Operation Bizarre Bazaar (first attributed LLMjacking campaign with a resale marketplace)
Real-world incident | 28 Jan 2026 | Model / Package Supply Chain
Researchers reportedly captured 35,000+ attack sessions from an attributed cluster that mass-scans for unauthenticated LLM/MCP endpoints, hijacks the inference compute, and resells access to 30+ providers via a bulletproof-hosted criminal marketplace.
Root cause: why it happened
Many teams run their own AI model on a server so they don't have to pay a cloud provider. The convenient default setups often leave that server open to the whole internet with no password. Attackers ran scanners that constantly sweep the internet for these open AI servers, confirmed the ones that worked, and then sold other criminals cheap access to your model, running on your machine, on your bill. Worse, some of those servers also exposed 'helper' connections (called MCP) that let the AI reach files, databases and cloud accounts, so the open door became a way into the rest of the network.
How it unfolded
A model is self-hosted, and left open by default
A team runs its own AI model on a server to save money. The easy setup leaves it reachable from the whole internet with no login required: the door is unlocked, and nobody notices because it still works fine for them.
```
# self-hosted inference, convenient defaults
OLLAMA_HOST=0.0.0.0:11434                 # bound to ALL interfaces
# (or) openai-compatible api: --host 0.0.0.0 --port 8000
auth: none                                # <-- no API key / token required
network_policy: none                      # <-- reachable from public internet
mcp_server: enabled (no access controls)
```
Controls & guardrails: what would have stopped it
The single thing that breaks this whole chain is simple: don't put your AI server on the open internet without a login. Require a key, keep it on a private network, and give its helper connections (MCP tools) only the access they truly need. Then a bill alarm and basic traffic monitoring catch anything that slips through. None of this needs a better model; it is locking the door and setting an alarm.
- Least-privilege identity & scoped credentials
  Doesn't prevent manipulation; it only caps its reach. Hard to get right operationally; over-broad scopes are the common real-world failure.
- Serving-stack & provisioning attestation, cache isolation
  Attestation is operationally heavy and rarely covers the full stack; cache isolation trades away latency/cost savings, so caching is often left on for performance. Signing proves a template wasn't tampered with in transit, not that a signed template is benign: an insider with signing rights still needs review and trigger-focused evals.
- MCP/plugin pinning, manifest hashing & re-review (addresses: Supply-Chain Compromise)
  Review catches what reviewers understand; a subtle malicious directive can pass. Pinning helps only if you actually re-review on update rather than auto-accepting.
- Egress allowlisting & DLP on tool arguments (addresses: Sensitive Data Leakage)
  Allowlists fight an open-ended channel; legitimate-but-broad destinations (any URL fetch, any email) are hard to constrain without breaking usefulness. Encoding can evade naive DLP.
- Runtime monitoring & anomaly detection
  Detects the anomalous, not the novel-but-subtle; high false-positive rates cause alert fatigue. Always a step behind a sufficiently quiet attacker.
- Loop/cost circuit-breakers & consistency checks
  Thresholds are blunt: too tight breaks legitimate long tasks, too loose lets damage accrue first. Catches runaway dynamics, not a single well-formed bad decision.
- Full-trace audit logging
  Logging is forensic, not preventive; it explains harm after the fact. Useless if no one reviews it or if the materialised context isn't captured.
- Governance: risk assessment, red-teaming & incident response (addresses: Supply-Chain Compromise)
  Process reduces likelihood and speeds recovery but executes no technical control itself; weak follow-through makes it theatre.
Lessons
- Self-hosting a model is a serving-infrastructure decision: an unauthenticated, internet-exposed inference endpoint is the whole vulnerability; no model exploit is needed.
- An OpenAI-compatible API shape makes a hijacked engine instantly resellable, so exposure becomes an organised hijack-and-resell economy rather than a one-off.
- Compute theft is only the first harm: the same open endpoint leaks prompts and conversation history, and a co-located MCP server turns it into a foothold for network lateral movement.
- Treat every MCP/tool server like an exposed privileged service: authenticate it and scope its tools to least privilege, or whoever reaches it inherits the agent's authority.
- Detection is cheap if you look: inventory self-hosted AI services, alarm on cost/usage spikes, and watch for inbound traffic to inference and MCP ports from the open internet.
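The detection named in the last lesson, as an added example that is not from the write-up or from Pillar's research: a small Python pass over a constructed access log that flags sources outside the RFC 1918 ranges reaching the inference or MCP ports, and hours whose completion-token total spikes above a baseline. The log format, the MCP port (3000) and the baseline figure are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports from the convenient-default config above: Ollama (11434) and the
# OpenAI-compatible API (8000). MCP on 3000 is an assumption for the sample.
INFERENCE_PORTS = {11434, 8000}
MCP_PORTS = {3000}
# Networks expected to talk to the model host; anything else is "open internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample reverse-proxy access log (not real traffic).
# Fields: timestamp, client ip, destination port, path, status, completion tokens.
SAMPLE_LOG = """\
2026-01-27T10:00:01Z 10.0.4.12 11434 /api/chat 200 310
2026-01-27T10:05:09Z 10.0.4.12 11434 /api/chat 200 280
2026-01-27T11:02:41Z 198.51.100.23 11434 /api/tags 200 0
2026-01-27T11:02:42Z 198.51.100.23 11434 /api/chat 200 120
2026-01-27T11:03:00Z 198.51.100.23 3000 /mcp/tools/list 200 0
2026-01-27T12:00:00Z 203.0.113.9 8000 /v1/chat/completions 200 4100
2026-01-27T12:00:03Z 203.0.113.9 8000 /v1/chat/completions 200 3900
2026-01-27T12:00:07Z 203.0.113.9 8000 /v1/chat/completions 200 4200
"""

def parse(line):
    ts, ip, port, path, status, tokens = line.split()
    return {"ts": ts, "ip": ipaddress.ip_address(ip), "port": int(port),
            "path": path, "status": int(status), "tokens": int(tokens)}

def is_internal(ip):
    # Explicit RFC 1918 check: ipaddress's is_private also counts documentation
    # ranges such as 203.0.113.0/24 as private, which would hide the sample hits.
    return any(ip in net for net in INTERNAL_NETS)

def analyze(log_text, hourly_baseline_tokens, spike_factor=3.0):
    """Findings: external sources reaching inference/MCP ports, and hours whose
    completion-token total exceeds spike_factor x baseline (denial-of-wallet)."""
    findings, hourly, external = [], defaultdict(int), defaultdict(set)
    for raw in log_text.strip().splitlines():
        rec = parse(raw)
        hourly[rec["ts"][:13]] += rec["tokens"]          # bucket by hour
        if not is_internal(rec["ip"]) and rec["port"] in INFERENCE_PORTS | MCP_PORTS:
            external[str(rec["ip"])].add(rec["port"])
    for ip, ports in sorted(external.items()):
        # A source that also touches MCP is the lateral-movement case, not just compute theft.
        kind = "mcp+inference" if ports & MCP_PORTS else "inference"
        findings.append(("public_source", ip, kind, sorted(ports)))
    for hour, total in sorted(hourly.items()):
        if total > spike_factor * hourly_baseline_tokens:
            findings.append(("token_spike", hour, total))
    return findings
```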
Proposals & gaps this case surfaced
Non-destructive suggestions for the library; proposed, not adopted.
A self-hosted inference/serving or MCP endpoint (e.g. Ollama, an OpenAI-compatible API, or an access-control-less MCP server) is reachable from an untrusted network without authentication, allowing third parties to hijack the inference compute (resale/denial-of-wallet/mining), read prompt and conversation state, and, via co-located over-privileged tools, pivot into connected systems.
Require authN/authZ on every inference API and MCP server, bind to private interfaces / front with a gateway, enforce network policy (no public exposure by default), and scope MCP tools to least privilege, so that an exposed endpoint cannot be hijacked for compute resale, prompt/history exfiltration, or lateral movement. Pair with continuous asset discovery so endpoints can't drift back to an open default.
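One way to implement the control proposed above and in "Controls & guardrails", as an added example that is not code from the write-up or from any serving project: a gateway decision function that enforces source-network policy, bearer-key authentication with constant-time comparison, and per-route scopes so that each MCP tool route needs an explicit grant. The key values, scope names and routes are hypothetical.

```python
import hmac
import ipaddress

# Constructed gateway policy for a self-hosted model; the keys, scopes and
# routes are hypothetical and are not taken from the case write-up.
# Each API key carries only the scopes it needs; MCP tools get their own
# scopes so a chat-only key can never reach filesystem or cloud tools.
API_KEYS = {
    "sk-app-frontend-EXAMPLE": {"chat"},
    "sk-ops-agent-EXAMPLE": {"chat", "mcp:read_docs"},
}
# Network policy: only these source ranges may reach the gateway at all.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Every exposed route, including each MCP tool, needs an explicit scope.
ROUTE_SCOPES = {
    "/v1/chat/completions": "chat",
    "/mcp/tools/read_docs": "mcp:read_docs",
    "/mcp/tools/cloud_admin": "mcp:cloud_admin",   # no key above holds this
}

def key_from_header(auth_header):
    """Return the matching API key for a 'Bearer <token>' header, or None.
    Comparison is constant-time so the check does not leak key prefixes."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    presented = auth_header[len("Bearer "):].encode()
    for key in API_KEYS:
        if hmac.compare_digest(presented, key.encode()):
            return key
    return None

def authorize(peer_ip, path, auth_header):
    """Return (allowed, reason) for one request. Checks are ordered so the
    cheapest, least-revealing rejection fires first: network policy, then
    authentication, then the per-route scope."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in ALLOWED_SOURCE_NETS):
        return False, "source not in private allowlist"
    key = key_from_header(auth_header)
    if key is None:
        return False, "missing or unknown API key"
    scope = ROUTE_SCOPES.get(path)
    if scope is None:
        return False, "route not exposed"       # default-deny, e.g. /api/tags
    if scope not in API_KEYS[key]:
        return False, f"key lacks scope {scope}"
    return True, "ok"
```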
This case shows a gap: most AI-risk lists focus on tricking the model with clever inputs. But here nothing tricked the model β the server was simply left open on the internet with no password. 'Don't expose your AI server unauthenticated' deserves to be called out as its own risk and control.
These surface as proposals across the Control Library and Risk Taxonomy; adopt them by hand when ready.
Sources
- Operation Bizarre Bazaar: First Attributed LLMjacking Campaign with Commercial Marketplace Monetization - Pillar Security (28 Jan 2026, primary). Primary research: 35,000+ sessions, a three-stage scan, validate, resell chain, silver.inc, ~60% MCP shift. Figures are Pillar's.
- Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation - BleepingComputer (28 Jan 2026). Independent coverage; characterises the MCP-reconnaissance activity as separate-but-tracked.
- LLMs Hijacked, Monetized in 'Operation Bizarre Bazaar' - SecurityWeek.
- 'Bizarre Bazaar' campaign exploits exposed LLM endpoints - SC World.
- OWASP LLM10:2025 Unbounded Consumption. The denial-of-wallet / cost-harvesting risk class realised here as an organised resale market.