Bizarre Bazaar: attackers monetizing exposed LLM & MCP endpoints (LLMjacking)

• Category: Security

  • What happened: Researchers observed a campaign targeting exposed LLM service endpoints (and, increasingly, MCP endpoints) and turning access into a commodity.
  • Observed scale: The report cites tens of thousands of attack sessions seen in honeypots over ~40 days.
  • Monetization: Abuse includes stealing compute (inference is expensive), reselling API access, and mining value from prompts/conversation history.
  • Target surface: self-hosted LLM servers, OpenAI-compatible APIs, development/staging environments with public IPs, and publicly reachable MCP servers.
  • Typical weak points: no auth, weak auth, missing network segmentation, permissive CORS/proxying, and “it’s just a dev box” deployment habits.
  • Timing: Attackers reportedly move quickly after endpoints appear in internet scanners (Shodan/Censys).
  • Not just cost-fraud: MCP exposure turns LLM endpoint compromise into a path for lateral movement (shell commands, Kubernetes interactions, cloud access), depending on how tools are wired.

Why it matters

  • New perimeter: “LLM endpoints” are becoming production infrastructure, but many orgs still protect them like a demo. Attackers are adapting faster than governance.
  • High blast radius: Even without classic RCE, prompt logs + tool integrations can expose secrets, internal docs, and operational context.
  • Billing risk is real: A single abused endpoint can generate outsized compute costs, especially if you proxy to paid providers.

What to do

  1. Inventory: list every LLM/MCP endpoint (prod + staging + dev) and who can reach it.
  2. Close the internet: default to private networking (VPN, VPC-only). If it must be public, enforce auth (mTLS/OAuth/API keys) + rate limits + WAF rules.
  3. Separate tools: don’t run “LLM gateway” and “privileged tools” in the same trust zone. Treat MCP servers as sensitive backends.
  4. Log & alert: track unusual request volume, unknown user agents, high token usage, and unexpected tool invocation patterns.
  5. Harden defaults: ensure Ollama/OpenAI-compatible servers aren’t exposed unauthenticated; lock down reverse proxies and disable directory listings/debug routes.
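A sketch of step 4 (log and alert), added here as an example and not taken from the report: it assumes an OpenAI-compatible gateway writes one JSON record per request with constructed field names (ts, src, key_id, path, tokens, ua, tool), and flags unauthenticated requests, unknown user agents, per-client request and token spikes, and MCP tool invocations outside a per-key allowlist.

```python
import json
from collections import defaultdict

# Constructed sample log: a burst from one unauthenticated client plus two normal requests.
SAMPLE_LOG = "\n".join([
    '{"ts": 1700000000, "src": "203.0.113.7", "key_id": null, "path": "/v1/chat/completions", "tokens": 4000, "ua": "python-requests/2.31", "tool": null}',
    '{"ts": 1700000001, "src": "203.0.113.7", "key_id": null, "path": "/v1/chat/completions", "tokens": 4200, "ua": "python-requests/2.31", "tool": null}',
    '{"ts": 1700000002, "src": "203.0.113.7", "key_id": null, "path": "/v1/chat/completions", "tokens": 3900, "ua": "python-requests/2.31", "tool": "run_shell"}',
    '{"ts": 1700000010, "src": "10.0.0.5", "key_id": "team-a", "path": "/v1/chat/completions", "tokens": 300, "ua": "internal-app/1.0", "tool": "search_docs"}',
    '{"ts": 1700000020, "src": "10.0.0.6", "key_id": "team-a", "path": "/v1/chat/completions", "tokens": 250, "ua": "internal-app/1.0", "tool": null}',
])

KNOWN_UAS = ("internal-app/",)               # allowlisted client user-agent prefixes (assumed)
ALLOWED_TOOLS = {"team-a": {"search_docs"}}  # which MCP tools each API key may invoke (assumed)
WINDOW_S = 60                                # sliding window for volume/token thresholds
MAX_REQ_PER_WINDOW = 2
MAX_TOKENS_PER_WINDOW = 10000


def detect(log_text):
    """Return a sorted list of (rule, client) alerts found in the log text."""
    alerts = set()
    per_client = defaultdict(list)  # client -> [(ts, tokens)]
    for line in log_text.splitlines():
        e = json.loads(line)
        # Authenticated traffic is keyed by API key id; unauthenticated traffic by source IP.
        client = e["key_id"] or e["src"]
        if e["key_id"] is None:
            alerts.add(("unauthenticated_request", client))
        if not e["ua"].startswith(KNOWN_UAS):
            alerts.add(("unknown_user_agent", client))
        # A tool call is unexpected if the key has no allowlist or the tool is not on it.
        if e["tool"] and e["tool"] not in ALLOWED_TOOLS.get(e["key_id"], set()):
            alerts.add(("unexpected_tool_invocation", client))
        per_client[client].append((e["ts"], e["tokens"]))
    # Sliding window per client: request count and summed tokens within WINDOW_S seconds.
    for client, events in per_client.items():
        events.sort()
        start, tokens = 0, 0
        for i, (ts, tok) in enumerate(events):
            tokens += tok
            while events[start][0] < ts - WINDOW_S:  # drop events that fell out of the window
                tokens -= events[start][1]
                start += 1
            if i - start + 1 > MAX_REQ_PER_WINDOW:
                alerts.add(("request_volume_spike", client))
            if tokens > MAX_TOKENS_PER_WINDOW:
                alerts.add(("token_usage_spike", client))
    return sorted(alerts)
```

Thresholds here are deliberately low so the constructed burst trips every rule; in practice they should be set from a baseline of the gateway's normal traffic.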

Sources