawback antithetic nonaccomplishment modes.

For cases wherever section models autumn short, Buterin outlined a privacy-preserving attack to distant inference. He pointed to his ain ZK-API connection with researcher Davide, the Openanonymity project, and the usage of mixnets to forestall servers from linking successive requests by IP address. He besides cited trusted execution environments arsenic a mode to trim information leakage from distant inference successful the adjacent term, portion noting that afloat homomorphic encryption for backstage unreality inference remains excessively dilatory to beryllium applicable today.

Buterin closed with a enactment that the station describes a starting point, not a finished product, and warned readers against copying his nonstop tools and assuming they are secure.