Bizarre Bazaar The new LLMjacking era that sells access to IA in dark markets

In recent weeks, the security of large-scale language models (LLM) has ceased to be a theoretical concern to become a real and lucrative target for organized crime. Researchers who deployed honeypots designed to simulate IA services have observed a massive volume of unauthorized access attempts, which has made it possible to uncover a criminal operation that markets access to poorly configured IA infrastructure.

The Pillar Security team documented more than 35,000 attack sessions in just 40 days, a rhythm that highlights the speed at which attackers detect and take advantage of exposed points. These findings, reported in the Pillar Security report, describe a campaign baptized as Bizarre Bazaar which analysts consider one of the first examples attributed to a particular actor of what is already called "LLMjacking": the taking and monetization of unprotected LLM endpoints. You can read the technical report of Pillar Security on your official page: Pillar Security - Operation Bizarre Bazaar.

The purpose of these accesses is not only to cause costs for inferences; the criminal business is multiple. Among the motivations identified are the use of stolen computer capacity for cryptomoneda mining, the resale of access to APIs of IA in heavily opaque markets, the theft of data contained in prompts and conversation histories, and the attempt to move laterally within corporate infrastructure through servers of the so-called Model Context Protocol (MCP). The combination of high operating expenditure, sensitive information and lateral motion vectors makes LLM endpoints a very cost-effective target as the researchers point out.

The usual technique of the attackers begins with a large-scale Internet scan to locate exposed services: self-housed model instances, OpenAI-compatible APIs that are open in common ports, publicly accessible MCP servers and development environments or stacking with public IP. The bad configured ones they detected include unauthenticated endpoints in solutions such as Olama and APis OpenAI that are exposed in typical ports; these errors are usually visible in a few minutes or hours after they appear in Internet service seekers as Shodan or Censys, which facilitates rapid exploitation.

It is not just about opportunistic attackers: Pillar describes an organized criminal chain with different roles. Some bots carry out initial exploration, others validate and test accesses, and a third manages the marketing of these accesses through a service that operates publicly in difficult-to-track messaging channels. This service promotes a platform that promises unified access to dozens of models, an attractive proposal for low-scrupulous buyers who prefer to pay with cryptomonedas or alternative methods. Researchers have associated the operation with specific aliases used by alleged operators.

In parallel, campaigns focused exclusively on the recognition of endpoints MCP, a worrying tactic because these servers can offer the door for more impact actions: interaction with Kubernetes clusters, access to cloud services and execution of commands in compromised systems. In many scenarios this type of access allows attackers to scale privileges and move laterally, with consequences that go far beyond cost per inference.

The investigation of Pillar does not arise in the vacuum: other teams have detected similar activity. At the beginning of the month, GreyNoise published analyses showing massive scans for LLM commercial services with the aim of listing available endpoints, a further sign that the public visibility of IA infrastructure has become an exploitable source. You can review the general analysis of GreyNoise on his blog: GreenNoise - Blog. In addition, specialized means such as BleepingComputer they have collected the conclusions of Pillar and have tried to contact the above-mentioned services for their explanations.

What can organizations do to protect themselves? First, treat the endpoints of LLM as sensitive and costly resources. It is essential to ensure that any exposed inference service requires robust authentication, that APIs are behind link doors that limit the use and rate of requests, and that development or staging instances are not accessible from the Internet in open mode. It is also appropriate to apply network segmentation, firewall rules that restrict IP access, key rotation and protection, and comprehensive telemetry recording to detect unusual use peaks that may indicate abuse. Early monitoring and automated response to abnormal patterns can mean the difference between a minor incident and a broad impact intrusion.

Equally important is to review the policy of retention and access to prompts and talks. Many teams store histories or examples of interaction that may contain sensitive data; in case of filtration, such information may facilitate fraud, social engineering or intellectual property filtration. Limiting what is saved, anonymizing data where possible, and auditing who and how to access such records are risk-reducing measures.

The lesson is clear: the accelerated adoption of business IA has created new attack areas that require operational maturity. Model providers, orchestration platforms and internal teams should work together to impose minimum controls and share commitment indicators. Meanwhile, massive scans and markets that resell access will continue to operate; until security and governance are incorporated into the design of IA infrastructure, campaigns like Bizarre Bazaar will find new victims.

To deepen the original sources and security recommendations, it is worth reading the Pillar Security report and consulting resources on API security and safe model deployment practices: Pillar Security report, news coverage in BleepingComputer and general documentation on the exposure of services on the Internet, Shodan and Censys. If you manage or develop IA services, it is time to audit access and assume that any publicly discovered endpoint can be attacked within hours.