Large-Scale "LLMjacking" Campaign Exploits Exposed AI Endpoints for Profit
Researchers at Pillar Security have uncovered a sophisticated cybercrime operation dubbed "Bizarre Bazaar", one of the first documented cases of "LLMjacking" a campaign targeting exposed or poorly secured AI infrastructure for financial gain. Over a 40-day period, the team recorded over 35,000 attack sessions on their honeypots, revealing a coordinated effort to monetize unauthorized access to large language model (LLM) endpoints.
The campaign exploits misconfigured or unauthenticated AI services, including self-hosted LLMs, exposed APIs, publicly accessible Model Context Protocol (MCP) servers, and development environments with public IP addresses. Attackers frequently target Ollama endpoints on port 11434, OpenAI-compatible APIs on port 8000, and unauthenticated production chatbots, often striking within hours of a misconfigured endpoint appearing in Shodan or Censys scans.
Once compromised, threat actors leverage the access for multiple malicious purposes:
- Cryptocurrency mining using stolen computing resources
- Reselling API access on darknet markets
- Exfiltrating sensitive data from prompts and conversation histories
- Pivoting into internal systems via MCP servers for lateral movement
Pillar Security’s report highlights a criminal supply chain involving three distinct threat actors. The first scans the internet for vulnerable endpoints, the second validates and tests access, and the third operates Silver[.]inc, a commercial service advertised on Telegram and Discord that resells access to compromised AI infrastructure. The platform, marketed under the name NeXeonAI, claims to provide access to over 50 AI models from major providers in exchange for cryptocurrency or PayPal payments.
The operation has been attributed to a threat actor using the aliases "Hecker," "Sakuya," and "LiveGamer101." While Bizarre Bazaar focuses on LLM API abuse, Pillar Security is tracking a separate but potentially related campaign targeting MCP endpoints, which offers greater opportunities for lateral movement including Kubernetes interactions, cloud service access, and shell command execution.
As of the latest findings, the campaign remains active, with SilverInc’s service still operational. The full scope of the operation and its potential connections to other threat groups are still under investigation.
OpenAI cybersecurity rating report: https://www.rankiteo.com/company/openai
Ollama cybersecurity rating report: https://www.rankiteo.com/company/ollama
"id": "OPEOLL1769611516",
"linkid": "openai, ollama",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'type': ['AI service providers',
'Organizations with misconfigured AI '
'endpoints']}],
'attack_vector': ['Exposed AI endpoints',
'Misconfigured APIs',
'Unauthenticated MCP servers',
'Publicly accessible development environments'],
'data_breach': {'data_exfiltration': True,
'sensitivity_of_data': 'High (personally identifiable or '
'proprietary information)',
'type_of_data_compromised': 'Sensitive data from prompts and '
'conversation histories'},
'description': 'Researchers at Pillar Security uncovered a sophisticated '
"cybercrime operation dubbed 'Bizarre Bazaar,' targeting "
'exposed or poorly secured AI infrastructure for financial '
"gain. The campaign, known as 'LLMjacking,' recorded over "
'35,000 attack sessions on honeypots over a 40-day period. '
'Attackers exploit misconfigured or unauthenticated AI '
'services, including self-hosted LLMs, exposed APIs, and '
'publicly accessible MCP servers, often within hours of their '
'appearance in Shodan or Censys scans. Compromised access is '
'used for cryptocurrency mining, reselling API access, '
'exfiltrating sensitive data, and pivoting into internal '
'systems.',
'impact': {'data_compromised': 'Sensitive data from prompts and conversation '
'histories',
'operational_impact': 'Unauthorized use of computing resources for '
'cryptocurrency mining',
'systems_affected': ['Self-hosted LLMs',
'Exposed APIs',
'MCP servers',
'Internal systems via lateral movement']},
'initial_access_broker': {'data_sold_on_dark_web': 'Access to compromised AI '
'infrastructure via '
'Silver[.]inc',
'entry_point': ['Exposed AI endpoints',
'Misconfigured APIs',
'Unauthenticated MCP servers']},
'investigation_status': 'Active',
'motivation': ['Financial gain',
'Reselling API access',
'Cryptocurrency mining',
'Data exfiltration'],
'post_incident_analysis': {'root_causes': ['Misconfigured or unauthenticated '
'AI services',
'Exposed endpoints in '
'Shodan/Censys scans']},
'references': [{'source': 'Pillar Security'}],
'threat_actor': ['Hecker', 'Sakuya', 'LiveGamer101'],
'title': "Large-Scale 'LLMjacking' Campaign Exploits Exposed AI Endpoints for "
'Profit',
'type': 'LLMjacking',
'vulnerability_exploited': ['Unauthenticated AI services',
'Misconfigured Ollama endpoints (port 11434)',
'OpenAI-compatible APIs (port 8000)',
'Publicly accessible production chatbots']}