Hackers Hijack Exposed LLM Endpoints in Bizarre Bazaar Operation

The rapid adoption of large language models has outpaced security best practices, leaving many deployments exposed to the public internet. Pillar Security’s investigation of the “Bizarre Bazaar” operation reveals that attackers can locate vulnerable LLM endpoints within minutes using services like Shodan and Censys, then launch automated sessions that harvest compute cycles and model outputs. Over a 40‑day window the researchers observed more than 35,000 intrusion attempts, targeting common misconfigurations such as unauthenticated Ollama ports (11434) and OpenAI‑compatible APIs (8000). This marks one of the first documented, actor‑attributed LLMjacking campaigns.

The financial lure behind hijacked AI services is multifaceted. By siphoning inference power, criminals can fuel cryptocurrency mining operations that consume significant GPU resources, while the resale of API keys on darknet platforms like silver.inc generates direct revenue in crypto or PayPal. Additionally, exfiltrated prompt data often contains proprietary information, giving threat actors leverage for extortion or competitive espionage. Pillar’s supply‑chain model—scanner bots, validation scripts, and a reseller marketplace—demonstrates a mature criminal ecosystem that treats AI infrastructure as a commodity comparable to traditional botnets.

Enterprises must treat LLM endpoints as high‑value assets, enforcing strong authentication, network segmentation, and continuous monitoring. Deployments should be hidden behind zero‑trust gateways, and any public‑facing API must require API keys, rate limiting, and audit logging. Cloud providers are beginning to issue guidance and detection rules for anomalous inference traffic, but the onus remains on organizations to audit staging and development environments that often expose default ports. As AI services become integral to business workflows, the “Bizarre Bazaar” episode serves as a warning that unsecured models will increasingly attract sophisticated, profit‑driven adversaries.