"Between December 2025 and January 2026, security researchers discovered a disturbing evolution in AI-targeted cyber threats. Honeypots recorded 35,000 attack sessions targeting exposed AI infrastructure, averaging 972 attacks per day. The campaign, discovered by Pillar Security Research Team, was named Operation Bizarre Bazaar. It is the first public documentation of a systematic campaign targeting exposed LLM and Model Context Protocol (MCP) endpoints at scale, with complete commercial monetization."
"The campaign involves three interconnected threat actors. A scanner infrastructure systematically searches for exposed AI endpoints. Infrastructure linked to silver.inc then validates the endpoints through API testing. Finally, silver.inc operates as a commercial marketplace that resells access to more than 30 LLM providers at reduced prices without legitimate authorization. The service runs on bulletproof infrastructure in the Netherlands and sells via Discord and Telegram, accepting cryptocurrency and PayPal payments."
"Common misconfigurations that are actively exploited include: Ollama running on port 11434 without authentication, OpenAI-compatible APIs on port 8000 exposed to the internet, MCP servers accessible without access controls, and production chatbot endpoints without authentication or rate limiting. The attackers do not guess. They use Shodan and Censys to find endpoints. Once an endpoint appears in scan results, exploitation attempts begin within hours. The OWASP Top 10 for Large Language Models 2025 identifies prompt injection and sensitive information disclosure as primary risks in LLM applications."
Between December 2025 and January 2026, 35,000 attack sessions targeted exposed AI infrastructure, averaging 972 attacks per day. The campaign operates a coordinated supply chain with scanners that find endpoints, validation infrastructure linked to silver.inc, and a commercial marketplace that resells unauthorized access to over 30 LLM providers. Exploited misconfigurations include unsecured Ollama, OpenAI-compatible APIs on port 8000, open MCP servers, and unauthenticated production chatbots. Attackers use Shodan and Censys to discover targets and begin exploitation within hours. The operation monetizes access via Discord and Telegram, accepts cryptocurrency and PayPal, and runs on bulletproof infrastructure in the Netherlands.
Read at Techzine Global
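A defender-side check for the exposures listed above, added here as an example and not taken from the Techzine article or Pillar Security's research: it parses `ss -ltnH` output and flags listeners on the two ports the article names (11434 and 8000) that are bound beyond loopback. The sample output, the function names and the fail-closed handling of unparseable addresses are assumptions of this example.

```python
import ipaddress

# Ports the article names: Ollama's default port and the OpenAI-compatible API port.
WATCHED_PORTS = {11434: "Ollama API", 8000: "OpenAI-compatible API"}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 128 [::]:8000 [::]:*
LISTEN 0 4096 [::1]:11434 [::]:*
LISTEN 0 511 *:443 *:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 192.0.2.10:11434 0.0.0.0:*
"""

def split_local(field):
    """Split the Local Address:Port column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface scope
    return addr, int(port)

def is_loopback(addr):
    if addr == "*":  # wildcard bind: every interface
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed (fail closed)

def find_exposed_listeners(ss_output):
    """Return (address, port, service) for watched ports bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        try:
            addr, port = split_local(cols[3])
        except ValueError:
            continue  # malformed port column
        if port in WATCHED_PORTS and not is_loopback(addr):
            findings.append((addr, port, WATCHED_PORTS[port]))
    return findings

if __name__ == "__main__":
    for addr, port, service in find_exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{service} listening on {addr}:{port} (bound beyond loopback)")
```

On a live Linux host, pass the output of `ss -ltnH` to `find_exposed_listeners`. A flagged listener still needs a firewall and authentication review, since a bind address alone does not show whether the port is reachable from the internet.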