Operation Bizarre Bazaar: First LLMjacking Marketplace Monetizes Stolen AI Infrastructure Access

Security researchers have documented the first fully attributed criminal operation dedicated to hijacking and reselling unauthorized access to AI infrastructure at scale.

Dubbed Operation Bizarre Bazaar, the campaign represents a complete LLMjacking supply chain—from initial reconnaissance to commercial marketplace monetization—operated by a threat actor known as "Hecker" through the silver.inc platform.

What is LLMjacking?

LLMjacking refers to the unauthorized access and exploitation of Large Language Model infrastructure. Similar to cryptojacking operations that steal compute resources for cryptocurrency mining, LLMjacking operations target exposed or weakly authenticated AI endpoints to steal expensive inference compute, resell API access through criminal marketplaces, exfiltrate data from conversation histories, and pivot to internal systems via compromised integrations.

35,000 Attack Sessions in 40 Days

Between December 2025 and January 2026, Pillar Security Research deployed honeypots mimicking common AI infrastructure misconfigurations. Over 40 days, they captured 35,000 attack sessions—averaging 972 attacks per day—confirming systematic targeting rather than opportunistic scanning.

Common misconfigurations under active exploitation include Ollama instances on port 11434 without authentication, OpenAI-compatible APIs on port 8000 exposed to the internet, MCP servers accessible without access controls, and production chatbot endpoints lacking rate limiting.

The silver.inc Supply Chain

Operation Bizarre Bazaar operates through three distinct phases:

Reconnaissance: The operation leverages public scanning services like Shodan and Censys to identify exposed AI endpoints. Ollama instances, vLLM servers, and OpenAI-compatible APIs running without authentication get cataloged for targeting.

Validation: Infrastructure tied to silver.inc (204.76.203.125) validates discovered endpoints through systematic API testing, checking placeholder API keys like "sk-test-1234" and "dev-token," enumerating model capabilities via /api/tags and /v1/models endpoints, and assessing response quality.

Monetization: silver.inc operates as "The Unified LLM API Gateway"—a commercial marketplace reselling discounted access to over 30 LLM providers without legitimate authorization. The service markets on Discord and Telegram while accepting cryptocurrency and PayPal payments.

Attribution: Meet "Hecker"

Researchers traced the operation to a threat actor operating under aliases including "Hecker," "Sakuya," and "LiveGamer101." Evidence includes an administrative panel at admin.silver.inc displaying "Hiii I'm Hecker," infrastructure overlap with nexeonai.com (previously accused of DDoS attacks against competitors), shared Cloudflare nameservers and DMARC records, and bulletproof hosting in the Netherlands (204.76.203.0/24) with thousands of abuse reports.

Timing analysis reveals silver.inc validation attempts follow public scanning activity by 2-8 hours on average, indicating the operation monitors Shodan and Censys results to identify fresh targets.

Separate MCP Reconnaissance Campaign

In addition to Operation Bizarre Bazaar, researchers observed a distinct campaign targeting Model Context Protocol (MCP) endpoints. By late January, 60% of total attack traffic came from MCP-focused reconnaissance operations.

MCP servers present elevated risk because they connect AI systems directly to internal infrastructure including file systems, databases, shell access, and API integrations. A single exposed MCP endpoint can bridge to an organization's entire internal environment.

Researchers have not established a confirmed connection between Operation Bizarre Bazaar and the MCP reconnaissance campaign, suggesting organizations face multiple independent threats.

Organizational Impact

Beyond compute theft, compromised LLM endpoints expose organizations to data exfiltration from context windows containing sensitive information, lateral movement through MCP integrations, and supply chain compromise where AI bridges to repositories, databases, and internal APIs become entry points.

Indicators of Compromise

Network Indicators:

• 204.76.203.125 (silver.inc validation infrastructure)
• 204.76.203.0/24 subnet (bulletproof hosting)
• AS135377 ranges (MCP reconnaissance campaign)

Behavioral Indicators:

• Authentication attempts using sk-test, test-token, dev-key patterns
• Enumeration of /api/tags and /v1/models endpoints
• Multi-provider framework scanning from single IPs

Recommendations

1. Enable authentication on all LLM endpoints—Ollama, vLLM, and similar services should require valid credentials
2. Audit MCP server exposure and ensure they are never directly accessible from the internet
3. Block 204.76.203.0/24 and AS135377 ranges
4. Implement rate limiting and WAF rules for AI-specific traffic patterns
5. Monitor for placeholder API key authentication attempts
6. Enumerate all AI endpoints in production and development environments

The Threat Continues

silver.inc remains operational. The scanner infrastructure maintains consistent targeting. Organizations running self-hosted LLM infrastructure or deploying MCP servers face active, ongoing exploitation attempts.