LLMjacking: How Hackers Exploit Misconfigured Proxies to Steal Access to Paid LLM Services Like OpenAI, Google Gemini, Anthropic, Meta, and More

  • Rescana
  • Jan 11

Executive Summary

Recent threat intelligence has identified a surge in cyberattacks targeting misconfigured proxy servers to illicitly access paid Large Language Model (LLM) services. Threat actors are leveraging advanced enumeration techniques, server-side request forgery (SSRF), and proxy misconfigurations to hijack access to commercial AI endpoints, including those from OpenAI, Anthropic, Meta, Google, Mistral, Alibaba, and xAI. This campaign, active since late 2025, is characterized by systematic, low-noise probing and is believed to be part of a broader reconnaissance and exploitation effort. The monetization of stolen LLM access, known as "LLMjacking," is already evident on underground forums, underscoring the urgency for organizations to secure their AI infrastructure.

Threat Actor Profile

The actors behind these campaigns exhibit a high degree of technical sophistication, utilizing virtual private server (VPS) infrastructure distributed across 27 countries. Their tactics, techniques, and procedures (TTPs) align with those of organized cybercriminal groups and advanced grey-hat operators rather than unsophisticated botnets. The attackers employ custom enumeration scripts and leverage tools such as ProjectDiscovery OAST (Out-of-band Application Security Testing) to facilitate callbacks and exfiltration. While no direct attribution to known Advanced Persistent Threat (APT) groups has been established, the infrastructure and operational security measures suggest a well-resourced and coordinated effort.

Technical Analysis of Malware/TTPs

The attack chain begins with the identification of misconfigured proxies that expose LLM endpoints. Attackers initiate low-noise, benign queries—such as greetings, empty inputs, or simple factual questions—designed to evade detection by security monitoring systems. These probes are formatted to be compatible with both OpenAI and Google Gemini API schemas, maximizing the range of accessible targets.

Once a vulnerable proxy is identified, the attackers exploit SSRF vulnerabilities to force the target server to initiate outbound connections to attacker-controlled infrastructure. For example, the Ollama model pull functionality can be abused by injecting malicious registry URLs, while Twilio SMS webhook integrations are targeted via the MediaURL parameter. The use of ProjectDiscovery OAST infrastructure enables the attackers to receive out-of-band callbacks, confirming the presence of exploitable SSRF and facilitating further exploitation.

The campaign has generated over 80,000 sessions in just 11 days, probing more than 73 distinct LLM endpoints. The attackers' infrastructure is characterized by unique JA4 network fingerprints, which are associated with automated scanning tools and are traceable to VPS providers rather than residential IP ranges. This operational pattern is consistent with previous campaigns involving widespread vulnerability exploitation.

Exploitation in the Wild

In the wild, exploitation has been observed at scale, with attackers systematically scanning for and compromising misconfigured proxies. While no major data breaches or model abuses have been publicly confirmed as of January 2026, the persistence and breadth of the reconnaissance activity indicate preparation for future, potentially more damaging exploitation. The compromised access is being monetized on underground forums, with stolen LLM credentials and API keys sold for as little as $30 per account. This practice, referred to as "LLMjacking," enables buyers to leverage paid AI services without authorization, potentially incurring significant costs and reputational damage for the legitimate account holders.

The scanning infrastructure used in these campaigns has a documented history of involvement in other high-profile vulnerability exploitation events, further elevating the risk profile for organizations operating exposed LLM endpoints.

Victimology and Targeting

The campaign is opportunistic in nature, targeting any organization or individual operating LLM endpoints that are accessible via misconfigured proxies. Telemetry from GreyNoise indicates that the attacks originate from 62 IP addresses distributed across 27 countries, with no specific industry or sector singled out. However, organizations with significant investments in AI infrastructure—such as technology firms, research institutions, and enterprises integrating LLMs into their workflows—are at heightened risk due to the potential for both financial loss and intellectual property exposure.

The targeted LLM services and their current versions include OpenAI (GPT-4o and variants), Anthropic (Claude Sonnet, Opus, Haiku), Meta (Llama 3.x), DeepSeek (DeepSeek-R1), Google (Gemini), Mistral (public endpoints), Alibaba (Qwen), and xAI (Grok). The attacks are not limited to a single vendor’s implementation but rather exploit any instance where these models are accessible via misconfigured proxies.

Mitigation and Countermeasures

To defend against these sophisticated attacks, organizations should implement a multi-layered security strategy. Restrict LLM model pulls, such as those in Ollama, to trusted registries only, thereby minimizing the risk of unauthorized model downloads. Apply stringent egress filtering to prevent unauthorized outbound connections from internal servers to external networks. Block known OAST callback domains at the DNS level to disrupt attacker communications.
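The registry allow-list and OAST blocking described above can be combined into one check that a gateway applies to a model reference before forwarding a pull. This is an added example, not code from the original report or from Ollama. The reference format, the allow-list contents, the OAST suffix list and the function names are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_REGISTRY = "registry.ollama.ai"   # assumption: Ollama's default registry host
TRUSTED_REGISTRIES = {DEFAULT_REGISTRY}   # assumption: this deployment's allow-list
# Assumption: public interactsh (ProjectDiscovery OAST) domains; extend from threat intel.
OAST_SUFFIXES = ("oast.pro", "oast.live", "oast.site", "oast.online", "oast.fun", "oast.me")


def registry_host(model_ref: str) -> str:
    """Return the host a model reference would be pulled from (lowercased)."""
    ref = model_ref.strip()
    if "://" not in ref:
        first = ref.split("/", 1)[0]
        explicit = "/" in ref and ("." in first or ":" in first or first == "localhost")
        if not explicit:
            return DEFAULT_REGISTRY      # bare "model:tag" or "namespace/model"
        ref = "https://" + ref
    # urlsplit() drops any "user@" prefix, so "trusted@evil" resolves to "evil".
    return (urlsplit(ref).hostname or "").rstrip(".").lower()


def check_pull(model_ref: str) -> tuple[bool, str]:
    """Decide whether a pull may proceed; returns (allowed, reason)."""
    try:
        host = registry_host(model_ref)
    except ValueError:
        return False, "unparseable model reference"
    if any(host == s or host.endswith("." + s) for s in OAST_SUFFIXES):
        return False, f"OAST callback domain: {host}"
    if host not in TRUSTED_REGISTRIES:
        return False, f"untrusted registry: {host or 'none'}"
    return True, f"trusted registry: {host}"


# Constructed sample references (documentation-range IP, made-up subdomain).
SAMPLES = [
    "llama3:8b",
    "registry.ollama.ai/library/qwen:7b",
    "http://c1a2b3.oast.fun/library/llama3:latest",
    "registry.ollama.ai@203.0.113.7/library/llama3",
    "REGISTRY.OLLAMA.AI./library/llama3",
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(ref, "->", check_pull(ref))
```

Matching on the parsed host rather than on a string prefix is what rejects the `trusted@other-host` form; the same host comparison belongs in the egress filter and DNS blocklist so the control does not depend on the application layer alone.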

It is critical to rate-limit suspicious Autonomous System Numbers (ASNs) and monitor for JA4 network fingerprints indicative of automated scanning activity. Regularly audit proxy configurations to ensure that only authorized users and systems can access LLM endpoints, and restrict public exposure wherever possible. Continuous monitoring for unusual API usage patterns and session spikes can provide early warning of enumeration or exploitation attempts.
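The usage monitoring described above can be sketched as a sliding-window detector over proxy access logs that flags a client touching many distinct models with near-empty prompts. This is an added example, not code from the original report. The JSON log schema (`ts`, `src`, `model`, `prompt_chars`), the thresholds and the sample events are constructed assumptions.

```python
import json
from collections import defaultdict, deque

WINDOW_S = 600          # assumption: 10-minute sliding window per client
MIN_MODELS = 4          # assumption: distinct models in one window that is unusual
MAX_PROBE_CHARS = 20    # assumption: greetings, empty input, one-line questions
MIN_PROBE_RATIO = 0.8   # assumption: share of window requests that must be probe-sized


def find_enumerators(log_lines):
    """Return {src: sorted models} for clients whose window looks like model enumeration."""
    windows = defaultdict(deque)            # src -> deque of (ts, model, prompt_chars)
    flagged = {}
    events = sorted((json.loads(line) for line in log_lines), key=lambda e: e["ts"])
    for e in events:
        w = windows[e["src"]]
        w.append((e["ts"], e["model"], e["prompt_chars"]))
        while e["ts"] - w[0][0] > WINDOW_S:  # expire events older than the window
            w.popleft()
        models = {m for _, m, _ in w}
        probes = sum(1 for _, _, n in w if n <= MAX_PROBE_CHARS)
        if len(models) >= MIN_MODELS and probes / len(w) >= MIN_PROBE_RATIO:
            # Keep accumulating models seen while the client stays over threshold.
            flagged[e["src"]] = sorted(models | set(flagged.get(e["src"], [])))
    return flagged


def make_event(ts, src, model, prompt_chars):
    return json.dumps({"ts": ts, "src": src, "model": model, "prompt_chars": prompt_chars})


# Constructed log: one scanner, one normal client, one slow multi-model client.
SCAN = [("gpt-4o", 2), ("claude-sonnet", 0), ("llama3", 5), ("gemini", 2), ("grok", 14)]
SAMPLE_LOG = (
    [make_event(1000 + 30 * i, "198.51.100.23", m, n) for i, (m, n) in enumerate(SCAN)]
    + [make_event(1000 + 60 * i, "10.0.4.17", "gpt-4o", 900 + i) for i in range(8)]
    + [make_event(1000 + 3600 * i, "10.0.9.2", m, 3)
       for i, m in enumerate(["gpt-4o", "llama3", "gemini", "qwen"])]
)

if __name__ == "__main__":
    for src, models in find_enumerators(SAMPLE_LOG).items():
        print(f"possible LLM enumeration from {src}: {', '.join(models)}")
```

The slow client at `10.0.9.2` is not flagged, which shows the limit of a short window against low-noise probing; a longer secondary window or per-ASN aggregation covers that case.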

Organizations should also stay informed about the latest threat intelligence and update their incident response playbooks to include scenarios involving LLM endpoint abuse. Engaging in regular penetration testing and red teaming exercises focused on AI infrastructure can further enhance resilience against these emerging threats.

References

  • BleepingComputer: Hackers target misconfigured proxies to access paid LLM services (https://www.bleepingcomputer.com/news/security/hackers-target-misconfigured-proxies-to-access-paid-llm-services/)
  • GreyNoise Threat Intelligence (https://www.bleepingcomputer.com/news/security/hackers-target-misconfigured-proxies-to-access-paid-llm-services/)
  • HackRead: Hackers Monetize LLMjacking, Selling Stolen AI Access (https://hackread.com/hackers-monetize-llmjacking-selling-stolen-ai-access/)
  • Reddit: r/SecOpsDaily - Hackers target misconfigured proxies to access paid LLM services (https://www.reddit.com/r/SecOpsDaily/comments/1q8inea/hackers_target_misconfigured_proxies_to_access/)
  • MITRE ATT&CK: T1190, T1046, T1210, T1589, T1595 (https://attack.mitre.org/)

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to identify, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and continuous monitoring capabilities empower security teams to proactively defend against emerging threats and ensure the resilience of critical business operations. For more information or to discuss how Rescana can help secure your organization, we are happy to answer questions at ops@rescana.com.