Security researchers have uncovered what appears to be the first major, systematic campaign of its kind targeting exposed large language model (LLM) servers and related infrastructure. Between December 2025 and January 2026, specially set-up honeypots recorded about 35,000 attack attempts, averaging nearly 1,000 probes per day against unsecured AI endpoints.
Dubbed Operation Bizarre Bazaar by the Pillar Security research team, the campaign illustrates how cybercriminals are probing the internet for poorly configured LLM services and turning unauthorized access into profit.
How the Attack Chain Works
The operation isn’t random — it’s a coordinated effort involving multiple groups playing different roles:
- Scanners continuously sweep for exposed AI services.
- Once a vulnerable endpoint is found, infrastructure linked to a group called silver.inc tests and validates access.
- silver.inc then resells the unauthorized access, covering over 30 models from various providers, through Discord and Telegram, accepting payments in cryptocurrency and PayPal. This marketplace runs on so-called “bulletproof” hosting in the Netherlands.
Many of the exploited systems are insecure simply because they were left open: self-hosted LLMs like Ollama running on default ports with no authentication, OpenAI-compatible APIs exposed to the public internet, and Model Context Protocol (MCP) servers without access controls. Once these show up in internet scanning tools like Shodan or Censys, attackers move in within hours.
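For defenders, the scan-then-validate pattern described above is visible in the access logs of a proxy placed in front of an LLM endpoint. The following is an added example, not code from the Pillar Security research: it assumes combined-format access logs, a hypothetical `TRUSTED_NETS` range, and the standard Ollama and OpenAI-compatible API routes; the sample log lines and the labels `probe`, `exposed` and `abused` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: combined-format lines from a reverse proxy in front of
# an Ollama / OpenAI-compatible endpoint (addresses are documentation ranges).
SAMPLE_LOG = """\
10.0.4.17 - - [12/Jan/2026:09:14:02 +0000] "POST /api/chat HTTP/1.1" 200 1843 "-" "internal-app/1.2"
203.0.113.45 - - [12/Jan/2026:09:15:10 +0000] "GET /api/tags HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.45 - - [12/Jan/2026:09:15:12 +0000] "POST /api/generate HTTP/1.1" 200 9021 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2026:09:20:44 +0000] "GET /v1/models HTTP/1.1" 401 0 "-" "curl/8.5.0"
198.51.100.9 - - [12/Jan/2026:09:31:05 +0000] "GET /v1/models HTTP/1.1" 200 733 "-" "Go-http-client/1.1"
"""

LIST_PATHS = {"/api/tags", "/api/version", "/v1/models"}          # model enumeration
INFER_PATHS = {"/api/generate", "/api/chat",
               "/v1/chat/completions", "/v1/completions"}         # billable inference
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: your internal range
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
RANK = {"probe": 1, "exposed": 2, "abused": 3}

def classify(log_text):
    """Return {source_ip: worst finding} for untrusted clients touching LLM routes."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an access-log line
        src, _method, target, status = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue                      # hostname or malformed client field
        if any(addr in net for net in TRUSTED_NETS):
            continue                      # expected internal consumer
        path = target.split("?", 1)[0]
        if path not in LIST_PATHS | INFER_PATHS:
            continue
        if not status.startswith("2"):
            label = "probe"               # request was rejected: auth is doing its job
        elif path in INFER_PATHS:
            label = "abused"              # outsider obtained a completion
        else:
            label = "exposed"             # outsider could list models without auth
        if RANK[label] > RANK.get(findings.get(src), 0):
            findings[src] = label
    return findings

if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE_LOG).items()):
        print(f"{ip}\t{label}")
```

Any `exposed` or `abused` result means the endpoint answered an untrusted client, so the fix is at the listener: bind it to an internal interface or require authentication at the proxy.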
A Closer Threat Than You Might Think
The research didn’t just stop at cataloging the attacks — it traced the operation back to a threat actor using the alias “Hecker” (also seen as Sakuya and LiveGamer101). The attack infrastructure overlaps with another site (nexeonai.com) previously accused of abusive activity, and shared infrastructure details suggest a broader pattern of misuse.
More Than Just Hijacking AI Compute
Another related trend uncovered by the researchers focuses on MCP servers, which are often used to connect LLMs with internal systems and data. By scanning and probing these endpoints, attackers could potentially use them to move laterally inside networks — reading files, dumping credentials, or accessing databases. A single unsecured MCP server could become a gateway into an organization’s deeper infrastructure.
Risks Go Beyond Stolen Compute
This isn’t just about cheap AI compute being stolen. The campaign raises wider concerns:
- Unauthorized usage costs — criminals profit off expensive model usage while victims pay full price.
- Data leakage — context data processed by the AI (like customer info or internal prompts) could be exfiltrated.
- Internal access through insecure integrations could expose sensitive systems beyond just the LLM itself.
If you’re running AI infrastructure, this serves as a wake-up call: unsecured LLM and MCP endpoints not only waste compute and money, they can also put your systems and data at serious risk.
