Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

Bizarre Bazaar campaign targeting exposed LLM and MCP endpoints

Campaign
First reported
Last updated
Happening score
H score 46
2 unique sources, 2 articles

Summary

Hide ▲

Bizarre Bazaar is an active LLMjacking campaign targeting exposed LLM and MCP endpoints to monetize unauthorized access to AI infrastructure. Researchers say the operation has already driven more than 35,000 attack sessions over 40 days, with abuse tied to Ollama endpoints, OpenAI-compatible APIs, and resale through silver[.]inc. The latest reporting traces Operation Bizarre Bazaar to Hecker (aka Sakuya and LiveGamer101). The campaign scans for unauthenticated services such as Ollama, vLLM, and other OpenAI-compatible APIs, validates access, and commercializes it at discounted rates. The activity creates risk of resource theft, prompt exfiltration, cryptocurrency mining, and proxying malicious traffic through victim infrastructure.

Related Happenings

Widespread exposure and misconfiguration in self-hosted AI infrastructure

Target Trend
First: 05.05.2026 13:30 Last: 05.05.2026 13:30 Sources 1

About this happening: A large-scale measurement found **self-hosted AI infrastructure** was being deployed with **widespread exposure and no authentication**, creating a broad risk of data theft, workf...

Open Happening

Residential proxy traffic evades IP reputation feeds across malicious edge sessions

Target Trend
First: 02.04.2026 18:21 Last: 02.04.2026 18:21 Sources 1

About this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...

Open Happening

FortiGate NGFW abuse campaign targeting healthcare, government, and managed service providers

Campaign
First: 10.03.2026 18:21 Last: 10.03.2026 18:21 Sources 1

About this happening: A **new FortiGate abuse campaign** is using **FortiGate NGFW appliances** as entry points to breach victim networks, creating immediate risk for **healthcare**, **government**, an...

Open Happening

Threat actors ecosystem shift changes threat-actor operations

Threat Actor Meta
First: 03.03.2026 17:01 Last: 03.03.2026 17:01 Sources 1

About this happening: **Compromised cPanel access** is being commoditized in **fraudulent chat groups**, creating a scalable supply of trusted hosting infrastructure for **phishing**, **spam**, and **m...

Open Happening

Anonymous Fénix DDoS and volunteer-recruitment campaign

Campaign
First: 23.02.2026 23:59 Last: 23.02.2026 23:59 Sources 1

About this happening: **Anonymous Fénix** escalated its **DDoS** campaign by recruiting volunteers, increasing disruption risk for **government and public-institution domains** across **Spain** and par...

Open Happening

Timeline

  1. 29.01.2026 20:37 1 articles · 3mo ago

    Operation Bizarre Bazaar traced to Hecker

    Attribution Update

    Researchers said Operation Bizarre Bazaar, an LLMjacking marketplace that scans for exposed Ollama, vLLM, and OpenAI-compatible APIs without authentication and resells access through silver[.]inc, has been traced to Hecker (aka Sakuya and LiveGamer101).

    Show sources
    Open in new tab
  2. 28.01.2026 15:15 2 articles · 3mo ago

    Pillar Security discloses Bizarre Bazaar LLM endpoint abuse

    Initial Disclosure

    Pillar Security says the Bizarre Bazaar campaign is targeting exposed LLM service endpoints and weakly protected AI infrastructure to commercialize unauthorized access, with more than 35,000 attack sessions observed over 40 days and access brokers using silver[.]inc to resell endpoint access, mine cryptocurrency, and exfiltrate prompts and conversation history.

    Show sources
    Open in new tab