Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to threat actors

Hecker

Also known ashecker

Hecker is a threat actor attributed by Pillar Security to an active LLMjacking operation dubbed “Bizarre Bazaar” / “Operation Bizarre Bazaar,” targeting exposed or weakly authenticated self-hosted LLM service endpoints. Hecker is also known as Sakuya and LiveGamer101. The campaign scans the internet for unauthenticated Ollama endpoints (commonly port 11434), vLLM servers, and OpenAI-compatible APIs (commonly port 8000), rapidly identifying new exposed endpoints (often within hours of appearing in Shodan/Censys). Activity includes validating endpoint access/response quality, monetizing stolen AI compute (including cryptocurrency mining), reselling unauthorized LLM API access via a resale service advertised as silver[.]inc (a “Unified LLM API Gateway”) and promoted on Telegram/Discord, and attempting to exfiltrate prompt/conversation data. Pillar also reported attempts to pivot internally via Model Context Protocol (MCP) servers. Pillar assessed a three-actor criminal supply chain (scanner, validator, reseller) supporting the operation, with resale infrastructure tied to silver[.]inc and a promoted project called “NeXeonAI.” The campaign was reported as ongoing at time of publication, with SilverInc remaining operational.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics3 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1190
Exploit Public-Facing Application
TA0009
Collection
1 technique
T1213
Data from Information Repositories
TA0040
Impact
1 technique
T1496
Resource Hijacking
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
risky biz rssNews
Jan 29, 2026
eScan antivirus distributes backdoor in latest supply chain attack

Linked to scanning for misconfigured LLM servers and selling access to their compute on marketplaces ("Operation Bizarre Bazaar").

Read more
the hacker newsNews
Jan 29, 2026
Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries

Attributed operator behind an LLMjacking monetization scheme ("Operation Bizarre Bazaar") that scans for exposed Ollama/vLLM/OpenAI-compatible LLM endpoints lacking authentication, validates access, and resells discounted access via a marketplace/gateway (silver[.]inc).

Read more
bleeping computerNews
Jan 28, 2026
Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation

Named threat actor attributed by Pillar Security to the broader operation involving unauthorized access and monetization of exposed LLM infrastructure (including resale of access and abuse of misconfigured endpoints).

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.