Operation Bizarre Bazaar: First Attributed LLMjacking Campaign with Commercial Marketplace Monetization

Pillar Security Research captures 35,000 attack sessions, revealing the first organized criminal operation monetizing AI infrastructure vulnerabilities

Between December 2025 and January 2026, Pillar Security Research honeypot mimicking exposed AI infrastructure observed real-world attack patterns. Over 40 days, we identified 35,000 attack sessions from multiple threat actors—including the first public documentation of a named and attributed LLMjacking marketplace operation (Operation Bizarre Bazaar) and a separate MCP reconnaissance campaign.

This investigation reveals how cybercriminals discover, validate, and monetize unauthorized access to AI infrastructure through a coordinated supply chain spanning reconnaissance, validation, and commercial resale.

What is LLMjacking?

LLMjacking refers to the unauthorized access and exploitation of Large Language Model (LLM) infrastructure. Similar to how cryptojacking operations steal compute resources to mine cryptocurrency, LLMjacking operations target exposed or weakly authenticated AI endpoints to:

• Steal compute resources for unauthorized LLM inference requests
• Resell API access at discounted rates through criminal marketplaces
• Exfiltrate data from LLM context windows and conversation history
• Pivot to internal systems via compromised Model Context Protocol (MCP) servers and traditional Cloud and Application Security vulnerabilities exploitation.

Organizations running self-hosted LLM infrastructure (Ollama, vLLM, local AI implementations) or deploying MCP servers for AI integrations face active targeting. Common attack vectors include:

• Exposed endpoints on default ports of common LLM inference services
• Unauthenticated API access without proper access controls
• Development/staging environments with public IP addresses
• MCP servers connecting LLMs to file systems, databases, and internal APIs

The threat differs from traditional API abuse because compromised LLM endpoints can generate significant costs (inference is expensive), expose sensitive organizational data, and provide lateral movement opportunities.

Operation Bizarre Bazaar: The silver.inc Supply Chain

Operation Bizarre Bazaar represents a complete LLMjacking supply chain operated by threat actor "Hecker" through silver.inc infrastructure:

Reconnaissance: The operation relies on public scanning services (Shodan, Censys) and distributed scanning infrastructure to identify exposed AI endpoints. Ollama instances, vLLM servers, and OpenAI-compatible APIs running without authentication get cataloged and targeted.

Validation: Infrastructure tied to silver.inc (204.76.203.125) validates discovered endpoints through systematic API testing. During concentrated operational windows, the attacker tests placeholder API keys (sk-test-1234, dev-token), enumerates model capabilities via /api/tags and /v1/models endpoints, and assesses response quality.

Monetization: silver.inc operates as "The Unified LLM API Gateway"—a commercial marketplace reselling discounted access to 30+ LLM providers without legitimate authorization. Hosted on bulletproof infrastructure in the Netherlands (204.76.203.0/24), the service markets on Discord and Telegram while accepting cryptocurrency and PayPal payments.

This end-to-end operation—from reconnaissance to commercial resale—represents the first documented LLMjacking marketplace with complete attribution.

Attack Volume and Targeting Patterns

During our investigation, we captured 35,000 attack sessions—averaging 972 attacks per day. The sustained high-volume activity confirms systematic targeting of exposed AI infrastructure rather than opportunistic scanning.

Common misconfigurations under active exploitation:

• Ollama running on port 11434 without authentication
• OpenAI-compatible APIs on port 8000 exposed to the internet
• MCP servers accessible without access controls
• Development/staging AI infrastructure with public IPs
• Production chatbot endpoints (customer support, sales bots) without authentication or rate limiting

The attackers aren't guessing. They're using Shodan and Censys to find you. Once your endpoint appears in scan results, exploitation attempts begin within hours.

Attribution: Meet "Hecker"

We traced the operation to a threat actor operating under the alias "Hecker" (also known as Sakuya, LiveGamer101). The evidence is direct:

• The administrative panel at admin.silver.inc displays: "Hiii I'm Hecker"
• Infrastructure overlap with nexeonai.com, a service publicly accused of DDoS attacks against competitors
• Shared Cloudflare nameservers and DMARC records between silver.inc and nexeonai.com
• Bulletproof hosting with thousands of abuse reports

Timing analysis reveals that silver.inc validation attempts follow public scanning activity by 2-8 hours on average—indicating the operation monitors public scan results (Shodan, Censys) or operates its own reconnaissance infrastructure to identify targets for commercial resale.

Organizational Risk: Beyond Compute Theft

LLMjacking operations present risks beyond unauthorized API usage:

Compute Theft: Your infrastructure generates revenue for criminals. silver.inc resells access at steep discounts while you pay full retail for unauthorized usage.

