LLMjacking Attacks Exploiting Misconfigured Proxies to Steal Paid LLM Access
Threat actors are actively exploiting misconfigured proxy servers to gain unauthorized access to paid Large Language Model (LLM) services, including those from OpenAI, Google Gemini, Anthropic, Meta, and others. These attacks, referred to as "LLMjacking," involve advanced enumeration techniques, server-side request forgery (SSRF), and the use of custom scripts to identify and hijack exposed LLM endpoints. The attackers leverage distributed virtual private server (VPS) infrastructure and sophisticated operational security measures, indicating a well-resourced and coordinated campaign. Stolen access to these commercial AI endpoints is being monetized on underground forums, highlighting the financial motivation and the growing underground market for compromised LLM credentials.
Recent threat intelligence and incident reports confirm that this campaign has been ongoing since late 2025, with systematic, low-noise probing of enterprise AI infrastructure. Security researchers have observed attackers actively attempting to access various LLM pathways, including through honeypots set up for OpenAI, Gemini, and Claude endpoints. While there is no direct attribution to known APT groups, the technical sophistication and scale of the operation suggest involvement by organized cybercriminals or advanced grey-hat operators. Organizations are urged to review and secure their proxy configurations and monitor for unusual access patterns to prevent unauthorized use of their paid AI services.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly confirm threat-actor targeting of AI systems
On 2026-01-11, public reporting from DefusedCyber, GrayNoise, and follow-on analysis described the activity as the first publicly confirmed case of a threat actor actively targeting AI/LLM systems. The reports framed the campaign as a new enterprise risk, warning that exposed AI services and misconfigured proxies were being actively discovered for abuse and monetization.
11-day LLMjacking reconnaissance campaign generates 80,000+ sessions
Over the following 11 days, the campaign produced more than 80,000 sessions while probing 73+ distinct LLM endpoints, using low-noise automation, SSRF validation, and out-of-band callback infrastructure to identify exploitable systems. Reporting describes the operation as professional reconnaissance tied to infrastructure previously associated with exploitation of known CVEs and React2Shell attempts.
Threat actor begins probing exposed LLM endpoints
GrayNoise telemetry indicates that on 2025-12-28, attacker infrastructure began methodically probing exposed AI/LLM endpoints to find misconfigured proxy servers that could leak access to commercial model APIs. The activity targeted multiple API formats and major model families across vendors including OpenAI, Google Gemini, Anthropic, Meta, Mistral, Alibaba, and xAI.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
LLMjacking: How Hackers Exploit Misconfigured Proxies to Steal Access to Paid LLM Services Like OpenAI, Google Gemini, Anthropic, Meta, and More
rescana.com
Open sourceFirst Publicly Confirmed Threat Actor Targeting AI Systems
mbgsec.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Criminal Abuse of Exposed LLM Infrastructure and GenAI-Enabled Phishing Techniques
Security researchers reported escalating **criminal abuse of large language model (LLM) infrastructure**, including active exploitation of exposed or weakly authenticated AI service endpoints. Pillar Security documented more than **35,000 attack sessions** over ~40 days against honeypots and attributed the activity to an operation dubbed **“Bizarre Bazaar,”** described as an early example of actor-attributed “**LLMjacking**.” The activity targeted misconfigured/self-hosted deployments and AI APIs (including **unauthenticated Ollama endpoints on `11434`** and **OpenAI-compatible APIs on `8000`**), with attackers moving quickly once endpoints appeared in internet-wide scanners such as Shodan/Censys. Reported objectives included **stealing compute** (e.g., crypto mining), **reselling illicit API access** on underground markets, **exfiltrating prompt/conversation data**, and attempting **pivoting into internal systems** via publicly accessible **Model Context Protocol (MCP) servers**. Separately, Palo Alto Networks **Unit 42** described a proof-of-concept phishing technique where a benign-looking page calls a legitimate LLM API to generate **per-victim JavaScript** in real time, assembling a **personalized phishing site** in the browser to reduce the presence of static indicators and evade traditional detections; researchers noted similar building blocks are already being used for obfuscated JavaScript and malware-related activity.
Mar 21, 2026
Security Risks and Attacks Targeting Large Language Model (LLM) Services and AI Integration Protocols
Attackers have increasingly targeted exposed large language model (LLM) services and the protocols that enable their integration, such as the Model Context Protocol (MCP). GreyNoise researchers observed nearly 100,000 attack sessions against public LLM endpoints, with campaigns probing for misconfigured proxies and server-side request forgery vulnerabilities to map the expanding AI attack surface. These attacks, which included methodical enumeration of OpenAI-compatible and Google Gemini endpoints, highlight the growing risk as enterprises move LLM deployments from experimental to production environments. Security experts warn that such enumeration efforts are likely precursors to more serious exploitation, emphasizing the need for organizations to secure exposed LLM endpoints and monitor for abnormal access patterns. The Model Context Protocol (MCP), designed to facilitate seamless integration between LLMs and external tools, has also been identified as a double-edged sword. While MCP enables powerful automation and workflow enhancements, it extends the attack surface by embedding trust in external products and services, making it susceptible to exploitation by adversaries who manipulate context layers and metadata. Security leaders, such as Block's CISO, stress the importance of applying least-privilege principles and rigorous red-teaming to AI agents and integration protocols, recognizing that both human and machine actors can introduce significant risks. As LLMs and AI agents become ubiquitous in enterprise environments, organizations must adapt their security frameworks to address these novel attack vectors and integration challenges.
Mar 21, 2026Attackers Abuse AI Services and Exposed LLM Infrastructure for Intrusions and Compute Theft
Researchers and vendors reported a sharp rise in attacks targeting AI infrastructure, from exposed self-hosted LLM servers to commercial coding assistants used in real intrusions. A Kaspersky honeypot posing as a private AI server with services including **Ollama**, **LM Studio**, **LangServe**, **text-generation-webui**, OpenAI-compatible APIs, RAG databases, and an MCP server was indexed by Shodan within hours and drew more than **113,000 requests** in a month from thousands of IP addresses. Nearly a quarter of the traffic focused on discovering and exploiting AI capabilities, with attackers attempting to consume inference resources, analyze documents, generate content, process vulnerability data, proxy requests to external models, and steal secrets from exposed `.env` files using tooling such as **LLM-Scanner**. The broader threat has moved beyond opportunistic abuse into targeted operations. Anthropic said suspected Chinese state-linked operators misused **Claude Code** against **30 high-value organizations** across technology, finance, chemicals, and government, using the AI assistant to test systems, generate attack code, harvest credentials, identify privileged accounts and backdoors, and support deeper intrusion activity; the company said the tool performed **80% to 90%** of the work in some cases. Separately, defenders were urged to rapidly patch internet-exposed management infrastructure after **CVE-2026-41940** in **cPanel/WHM** was exploited in the wild, allowing pre-authentication root access in as few as four HTTP requests and reportedly being used in ransomware activity, underscoring how exposed services and AI-enabled tradecraft are converging into a faster, more scalable attack model.
May 25, 2026