Vitalik Buterin warns of security risks posed by AI agents, shares his private LLM stack

ethereum

April 5, 2026

In a recent blog post, Ethereum co-founder Vitalik Buterin explained his decision to move away from cloud AI services in favor of a fully local, sandboxed artificial intelligence (AI) system. The move responds to growing security and privacy concerns in the AI agent space, with research indicating that 15% of AI agent skills may contain malicious instructions.

To establish his self-sovereign, local, private, and secure AI setup, Buterin relies on a laptop equipped with an Nvidia 5090 GPU with 24 GB of video memory. Running the open-weights Qwen3.5:35B model locally on this hardware, he reaches his daily-use target of 90 tokens per second. By contrast, alternative setups such as the AMD Ryzen AI Max Pro and the DGX Spark delivered lower throughput; the latter, despite being marketed as a desktop AI supercomputer, did not impress Buterin on either cost or performance compared with a high-quality laptop GPU.

Buterin hardens the system further with the NixOS operating system, bubblewrap for process sandboxing, and a messaging daemon that enforces a two-factor rule on all outbound communication with third parties. Under this approach, which Buterin calls the “human + LLM 2-of-2” model, sensitive operations and interactions require explicit human approval; he applies the same pattern to Ethereum wallets to guard against unauthorized transactions and data exfiltration.

For AI research tasks, Buterin points to his own custom tools, such as Local Deep Research paired with the pi agent framework and SearXNG. By keeping a local Wikipedia dump and technical documentation on disk, he minimizes external search queries, which he considers a privacy risk. He also built a local audio transcription daemon that does not need the GPU for its primary use and feeds its output to the LLM for correction and summarization.

Looking ahead, Buterin stresses that AI agents’ access to wallets must be restricted to prevent unauthorized transactions, and he proposes treating the human and the LLM as distinct confirmation factors so that a range of failure modes is covered. For cases where local models fall short, he outlines a privacy-preserving approach to remote inference: ZK-API proposals, the Openanonymity project, mixnets to anonymize requests, and trusted execution environments to limit data leakage during remote inference. He acknowledges that fully homomorphic encryption remains too slow for practical use at present.
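The 2-of-2 rule that the messaging daemon and the wallet guidance above both rely on, modelled as an added Python example (not Buterin's daemon or any code from his post; class and method names are assumptions): the agent can only propose an outbound message or wallet transaction, the human approves the exact same digest out of band, and the gate refuses anything unproposed, unapproved, edited after approval, or replayed.

```python
# Added illustration, not code from Buterin's post: a toy "human + LLM 2-of-2"
# egress gate. Class and method names are assumptions made for this example.
from dataclasses import dataclass, field
import hashlib
import json

@dataclass(frozen=True)
class OutboundAction:
    kind: str          # e.g. "message" or "wallet_tx"
    recipient: str
    payload: str

    def digest(self) -> str:
        # Canonical hash binds approval to these exact fields; an action the
        # agent edits after approval hashes differently and is refused.
        raw = json.dumps(self.__dict__, sort_keys=True).encode()
        return hashlib.sha256(raw).hexdigest()

@dataclass
class TwoOfTwoGate:
    proposed: dict = field(default_factory=dict)  # digest -> action (LLM factor)
    approved: set = field(default_factory=set)    # digests the human confirmed

    def llm_propose(self, action: OutboundAction) -> str:
        # Factor 1: the agent can only queue an action, never send it.
        d = action.digest()
        self.proposed[d] = action
        return d

    def human_approve(self, digest: str) -> bool:
        # Factor 2, out of band; the human cannot approve what the agent never
        # proposed, so neither party alone can cause egress.
        if digest not in self.proposed:
            return False
        self.approved.add(digest)
        return True

    def is_authorized(self, action: OutboundAction) -> bool:
        d = action.digest()
        return d in self.proposed and d in self.approved

    def send(self, action: OutboundAction) -> str:
        # Sole egress path; approval is single-use, so a replay needs a fresh round.
        if not self.is_authorized(action):
            raise PermissionError(f"blocked {action.kind} to {action.recipient}")
        d = action.digest()
        del self.proposed[d]
        self.approved.discard(d)
        return d
```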

Overall, Buterin’s AI setup represents a starting point for individuals looking to establish secure, self-sovereign AI systems. His detailed approach underscores the critical importance of prioritizing privacy, security, and user control in the development and deployment of AI technologies.