Cyber: Hackers Hijack Exposed LLM Endpoints In Bizarre Bazaar Operation

A malicious campaign is actively targeting exposed LLM (Large Language Model) service endpoints to commercialize unauthorized access to AI infrastructure.

Over a period of 40 days, researchers at Pillar Security recorded more than 35,000 attack sessions on their honeypots, which led to discovering a large-scale cybercrime operation that monetizes and exploits access to exposed or poorly authenticated AI endpoints.

They call the campaign 'Bizarre Bazaar' and highlight that it is one of the first examples of 'LLMjacking' attacks attributed to a specific threat actor.

According to a report shared with BleepingComputer, Bizarre Bazaar involves unauthorized access to weakly protected LLM infrastructure endpoints to:

Common attack vectors include self-hosted LLM setups, exposed or unauthenticated AI APIs, publicly accessible MCP servers, and development or staging AI environments with public IP addresses.

Typically, attackers exploit misconfigurations such as unauthenticated Ollama endpoints on port 11434, OpenAI-compatible APIs on port 8000, and unauthenticated production chatbots.
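For administrators who want to check their own hosts for the bind-address misconfiguration described above, the following is an added example, not code from Pillar Security's report or the original article. It parses `ss -ltnH` output and flags listeners on the two ports the article names when they are bound to anything other than loopback; the sample input is constructed, and the function names are hypothetical.

```python
import ipaddress

# Ports named in the article: Ollama (11434) and OpenAI-compatible APIs (8000).
WATCHED_PORTS = {11434: "Ollama API", 8000: "OpenAI-compatible API"}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 128 [::]:8000 [::]:*
LISTEN 0 128 [::1]:11434 [::]:*
LISTEN 0 511 *:443 *:*
LISTEN 0 4096 10.0.5.12:11434 0.0.0.0:*
"""

def split_local(addr_port):
    """Split ss 'Local Address:Port' into (host, port); assumes numeric ports (-n)."""
    host, _, port = addr_port.rpartition(":")
    host = host.split("%")[0].strip("[]")  # drop %iface scope, then IPv6 brackets
    return host, int(port)

def exposure(host):
    """Classify a bind address as 'loopback', 'all-interfaces' or 'specific'."""
    if host == "*":  # ss prints '*' for a dual-stack wildcard bind
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific"

def audit_listeners(ss_output):
    """Return (host, port, service, exposure) for watched ports not on loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_local(fields[3])
        kind = exposure(host) if port in WATCHED_PORTS else "loopback"
        if kind != "loopback":
            findings.append((host, port, WATCHED_PORTS[port], kind))
    return findings

if __name__ == "__main__":
    for host, port, service, kind in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"REVIEW {host}:{port} ({service}) bound to {kind}: "
              "confirm authentication and firewall rules")
```

A flagged listener is a prompt to review, not proof of exposure: the port number alone does not identify the service, and a non-loopback bind may still sit behind authentication or a firewall.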

The researchers note that the attacks begin within hours of a misconfigured endpoint appearing in Shodan or Censys internet scans.

"The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities," Pillar Security says.

At the beginning of the month, a report from GreyNoise highlighted similar activity, where attackers targeted commercial LLM services, mainly for enumeration.

Pillar Security’s findings indicate a criminal supply chain involving three threat actors who likely work together as part of the same operation.

Source: BleepingComputer