Ethereum founder shifts to local AI for security reasons
Vitalik Buterin has made a significant change in how he uses artificial intelligence. He’s stopped using cloud-based AI services entirely and now runs everything on his own machines. This isn’t just a personal preference—he’s actively encouraging others to follow his lead.
In a detailed post from April 2026, Buterin described building what he calls a “self-sovereign, local, private, and secure” AI setup. His concerns stem from what he sees as a dangerous trend: just as end-to-end encryption and local-first software were becoming mainstream, we might be taking “ten steps back” by feeding our personal lives to cloud AI.
The agent problem and security risks
What’s changed Buterin’s perspective is the evolution of AI itself. It’s no longer just chatbots answering questions. Modern AI systems can act as “agents”—they use hundreds of tools to complete tasks autonomously. Buterin believes people aren’t taking the security implications seriously enough.
Research on tools like OpenClaw supports his concerns. Studies found that AI agents can modify important computer settings or messaging channels without user permission. A compromised website could trick an AI agent into downloading and running malicious scripts, potentially giving attackers complete control over a user’s computer.
Perhaps more troubling, about 15% of the “skills” these agents use contain hidden commands that quietly send user data to external servers. Shahaf Bar-Geffen from COTI summarized the privacy concern well: “Without privacy, Web3 is doomed to be a kind of castle in the sky that sounds great in theory, but in practice simply doesn’t work.”
Practical implementation and performance testing
Buterin’s solution involves keeping everything local. He tested various hardware setups using the Qwen3.5:35B model and found that anything under 50 tokens per second was too slow to be useful—just “too annoying” in his words. For his own work, he determined that 90 tokens per second represents the ideal speed.
His testing revealed some interesting results. The NVIDIA 5090 Laptop performed best, reaching that 90 tokens per second target. Meanwhile, the DGX Spark—marketed as a personal supercomputer—only managed 60 tokens per second, which Buterin called “lame,” noting that a high-end laptop offered a superior experience.
On the software side, he uses NixOS and runs llama-server in the background. He also employs bubblewrap, a tool that creates isolated environments to restrict AI access to specific files. He treats AI similarly to how Ethereum developers approach smart contracts: useful, but not fully trustworthy.
Workarounds and practical considerations
Since local models aren’t as capable as cloud ones for complex reasoning tasks, Buterin has developed practical workarounds. One approach involves a 2-of-2 confirmation system where the AI drafts content—like an email or transaction—but nothing gets sent until a person approves it.
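One way such a 2-of-2 gate could be enforced in code, as an added example that is not taken from Buterin's post or setup: the class names are hypothetical, and binding each approval to the exact draft with an HMAC is an assumption about implementation, since the article only says nothing is sent until a person approves.

```python
import hashlib
import hmac
import json
import secrets


def canonical(action):
    """Stable byte encoding so an approval covers exactly what will be sent."""
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()


class HumanApprover:
    """The person's half of the 2-of-2; the key never reaches the agent."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._used = set()

    def _mac(self, nonce, action):
        msg = nonce.encode() + b"|" + canonical(action)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def approve(self, action):
        # Called only from the review UI, after the person has read the draft.
        nonce = secrets.token_hex(8)
        return nonce + ":" + self._mac(nonce, action)

    def verify_once(self, action, token):
        nonce, _, mac = str(token).partition(":")
        expected = self._mac(nonce, action)
        if nonce in self._used or not hmac.compare_digest(expected.encode(), mac.encode()):
            return False
        self._used.add(nonce)  # one approval authorizes one send
        return True


class Outbox:
    """The only path to the network; refuses anything lacking a valid approval."""

    def __init__(self, approver):
        self._approver = approver
        self.sent = []

    def send(self, action, token=None):
        if token is None or not self._approver.verify_once(action, token):
            return False
        self.sent.append(action)  # stand-in for the real SMTP or RPC call
        return True


# Constructed sample draft, as an agent might produce it.
DRAFT = {"type": "email", "to": "alice@example.org", "body": "Meeting moved to 3pm"}
```

Because the approval is computed over the canonical draft, an agent that changes the recipient or body after the person has signed off is refused, and a used approval cannot be replayed.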
He also maintains a 1 TB local folder containing Wikipedia data, allowing him to look up information without sending queries to the internet. When he does need to use a remote model, he routes the request through a local model first to filter out sensitive information.
Buterin acknowledges that not everyone can afford their own setup. For those individuals, he suggests collaborating with a small group to purchase a shared computer with stable internet access that can be used remotely.
His overall philosophy seems straightforward: with AI becoming increasingly pervasive, being cautious is simply common sense. Keeping things local, using sandboxes, and maintaining a healthy skepticism about the system represent practical ways to retain control over one’s digital life. It’s not about rejecting AI technology, but about using it in ways that prioritize security and personal sovereignty.