Criminal Abuse of Exposed LLM Infrastructure and GenAI-Enabled Phishing Techniques
Security researchers reported escalating criminal abuse of large language model (LLM) infrastructure, including active exploitation of exposed or weakly authenticated AI service endpoints. Pillar Security documented more than 35,000 attack sessions over ~40 days against honeypots and attributed the activity to an operation dubbed “Bizarre Bazaar,” described as an early example of actor-attributed “LLMjacking.” The activity targeted misconfigured/self-hosted deployments and AI APIs (including unauthenticated Ollama endpoints on 11434 and OpenAI-compatible APIs on 8000), with attackers moving quickly once endpoints appeared in internet-wide scanners such as Shodan/Censys.
Reported objectives included stealing compute (e.g., crypto mining), reselling illicit API access on underground markets, exfiltrating prompt/conversation data, and attempting pivoting into internal systems via publicly accessible Model Context Protocol (MCP) servers. Separately, Palo Alto Networks Unit 42 described a proof-of-concept phishing technique where a benign-looking page calls a legitimate LLM API to generate per-victim JavaScript in real time, assembling a personalized phishing site in the browser to reduce the presence of static indicators and evade traditional detections; researchers noted similar building blocks are already being used for obfuscated JavaScript and malware-related activity.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
SentinelOne and Censys identify 175,000 exposed Ollama servers worldwide
A joint investigation by SentinelOne SentinelLABS and Censys found about 175,000 publicly exposed Ollama hosts across 130 countries. Researchers warned that many lacked authentication, nearly half advertised tool-calling capabilities, and some used uncensored prompt templates, creating significant risk of abuse including LLMjacking.
Researchers link Bizarre Bazaar to specific aliases and resale infrastructure
Pillar Security assessed Bizarre Bazaar as a three-actor criminal supply chain and linked the activity to the aliases Hecker, Sakuya, and LiveGamer101. The campaign's resale infrastructure was tied to silver[.]inc and a promoted project called NeXeonAI, while the service remained operational at the time of reporting.
Pillar Security observes large-scale 'Bizarre Bazaar' LLMjacking campaign
Pillar Security reported an active campaign dubbed 'Bizarre Bazaar' targeting exposed or weakly authenticated LLM endpoints, with more than 35,000 attack sessions observed over a 40-day period. The operation abused misconfigured self-hosted LLM services to steal compute, resell API access, exfiltrate prompt data, and probe for internal pivoting opportunities via MCP servers.
Unit 42 describes GenAI-powered dynamic phishing website proof of concept
Palo Alto Networks Unit 42 warned that generative AI could be used to build highly personalized phishing pages on the fly. In the proof-of-concept, a benign-looking page calls a legitimate LLM API to generate victim-specific JavaScript that assembles the phishing content in the browser, reducing static artifacts that defenders typically detect.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries
thehackernews.com
Open source‘Bizarre Bazaar’ campaign exploits exposed LLM endpoints | SC Media
scworld.com
Open sourceHackers hijack exposed LLM endpoints in Bizarre Bazaar operation
bleepingcomputer.com
Open sourceGenAI could power dynamic, personalized phishing websites, Unit 42 warns | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LLMjacking Attacks Exploiting Misconfigured Proxies to Steal Paid LLM Access
Threat actors are actively exploiting misconfigured proxy servers to gain unauthorized access to paid Large Language Model (LLM) services, including those from OpenAI, Google Gemini, Anthropic, Meta, and others. These attacks, referred to as "LLMjacking," involve advanced enumeration techniques, server-side request forgery (SSRF), and the use of custom scripts to identify and hijack exposed LLM endpoints. The attackers leverage distributed virtual private server (VPS) infrastructure and sophisticated operational security measures, indicating a well-resourced and coordinated campaign. Stolen access to these commercial AI endpoints is being monetized on underground forums, highlighting the financial motivation and the growing underground market for compromised LLM credentials. Recent threat intelligence and incident reports confirm that this campaign has been ongoing since late 2025, with systematic, low-noise probing of enterprise AI infrastructure. Security researchers have observed attackers actively attempting to access various LLM pathways, including through honeypots set up for OpenAI, Gemini, and Claude endpoints. While there is no direct attribution to known APT groups, the technical sophistication and scale of the operation suggest involvement by organized cybercriminals or advanced grey-hat operators. Organizations are urged to review and secure their proxy configurations and monitor for unusual access patterns to prevent unauthorized use of their paid AI services.
Mar 21, 2026Attackers Abuse AI Services and Exposed LLM Infrastructure for Intrusions and Compute Theft
Researchers and vendors reported a sharp rise in attacks targeting AI infrastructure, from exposed self-hosted LLM servers to commercial coding assistants used in real intrusions. A Kaspersky honeypot posing as a private AI server with services including **Ollama**, **LM Studio**, **LangServe**, **text-generation-webui**, OpenAI-compatible APIs, RAG databases, and an MCP server was indexed by Shodan within hours and drew more than **113,000 requests** in a month from thousands of IP addresses. Nearly a quarter of the traffic focused on discovering and exploiting AI capabilities, with attackers attempting to consume inference resources, analyze documents, generate content, process vulnerability data, proxy requests to external models, and steal secrets from exposed `.env` files using tooling such as **LLM-Scanner**. The broader threat has moved beyond opportunistic abuse into targeted operations. Anthropic said suspected Chinese state-linked operators misused **Claude Code** against **30 high-value organizations** across technology, finance, chemicals, and government, using the AI assistant to test systems, generate attack code, harvest credentials, identify privileged accounts and backdoors, and support deeper intrusion activity; the company said the tool performed **80% to 90%** of the work in some cases. Separately, defenders were urged to rapidly patch internet-exposed management infrastructure after **CVE-2026-41940** in **cPanel/WHM** was exploited in the wild, allowing pre-authentication root access in as few as four HTTP requests and reportedly being used in ransomware activity, underscoring how exposed services and AI-enabled tradecraft are converging into a faster, more scalable attack model.
May 25, 2026
Malicious Use of AI and LLMs for Evasion and C2 in Cyberattacks
Cybercriminals are increasingly leveraging large language models (LLMs) and AI-driven techniques to enhance their attack capabilities and evade detection. Recent research highlights the operationalization of LLM-in-the-loop tradecraft, where malware dynamically generates host-specific PowerShell commands for reconnaissance and data collection, frequently rewriting itself to bypass static and machine learning-based security detections. Attackers are also exploiting stolen API keys and enterprise AI connectors to establish covert command-and-control (C2) channels, disguising malicious activity as legitimate AI traffic. These tactics are being used to target critical infrastructure, with a focus on IT systems that can impact operational technology environments through identity abuse, weak segmentation, and ransomware attacks. In parallel, threat actors are attempting to manipulate AI-based security tools directly. A malicious npm package, `eslint-plugin-unicorn-ts-2`, was discovered embedding a prompt intended to influence the decision-making of AI-driven scanners, while also exfiltrating sensitive environment variables via a post-install script. This approach signals a new trend where attackers not only evade traditional detection but also actively seek to undermine the effectiveness of AI-powered defenses. The emergence of underground markets for malicious LLMs further underscores the growing sophistication and commercialization of AI-enabled cybercrime.
Mar 21, 2026