Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation

A malicious campaign is actively targeting exposed LLM (Large Language Model) service endpoints to commercialize unauthorized access to AI infrastructure.

Over a period of 40 days, researchers at Pillar Security recorded more than 35,000 attack sessions on their honeypots, which led to discovering a large-scale cybercrime operation that monetizes and exploits access to exposed or poorly authenticated AI endpoints.

They call the campaign ‘Bizarre Bazaar’ and highlight that it is one of the first examples of ‘LLMjacking’ attacks attributed to a specific threat actor.

According to a report shared with BleepingComputer, Bizarre Bazaar involves unauthorized access to weakly protected LLM infrastructure endpoints to:

  • Steal computing resources for cryptocurrency mining
  • Resell API access on darknet markets
  • Exfiltrate data from prompts and conversation history
  • Attempt to pivot into internal systems via Model Context Protocol (MCP) servers

Common attack vectors include self-hosted LLM setups, exposed or unauthenticated AI APIs, publicly accessible MCP servers, and development or staging AI environments with public IP addresses.

Typically, attackers exploit misconfigurations such as unauthenticated Ollama endpoints on port 11434, OpenAI-compatible APIs on port 8000, and unauthenticated production chatbots.

The researchers note that the attacks begin within hours of a misconfigured endpoint appearing in Shodan or Censys internet scans.
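As an added example (not taken from Pillar Security's report or from BleepingComputer), a defender can check whether a host is listening on the ports named above on anything other than loopback. The code parses `ss -ltnH` output; the sample listing is constructed, and the port-to-service labels are assumptions based only on the article's port list.

```python
import ipaddress
import sys

# Ports named in the article; a listener on 8000 is not necessarily an LLM API.
LLM_PORTS = {11434: "Ollama API", 8000: "OpenAI-compatible API"}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 4096 [::]:11434 [::]:*
LISTEN 0 128 *:22 *:*
LISTEN 0 4096 10.0.0.5:8000 0.0.0.0:*
"""

def classify_bind(host):
    """Classify a bind address as loopback, all-interfaces or single-interface."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if host == "*":
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "single-interface"

def audit_listeners(ss_output):
    """Return (port, label, bind address, scope) for LLM ports reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in LLM_PORTS:
            continue
        scope = classify_bind(host)
        if scope != "loopback":
            findings.append((int(port), LLM_PORTS[int(port)], host, scope))
    return findings

if __name__ == "__main__":
    # Pipe real `ss -ltnH` output in, or run with no input to see the sample.
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for port, label, host, scope in audit_listeners(text):
        print(f"port {port} ({label}) bound to {host}: {scope}")
```

A finding means the port is reachable from off the host, not that it is unauthenticated; whether authentication or a fronting proxy is in place has to be confirmed separately.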

“The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities,” Pillar Security says.

At the beginning of the month, a report from GreyNoise highlighted similar activity, where attackers targeted commercial LLM services, mainly for enumeration.

Pillar Security’s findings indicate a criminal supply chain involving three threat actors who likely work together as part of the same operation.

The first one uses bots to systematically scan the internet for LLM and MCP endpoints. The second validates the findings and tests access. The third operates a commercial service at ‘silver[.]inc’, marketed on Telegram and Discord, that resells access in exchange for cryptocurrency or PayPal payments.

SilverInc promotes a project called NeXeonAI, which is advertised as a “unified AI infrastructure” that provides access to more than 50 AI models from leading providers.

Operation Bizarre Bazaar stages
source: Pillar Security

The researchers have also attributed the operation to a specific threat actor using the aliases “Hecker,” “Sakuya,” and “LiveGamer101.”

Pillar Security reports that, while Bizarre Bazaar focuses on LLM API abuse, they track a separate campaign that focuses on MCP endpoint reconnaissance.

This targeting gives more opportunities for lateral movement via Kubernetes interactions, cloud service access, and shell command execution, which are often more valuable than resource-consumption-based monetization tactics.

This second campaign has not been linked to Bizarre Bazaar, although a connection may exist.

As of writing, the campaign is ongoing, and the SilverInc service continues to be operational. BleepingComputer has contacted the platform for a comment about Pillar’s findings, but we had not heard back by publication time.
