LLM Hijackers Gained Access to DeepSeek-V3 With Stolen Credentials the Day After Its Release


Since the release of DeepSeek-V3 on December 25, 2024, LLMjacking attacks have increased significantly.

Within a day of its launch, attackers had wired the model into OpenAI Reverse Proxy (ORP) deployments that run on stolen API credentials, reselling the unauthorized access for profit.

This rapid exploitation highlights the evolving sophistication of attackers targeting Large Language Models (LLMs).


LLMjacking refers to the illicit use of LLMs through compromised credentials. First identified by the Sysdig Threat Research Team (TRT), this attack vector has rapidly evolved. 

Cybercriminals target cloud-hosted LLM services such as OpenAI, AWS, and Azure because legitimate usage is expensive: bills can exceed hundreds of thousands of dollars a month.

By stealing credentials, attackers bypass these costs while transferring the financial burden to the victims.

DeepSeek-V3: A New Target for LLMjacking

DeepSeek-V3, an advanced AI model released by China-based DeepSeek, became an immediate target for cybercriminals. 

Attackers integrated the model into ORP instances hosted on platforms like HuggingFace within days of its release. 

Researchers from Sysdig observed that DeepSeek-R1, a reasoning model launched on January 20, 2025, was similarly exploited within 24 hours.

ORPs are reverse proxy servers that sit between the proxy's customers and the LLM providers: every request reaches the provider from the proxy rather than from the end user, and operators hide the proxy's own location behind Nginx front ends or TryCloudflare tunnels.

Each proxy is loaded with stolen API keys from multiple providers, including OpenAI and DeepSeek. For example, one ORP instance was found holding 55 stolen DeepSeek API keys.

Credential theft
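The article does not say how the keys loaded into these proxies were stolen, but one check a practitioner can run regardless is whether their own provider keys sit in files about to be committed or shared. The scanner below is an added example, not code from the article or from Sysdig: the key shapes are assumptions based on publicly visible prefixes (not vendor specifications), the entropy cut-off is an assumed heuristic, and the settings file it scans is constructed for the demonstration.

```python
"""Scan text for leaked LLM and cloud API keys before it reaches a public repo.

Added example, not code from the article or from Sysdig. The key shapes below
are assumptions based on publicly visible prefixes (not vendor specifications);
tune them for the providers you actually use.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Assumed key shapes. More specific prefixes come first so that an Anthropic
# key is not also reported as a generic "sk-" key.
KEY_PATTERNS = {
    "anthropic": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}\b"),
    "openai_or_deepseek": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "huggingface": re.compile(r"\bhf_[A-Za-z0-9]{20,}\b"),
}

# Strings that mark documentation samples rather than live secrets.
PLACEHOLDER_MARKERS = ("EXAMPLE", "xxxx", "XXXX", "REPLACE", "your")
MIN_ENTROPY_BITS = 3.5  # assumed cut-off: real keys are random, placeholders are not


@dataclass(frozen=True)
class Finding:
    kind: str
    line: int
    redacted: str  # enough to locate the key, never the key itself


def shannon_entropy(s: str) -> float:
    """Bits per character; a random alphanumeric key scores well above 3.5."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_placeholder(token: str) -> bool:
    """Skip obvious samples (AKIAIOSFODNN7EXAMPLE, sk-xxxx...) and low-entropy junk."""
    if any(marker in token for marker in PLACEHOLDER_MARKERS):
        return True
    return shannon_entropy(token) < MIN_ENTROPY_BITS


def redact(token: str) -> str:
    return f"{token[:7]}...({len(token)} chars)"


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per live-looking key, ordered by line number."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        taken: list[tuple[int, int]] = []  # spans already attributed to a pattern
        for kind, pattern in KEY_PATTERNS.items():
            for m in pattern.finditer(line):
                start, end = m.span()
                if any(s < end and start < e for s, e in taken):
                    continue  # already reported under a more specific pattern
                token = m.group(0)
                if looks_like_placeholder(token):
                    continue
                taken.append((start, end))
                findings.append(Finding(kind, lineno, redact(token)))
    return findings


# Constructed sample: a settings file about to be committed. None of these
# values are real credentials.
SAMPLE_TEXT = """\
# constructed sample settings file
OPENAI_API_KEY=sk-proj-Q7mT2xLp9VbNc4RwZ8yHj3KdF6sGe1AaU5o
DEEPSEEK_API_KEY=sk-4f8e2c1a9b7d3e6f0a5c8b2d1e9f7a3c
ANTHROPIC_API_KEY=sk-ant-api03-Zx9Kq2Lm8Rt4Vw7Yb3Nc6Jh1Pd5Fg0Sa
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
TEST_KEY=sk-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
HF_TOKEN=hf_Tq8zRb2mKx7LpWc4Yn9dJs1VfHg6Ea3Bu0
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f.line}: {f.kind} {f.redacted}")
```

Wired into a pre-commit hook, a scanner like this catches the cheapest source of ORP inventory: keys pasted into config files. It reports the four live-looking keys in the sample and skips the AWS documentation key and the `sk-xxxx` placeholder. Treat any hit as already compromised: rotate the key, do not just delete the line.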

Monetization and Operational Security

The rise of LLMjacking has given birth to a black market where access to stolen LLM accounts is sold. For instance, some ORPs offer 30-day access tokens for as little as $30. 

These proxies are advertised on 4chan and Discord, with access details often shared through Rentry.co pastes.

To evade detection, ORP operators employ various obfuscation techniques:

  • Dynamic domains: Temporary URLs generated via TryCloudflare tunnels.
  • Password protection: Restricting proxy access to authenticated users.
  • Logging modifications: Disabling prompt logging so that the proxy's customers leave no record of what they asked.
  • CSS obfuscation: Hiding the proxy's landing page with CSS so it is unreadable unless the visitor changes specific settings.

The financial toll of LLMjacking is staggering. In one observed case, an ORP using stolen credentials generated nearly $50,000 in costs within just 4.5 days. 

The most expensive model exploited was Claude 3 Opus, which accounted for $38,951.55 in usage costs due to its high token consumption. Tokens, the units of text an LLM processes, are the metric on which usage is billed, so a model with a high per-token price run at volume produces the largest bills.

DeepSeek models have also been found vulnerable to jailbreaking techniques, such as “Crescendo” and “Deceptive Delight,” which bypass safety mechanisms to generate malicious outputs like malware scripts or social engineering tools. These vulnerabilities further amplify the risks associated with compromised LLMs.

Defensive Measures

To combat LLMjacking, organizations must adopt robust security practices:

  • Secure API keys: Use secrets management tools like AWS Secrets Manager or Azure Key Vault.
  • Monitor account behavior: Employ tools like Sysdig Secure to detect anomalies.
  • Rotate credentials regularly: Automate key rotation processes.
  • Implement least privilege access: Scope keys and roles to the models and operations a workload actually needs, so a stolen key cannot be pointed at the most expensive model.
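The "monitor account behavior" item and the earlier point that billing is per token can be turned into concrete detection logic. The script below is an added example, not the article's or Sysdig's code and not a Sysdig Secure rule: it parses a constructed per-request usage log, prices each request from an assumed per-million-token table, learns each key's normal source IPs and hourly spend from a 24-hour baseline, and alerts on any later hour that shows a source IP the key has never used or spend well above baseline. The log format, price table, thresholds and sample records are all assumptions.

```python
"""Flag API keys whose usage pattern looks like LLMjacking.

Added example, not code from the article or from Sysdig. The log format,
the price table and the thresholds are assumptions; adapt them to what
your provider or API gateway actually logs.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative USD prices per million input / output tokens (assumed).
PRICE_PER_MTOK = {
    "claude-3-opus": (15.0, 75.0),
    "gpt-4o": (2.5, 10.0),
    "deepseek-chat": (0.14, 0.28),
}


def estimate_cost(model: str, input_tokens: int, output_tokens: int) -> float:
    """Usage is billed per token: tokens / 1M x price, per direction."""
    p_in, p_out = PRICE_PER_MTOK.get(model, (0.0, 0.0))
    return input_tokens / 1e6 * p_in + output_tokens / 1e6 * p_out


def parse_log(lines):
    """One JSON object per line (constructed format); adds a cost field."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        r = json.loads(line)
        r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        r["cost"] = estimate_cost(r["model"], r["input_tokens"], r["output_tokens"])
        records.append(r)
    return records


def detect_llmjacking(records, baseline_hours=24, spend_multiplier=5.0, min_alert_usd=50.0):
    """Per key: learn source IPs and mean hourly spend from the first
    `baseline_hours`, then alert on any later hour with an unseen source IP or
    spend above max(spend_multiplier x baseline, min_alert_usd). The absolute
    floor stops a near-idle key from alerting on every tiny uptick."""
    by_key = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_key[r["key_id"]].append(r)

    alerts = []
    for key_id, recs in by_key.items():
        cutoff = recs[0]["ts"] + timedelta(hours=baseline_hours)
        baseline = [r for r in recs if r["ts"] < cutoff]
        known_ips = {r["src_ip"] for r in baseline}
        hourly_baseline = sum(r["cost"] for r in baseline) / baseline_hours
        threshold = max(spend_multiplier * hourly_baseline, min_alert_usd)

        spend = defaultdict(float)
        new_ips = defaultdict(set)
        for r in recs:
            if r["ts"] < cutoff:
                continue
            hour = r["ts"].replace(minute=0, second=0, microsecond=0)
            spend[hour] += r["cost"]
            if r["src_ip"] not in known_ips:
                new_ips[hour].add(r["src_ip"])

        for hour in sorted(spend):
            reasons = []
            if new_ips[hour]:
                reasons.append(f"new source IP(s): {sorted(new_ips[hour])}")
            if spend[hour] > threshold:
                reasons.append(f"spend ${spend[hour]:.2f} > threshold ${threshold:.2f}")
            if reasons:
                alerts.append({"key_id": key_id, "hour": hour.isoformat(),
                               "spend_usd": round(spend[hour], 2), "reasons": reasons})
    return alerts


# Constructed sample log: key-A is quiet for a day, then an ORP starts using it
# from two unfamiliar addresses against the most expensive models; key-B is normal.
SAMPLE_LOG = """\
{"ts":"2025-01-01T09:00:00Z","key_id":"key-A","model":"deepseek-chat","src_ip":"10.0.0.5","input_tokens":2000,"output_tokens":800}
{"ts":"2025-01-01T14:00:00Z","key_id":"key-A","model":"deepseek-chat","src_ip":"10.0.0.5","input_tokens":3000,"output_tokens":1200}
{"ts":"2025-01-02T10:00:00Z","key_id":"key-A","model":"deepseek-chat","src_ip":"10.0.0.5","input_tokens":2500,"output_tokens":900}
{"ts":"2025-01-02T11:05:00Z","key_id":"key-A","model":"claude-3-opus","src_ip":"198.51.100.77","input_tokens":1500000,"output_tokens":400000}
{"ts":"2025-01-02T11:40:00Z","key_id":"key-A","model":"gpt-4o","src_ip":"203.0.113.9","input_tokens":900000,"output_tokens":300000}
{"ts":"2025-01-01T09:30:00Z","key_id":"key-B","model":"deepseek-chat","src_ip":"10.0.0.8","input_tokens":1000,"output_tokens":500}
{"ts":"2025-01-02T09:30:00Z","key_id":"key-B","model":"deepseek-chat","src_ip":"10.0.0.8","input_tokens":1200,"output_tokens":600}
"""

if __name__ == "__main__":
    for alert in detect_llmjacking(parse_log(SAMPLE_LOG.splitlines())):
        print(json.dumps(alert))
```

On the sample, key-A raises one alert for the 11:00 hour on January 2 (two never-seen source IPs and about $58 of Claude 3 Opus and GPT-4o usage against a baseline of fractions of a cent), while key-B stays silent. The two signals are deliberately independent: a proxy operator who tunnels through an address the key already used still trips the spend check, and a cautious one who keeps spend under the floor still trips the new-IP check. Feed the alert into the rotation step above rather than a dashboard; the $50,000-in-4.5-days case shows how little time a manual review cycle leaves.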

The rapid exploitation of DeepSeek-V3 underscores the urgency for stronger protections against LLMjacking. 

As attackers continue to refine their methods and expand their targets, organizations must prioritize securing their AI assets and cloud environments. The risks are high in terms of financial losses, potential data breaches, and misuse of advanced AI capabilities.



