
LLMs Hijacked, Monetized in ‘Operation Bizarre Bazaar’

An LLMjacking operation has been targeting exposed LLMs and MCPs at scale, for commercial monetization. The post LLMs Hijacked, Monetized in ‘Operation Bizarre Bazaar’ appeared first on SecurityWeek.

As part of a broad LLMjacking operation, cybercriminals are searching for, hijacking, and monetizing exposed LLM and MCP endpoints at scale, Pillar Security reports.

The campaign, dubbed Operation Bizarre Bazaar, targets exposed or unprotected AI endpoints to hijack system resources, resell API access, exfiltrate data, and move laterally to internal systems.

The attacks mainly impact self-hosted LLM infrastructure, including endpoints with exposed default ports, unauthenticated APIs, development/staging environments, and MCP servers.

“The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities,” Pillar explains.

Operation Bizarre Bazaar involves three interconnected entities: a scanner (bot infrastructure that scours the web for exposed systems), a validator (tied to silver.inc, it validates identified endpoints), and a marketplace (The Unified LLM API Gateway, controlled by silver.inc).

Identified targets are validated by silver.inc through systematic API testing within 2 to 8 hours after the scanning activity. The threat actors were seen enumerating model capabilities and assessing response quality.

The marketplace, the cybersecurity firm says, offers access to over 30 LLMs. It is hosted on bulletproof infrastructure in the Netherlands, and marketed on Discord and Telegram, with payments made via cryptocurrency or PayPal.

Pillar has observed over 35,000 attack sessions associated with the operation, at an average of 972 attacks per day.

“The sustained high-volume activity confirms systematic targeting of exposed AI infrastructure rather than opportunistic scanning,” Pillar notes.

Exploited systems include Ollama instances on port 11434 without authentication, web-exposed OpenAI-compatible APIs on port 8000, exposed MCP servers with no access control, development environments with public IPs, and production chatbots that lack authentication or rate limits.

The operation, the company notes, is run by a threat actor using the moniker Hecker, who is also known as Sakuya and LiveGamer101, and appears linked through infrastructure overlaps with the nexeonai.com service.

“These attackers target the path of least resistance—endpoints with no friction. Even publicly accessible AI services can deter opportunistic abuse through rate limiting, usage caps, and behavioral monitoring. For internal services, the calculus is simpler: if it shouldn’t be public, verify it isn’t—scan your external attack surface regularly,” Pillar notes.
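As an added example (not code from Pillar or SecurityWeek), the following host-side check follows the "if it shouldn't be public, verify it isn't" advice for the two ports named above. It parses `ss -ltn` output and flags listeners on 11434 or 8000 that are not bound to loopback; the sample output is constructed, and labelling port 8000 as an OpenAI-compatible API is an assumption based on the article.

```python
import ipaddress

# Ports named in the article: Ollama's default (11434) and the port reported
# for web-exposed OpenAI-compatible APIs (8000). The labels are assumptions:
# any service can listen on 8000.
WATCHED_PORTS = {11434: "Ollama", 8000: "OpenAI-compatible API"}

# Constructed sample of `ss -ltn` output; not data from the report.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       4096    127.0.0.1:11434      0.0.0.0:*
LISTEN  0       4096    0.0.0.0:8000         0.0.0.0:*
LISTEN  0       128     [::]:11434           [::]:*
LISTEN  0       128     *:22                 *:*
LISTEN  0       511     [::1]:8000           [::]:*
LISTEN  0       4096    10.0.4.17:11434      0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*
"""

def classify_bind(host):
    """Return 'loopback', 'all-interfaces' or 'specific-address'."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if host == "*":
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific-address"

def audit_listeners(ss_output):
    """List (service, local_address, scope) for watched ports not on loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in WATCHED_PORTS:
            continue
        scope = classify_bind(host)
        if scope != "loopback":
            findings.append((WATCHED_PORTS[int(port)], fields[3], scope))
    return findings

if __name__ == "__main__":
    for service, local, scope in audit_listeners(SAMPLE_SS):
        print(f"REVIEW {service}: listening on {local} ({scope})")
```

A flagged listener is not proof of internet exposure: it marks a service that needs a firewall, authentication and rate-limit check before it can be considered private.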

Separately, the company identified a reconnaissance campaign targeting MCP servers, likely operated by a different threat actor with different objectives.

“By late January, 60% of total attack traffic came from MCP-focused reconnaissance operations,” Pillar notes.
