Original Article Text

Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation.

A malicious campaign is actively targeting exposed LLM (Large Language Model) service endpoints to commercialize unauthorized access to AI infrastructure.

Over a period of 40 days, researchers at Pillar Security recorded more than 35,000 attack sessions on their honeypots, which led to discovering a large-scale cybercrime operation that monetizes and exploits access to exposed or poorly authenticated AI endpoints.

They call the campaign 'Bizarre Bazaar' and highlight that it is one of the first examples of ‘LLMjacking’ attacks attributed to a specific threat actor.

In a report shared with BleepingComputer, Bizarre Bazaar involves unauthorized access to weakly protected LLM infrastructure endpoints to:

Common attack vectors include self-hosted LLM setups, exposed or unauthenticated AI APIs, publicly accessible MCP servers, and development or staging AI environments with public IP addresses.

Typically, attackers exploit misconfigurations such as unauthenticated Ollama endpoints on port 11434, OpenAI-compatible APIs on port 8000, and unauthenticated production chatbots.

The researchers note that the attacks begin within hours of a misconfigured endpoint appearing in Shodan or Censys internet scans.

"The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities," Pillar Security says.

At the beginning of the month, a report from GreyNoise highlighted similar activity, where attackers targeted commercial LLM services, mainly for enumeration.

Pillar Security’s findings indicate a criminal supply chain involving three threat actors who likely work together as part of the same operation. The first one uses bots to systematically scan the internet for LLM and MCP endpoints. The second validates the findings and tests access. The third operates a commercial service at ‘silver[.]inc’ marketed on Telegram and Discord, that resells access in exchange for cryptocurrency or PayPal payments.

SilverInc promotes a project called NeXeonAI, which is advertised as a "unified AI infrastructure" that provides access to more than 50 AI models from leading providers.

The researchers have also attributed the operation to a specific threat actor using the aliases “Hecker,” “Sakuya,” and “LiveGamer101.”

Pillar Security reports that, while Bizarre Bazaar focuses on LLM API abuse, they track a separate campaign that focuses on MCP endpoint reconnaissance. This targeting gives more opportunities for lateral movement via Kubernetes interactions, cloud service access, and shell command execution, which are often more valuable than resource-consumption-based monetization tactics. This second campaign has not been linked to Bizarre Bazaar, although a connection may exist.

As of writing, the campaign is ongoing, and the SilverInc service continues to be operational. BleepingComputer has contacted the platform for a comment about Pillar’s findings, but we have not heard back by publication time.
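
A local check for the misconfiguration the article describes, added here as an example (it is not from Pillar Security or BleepingComputer): it reads the output of `ss -ltnH` on a Linux host and flags listeners on ports 11434 and 8000 that are bound beyond loopback. The sample output and function names are constructed for illustration, and a hit only means the socket accepts non-local connections; authentication and firewalling still have to be checked separately.

```python
import ipaddress

# Ports named in the article. Port 8000 is shared with many other services,
# so a finding there is a prompt to look, not proof of an LLM API.
LLM_PORTS = {11434: "Ollama", 8000: "OpenAI-compatible API"}

# Constructed sample of `ss -ltnH` output (listening TCP sockets, no header).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 [::]:11434 [::]:*
LISTEN 0 4096 [::1]:8000 [::]:*
LISTEN 0 4096 *:11434 *:*
LISTEN 0 4096 10.0.0.5%eth0:8000 0.0.0.0:*
"""

def split_local(addr):
    """Split the 'Local Address:Port' column into (host, port)."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return host, int(port)

def is_loopback(host):
    if host == "*":  # ss prints * for a dual-stack wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_llm_listeners(ss_output):
    """Return (service, host, port) for LLM ports bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        if port in LLM_PORTS and not is_loopback(host):
            findings.append((LLM_PORTS[port], host, port))
    return findings

if __name__ == "__main__":
    for service, host, port in exposed_llm_listeners(SAMPLE_SS):
        print(f"{service} port {port} is bound to {host}, not loopback")
```

On a real host, pass the text captured from `ss -ltnH` instead of the sample.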

Daily Brief Summary

CYBERCRIME // Bizarre Bazaar Campaign Exploits Exposed AI Infrastructure Endpoints

Pillar Security identified a cybercrime operation, Bizarre Bazaar, targeting exposed LLM service endpoints, marking a new trend in AI infrastructure exploitation.

Over 35,000 attack sessions were recorded in 40 days, revealing a large-scale operation monetizing unauthorized access to AI endpoints.

Attackers exploit misconfigurations in self-hosted LLM setups, unauthenticated APIs, and publicly accessible development environments, often detected via internet scans.

The campaign involves a criminal supply chain with three threat actors scanning, validating, and commercializing access through the platform SilverInc.

Compromised LLM endpoints pose risks such as high operational costs, data exposure, and potential for lateral movement within networks.

The operation is linked to aliases “Hecker,” “Sakuya,” and “LiveGamer101,” and involves selling access to AI models for cryptocurrency or PayPal.

A separate campaign targeting MCP endpoints for lateral movement opportunities is noted, though not directly linked to Bizarre Bazaar.

As the campaign continues, organizations are urged to secure AI infrastructure to prevent exploitation and potential financial and data losses.