πŸ”AI RiskAtlas
← Real-world cases
Case study

Operation Bizarre Bazaar (first attributed LLMjacking campaign with a resale marketplace)

Real-world incident · 28 Jan 2026 · 🗺️ Model / Package Supply Chain

Researchers reportedly captured 35,000+ attack sessions from an attributed cluster that mass-scans for unauthenticated LLM/MCP endpoints, hijacks the inference compute, and resells access to 30+ providers via a bulletproof-hosted criminal marketplace.

Root cause — why it happened

Many teams run their own AI model on a server so they don't have to pay a cloud provider. The convenient default setups often leave that server open to the whole internet with no password. Attackers ran scanners that constantly sweep the internet for these open AI servers, confirmed the ones that worked, and then sold other criminals cheap access to your model — running on your machine, on your bill. Worse, some of those servers also exposed 'helper' connections (called MCP) that let the AI reach files, databases and cloud accounts, so the open door became a way into the rest of the network.


How it unfolded

[Diagram: how it unfolded. Lanes: Untrusted supply chain / Your infrastructure. Components: Publisher, Model / Package Registry, Downloaded model / package, Your build / serving stack, Your deployed model, Scanner bots (Shodan/Censys), Validator infra (silver.inc), Resale marketplace, Paying abuser (resold access), Exposed MCP server, Files / DB / cloud. Edge types: Instructions, Data, Actions, Control / decision, Feedback / logs.]

Setup (step 1 / 7)

A model is self-hosted — and left open by default

A team runs its own AI model on a server to save money. The easy setup leaves it reachable from the whole internet with no login required — the door is unlocked, and nobody notices because it still works fine for them.

βš™οΈExposed serving config (illustrative)config
# self-hosted inference, convenient defaults
OLLAMA_HOST=0.0.0.0:11434          # bound to ALL interfaces
# (or) openai-compatible api: --host 0.0.0.0 --port 8000
auth: none                          # <-- no API key / token required
network_policy: none                # <-- reachable from public internet
mcp_server: enabled (no access controls)

Controls & guardrails — what would have stopped it

The single thing that breaks this whole chain is simple: don't put your AI server on the open internet without a login. Require a key, keep it on a private network, and only give its helper connections the access they truly need. Then a bill alarm and basic traffic watching catch anything that slips through. None of this needs a better model — it's locking the door and setting an alarm.

Preventive
  • Least-privilege identity & scoped credentials

    Doesn't prevent manipulation — only caps its reach. Hard to get right operationally; over-broad scopes are the common real-world failure.

  • Serving-stack & provisioning attestation, cache isolation

    Attestation is operationally heavy and rarely covers the full stack; cache isolation trades away latency/cost savings, so it's often left on for performance. Signing proves a template wasn't tampered in transit, not that a signed template is benign — an insider with signing rights still needs review and trigger-focused evals.

  • MCP/plugin pinning, manifest hashing & re-review

    Review catches what reviewers understand; a subtle malicious directive can pass. Pinning helps only if you actually re-review on update rather than auto-accepting.

  • Egress allowlisting & DLP on tool arguments

    Allowlists fight an open-ended channel; legitimate-but-broad destinations (any URL fetch, any email) are hard to constrain without breaking usefulness. Encoding can evade naive DLP.

Detective
Corrective
  • Governance: risk assessment, red-teaming & incident response

    Process reduces likelihood and speeds recovery but executes no technical control itself; weak follow-through makes it theatre.

Lessons

  • ▸ Self-hosting a model is a serving-infrastructure decision: an unauthenticated, internet-exposed inference endpoint is the whole vulnerability — no model exploit is needed.
  • ▸ An OpenAI-compatible API shape makes a hijacked engine instantly resellable; exposure becomes an organised hijack-and-resell economy, not a one-off.
  • ▸ Compute theft is only the first harm — the same open endpoint leaks prompts and conversation history, and a co-located MCP server turns it into network lateral movement.
  • ▸ Treat every MCP/tool server like an exposed privileged service: authenticate it and scope its tools to least privilege, or whoever reaches it inherits the agent's authority.
  • ▸ Detection is cheap if you look: inventory self-hosted AI services, alarm on cost/usage spikes, and watch for inbound traffic to inference and MCP ports from the open internet.

Proposals & gaps this case surfaced

Non-destructive suggestions for the library — proposed, not adopted.

★ Proposed sub-risk (under #44): Exposed / unauthenticated inference endpoint (LLMjacking)

A self-hosted inference/serving or MCP endpoint (e.g. Ollama, an OpenAI-compatible API, or an access-control-less MCP server) is reachable from an untrusted network without authentication, allowing third parties to hijack the inference compute (resale/denial-of-wallet/mining), read prompt and conversation state, and — via co-located over-privileged tools — pivot into connected systems.

✚ Proposed guardrail (Agent Access & Tool Control): Admission control on the inference & MCP serving plane. Authenticate and network-segment every self-hosted inference/serving and MCP endpoint.

Require authN/authZ on every inference API and MCP server, bind to private interfaces / front with a gateway, enforce network policy (no public exposure by default), and scope MCP tools to least privilege — so an exposed endpoint cannot be hijacked for compute resale, prompt/history exfiltration, or lateral movement. Pair with continuous asset discovery so endpoints can't drift back to an open default.
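The proposed guardrail written as a pure admission decision that a gateway or middleware could call before forwarding to Ollama, an OpenAI-compatible API or an MCP server; this is an added example, not the page's or any gateway's code. The allowed networks, API keys, tool scopes and request shape are constructed assumptions, and continuous asset discovery is out of scope here.

```python
import hmac
import ipaddress

# Constructed policy: where the serving plane may be reached from, which credentials
# exist, and which MCP tools each credential may invoke (least privilege per caller).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]
API_KEYS = {"svc-support": "k-constructed-1", "svc-analytics": "k-constructed-2"}
TOOL_SCOPES = {"svc-support": {"search_docs"}, "svc-analytics": {"search_docs", "query_db"}}

def caller_for(token):
    """Map a presented API key to its principal; constant-time compare, None if no match."""
    for principal, key in API_KEYS.items():
        if hmac.compare_digest(key, token or ""):
            return principal
    return None

def admit(req):
    """Admission decision for one request to an inference API or MCP server.
    req = {"src": client ip, "path": request path, "token": api key or None, "tool": mcp tool or None}
    Returns (allowed, reason). Gates run broadest-first so public traffic never reaches authN."""
    src = ipaddress.ip_address(req["src"])
    # 1. Network policy: the endpoint is private by default ("no public exposure by default").
    if not any(src in net for net in ALLOWED_NETS):
        return False, "source not on an allowed network"
    # 2. AuthN: every inference and MCP call must carry a valid credential.
    principal = caller_for(req.get("token"))
    if principal is None:
        return False, "missing or invalid credential"
    # 3. AuthZ: an MCP tool call is admitted only if the tool is in the caller's scope,
    #    so reaching the endpoint does not inherit the agent's full authority.
    tool = req.get("tool")
    if tool is not None and tool not in TOOL_SCOPES.get(principal, set()):
        return False, f"tool {tool!r} not in scope for {principal}"
    return True, f"admitted {principal} to {req['path']}"
```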

This case shows a gap: most AI-risk lists focus on tricking the model with clever inputs. But here nothing tricked the model — the server was simply left open on the internet with no password. 'Don't expose your AI server unauthenticated' deserves to be called out as its own risk and control.

These surface as proposals across the Control Library and Risk Taxonomy; adopt them by hand when ready.


AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading → · Built by Shi Yuan ↗