Data Exfiltration: LLM context windows may contain sensitive organizational data. Conversation history, customer information, source code—all accessible through compromised endpoints.

Lateral Movement (Separate MCP Campaign): Exposed MCP servers targeted by the separate reconnaissance campaign become pivot points for lateral movement. While not confirmed as part of Operation Bizarre Bazaar, MCP-focused attackers can use LLM integrations to navigate file systems, query databases, and access cloud APIs.

Supply Chain Compromise (MCP Risk): MCP servers bridge AI systems to internal infrastructure. Any MCP integration—whether connecting to repositories, databases, or internal APIs—becomes a potential entry point when exposed.

Recommended Mitigation Actions

Immediate Actions (Critical Priority)

Enable authentication on all LLM endpoints. Requiring authentication eliminates opportunistic attacks from commercial operations like silver.inc. Organizations should verify that Ollama, vLLM, and similar services require valid credentials for all requests.

Audit MCP server exposure. MCP servers must never be directly accessible from the internet. Verify firewall rules, review cloud security groups, confirm authentication requirements. Note: MCP targeting represents a separate campaign from Operation Bizarre Bazaar.

Block known malicious infrastructure. Add the 204.76.203.0/24 subnet (silver.inc/Operation Bizarre Bazaar) to your deny lists. For the separate MCP reconnaissance campaign, block AS135377 ranges. Complete IOCs for both campaigns available in the full report.

Implement rate limiting. Stop burst exploitation attempts. Deploy WAF/CDN rules for AI-specific traffic patterns.

Audit production chatbot exposure. Every customer-facing chatbot, sales assistant, and internal AI agent must implement security controls to prevent abuse.

Short-Term Actions (High Priority)

Monitor for placeholder API key patterns. Alert on authentication attempts using sk-test, test-token, dev-key patterns.

Deploy behavioral detection. Alert on multi-provider enumeration—single IPs attempting to access multiple LLM frameworks.

Conduct security audits. Enumerate all AI endpoints in production and development. Verify authentication. Confirm firewall rules.

Protecting Public AI Endpoints

These attackers target the path of least resistance—endpoints with no friction. Even publicly accessible AI services can deter opportunistic abuse through rate limiting, usage caps, and behavioral monitoring. The goal isn't perfect security; it's making your infrastructure less attractive than the next target. For internal services, the calculus is simpler: if it shouldn't be public, verify it isn't—scan your external attack surface regularly.

A Separate Threat: MCP Reconnaissance Campaign

In addition to Operation Bizarre Bazaar, we observed a distinct campaign targeting Model Context Protocol (MCP) endpoints. By late January, 60% of total attack traffic came from MCP-focused reconnaissance operations—representing a separate threat actor with different objectives.

Why does this matter? MCP servers don't just provide LLM access—they connect AI to your infrastructure:

• File systems - Read source code, plant backdoors
• Databases - Dump credentials, exfiltrate customer data
• Shell access - Execute commands on host systems
• API integrations - Access Slack, GitHub, cloud providers
• Kubernetes - Pod execution, secret extraction

A single exposed MCP endpoint can bridge to your entire internal infrastructure. The systematic MCP reconnaissance we observed represents a distinct campaign focused on lateral movement preparation, separate from the silver.inc marketplace operation.

Important: While both campaigns target AI infrastructure, we have not established a confirmed connection between Operation Bizarre Bazaar (silver.inc) and the MCP reconnaissance campaign. Organizations must defend against both threats independently.

The Threat is Active and Ongoing

silver.inc continues to operate. The scanner infrastructure maintains consistent targeting. The attack infrastructure remains online.

We're releasing this research because transparency accelerates defense. Security teams need to understand the threat landscape, implement appropriate controls, and share intelligence with industry partners.

Pillar Security Research continues to monitor this operation. We'll provide updates as the threat evolves.

About This Research

Pillar Security deployed a deliberate honeypot mimicking common AI infrastructure misconfigurations. Over 40 days, we captured 35,000 attack sessions from three coordinated threat actors. This investigation represents the first public documentation of a systematic campaign targeting exposed LLM and MCP endpoints in the wild with full threat actor attribution, commercial marketplace operations, and systematic MCP targeting—revealing how cybercriminals discover, validate, and monetize unauthorized AI infrastructure access at scale.

For additional threat intelligence, indicators of compromise, or to report related activity: research@pillar.security

Pillar Security provides AI security solutions for enterprise organizations deploying LLM infrastructure. Our platform discovers shadow AI, enforces governance policies, validates security posture through adversarial testing, and protects runtime AI operations with adaptive guardrails. Learn more at pillar.security.