Researchers from Pillar Security have uncovered troubling activities where criminal networks are commandeering and reselling access to exposed AI infrastructure. This new trend, dubbed "llmjacking," involves the exploitation of unprotected large language models (LLMs) and Model Context Protocol (MCP) endpoints, like AI-powered chatbots.
According to the researchers, these threat actors are not only stealing compute resources for unauthorized usage but also reselling access through criminal marketplaces. The scale of these operations is alarming, with their honeypots capturing around 35,000 attack sessions within just a couple of weeks.
One researcher, Ariel Fogel, described the situation as a fully operational business, indicating that a small group—not a nation-state—appears to be behind the campaigns. Their objectives include not just unauthorized use of computational resources but also exfiltrating sensitive data and gaining access to internal systems.
Two specific campaigns have emerged: the first, "Operation Bizarre Bazaar," targets unprotected LLMs, and the second aims at MCP endpoints. The criminals leverage common tools like Shodan and Censys to identify vulnerable targets, exposing weaknesses like unauthenticated API access and unsecured development environments.
Security experts warn that organizations utilizing self-hosted LLM infrastructure, such as Ollama and vLLM, are particularly at risk. Misconfigurations often exploited in these attacks include:
- OpenAI-compatible APIs exposed on standard internet ports.
- Development or staging environments available on the public internet.
- MCP servers lacking adequate access controls.
George Gerchow from Bedrock Data emphasized that the rise in llmjacking reflects a broader trend of attackers treating exposed AI infrastructure as a profitable avenue for crime. He stressed the importance of robust security measures, stating that AI services must be secured with the same diligence as APIs or databases, incorporating strong authentication and monitoring from the outset.
To mitigate these risks, the researchers recommend that organizations:
- Implement authentication on all LLM and MCP endpoints.
- Audit the exposure of MCP servers to ensure they are not directly accessible from the internet.
- Block known malicious IP ranges and reinforce firewall rules.
- Use rate limiting to prevent sudden bursts of exploitation attempts.
- Protect production chatbots with appropriate security controls to thwart misuse.
Despite concerns about AI vulnerabilities, experts stress that abandoning AI is not the answer. Instead, organizations should establish stringent controls and foster an informed AI usage culture among employees. Training on the risks associated with AI, coupled with proactive feedback mechanisms from users, can help ensure safe and beneficial implementations.
For further reading on the subject, refer to the full report on Operation Bizarre Bazaar, which outlines the tactics used by these criminals and additional recommendations for organizations to shore up their defenses.
