Between December 2025 and January 2026, security researchers discovered a disturbing evolution in AI-targeted cyber threats. Honeypots recorded 35,000 attack sessions targeting exposed AI infrastructure, averaging 972 attacks per day.
The campaign, discovered by Pillar Security Research Team, was named Operation Bizarre Bazaar. It is the first public documentation of a systematic campaign targeting exposed LLM and Model Context Protocol (MCP) endpoints at scale, with complete commercial monetization. The research reveals how cybercriminals discover, validate, and monetize unauthorized access to AI infrastructure through a coordinated supply chain.
The campaign involves three interconnected threat actors. A scanner infrastructure systematically searches for exposed AI endpoints. Infrastructure linked to silver.inc then validates the endpoints through API testing. Finally, silver.inc operates as a commercial marketplace that resells access to more than 30 LLM providers at reduced prices without legitimate authorization. The service runs on bulletproof infrastructure in the Netherlands and sells via Discord and Telegram, accepting cryptocurrency and PayPal payments.
From discovery to commercial exploitation
The volume of attacks confirms systematic targeting of exposed AI infrastructure. Common misconfigurations that are actively exploited include: Ollama running on port 11434 without authentication, OpenAI-compatible APIs on port 8000 exposed to the internet, MCP servers accessible without access controls, and production chatbot endpoints without authentication or rate limiting.
The attackers do not guess. They use Shodan and Censys to find endpoints. Once an endpoint appears in scan results, exploitation attempts begin within hours. The OWASP Top 10 for Large Language Models 2025 identifies prompt injection and sensitive information disclosure as primary risks in LLM applications.
The operation was traced to a threat actor under the alias “Hecker,” also known as Sakuya and LiveGamer101. The control panel at admin.silver.inc displays “Hiii I’m Hecker,” there is infrastructure overlap with nexeonai.com, which was previously publicly accused of DDoS attacks against competitors, shared Cloudflare nameservers and DMARC records between silver.inc and nexeonai.com, and bulletproof hosting with thousands of abuse reports.
MCP servers as lateral movement points
In addition to Operation Bizarre Bazaar, Pillar Security has identified a separate campaign targeting Model Context Protocol endpoints. By the end of January, 60 percent of total attack traffic came from MCP-targeted reconnaissance operations, representing a separate threat actor with different objectives.
MCP servers provide LLM access and connect AI to internal infrastructure. Think of file systems for reading source code and placing backdoors, databases for dumping credentials and exfiltrating customer data, and shell access for executing commands on host systems.
A single exposed MCP endpoint can therefore form a bridge to the entire internal infrastructure. The systematic MCP reconnaissance constitutes a separate campaign to prepare for lateral movement, independent of the silver.inc marketplace operation.
Risks extend beyond compute theft
LLMjacking operations pose risks beyond unauthorized API use. Compute theft means that infrastructure generates revenue for criminals. silver.inc sells access at a 40-60 percent discount, while organizations pay full retail prices for unauthorized use.
Data exfiltration via LLM context windows can include sensitive organizational data such as call history, customer information, and source code. Exposed MCP servers become entry points for attackers to use LLM integrations to navigate file systems, query databases, and access cloud APIs.
Tip: Zscaler launches AI Security Suite to secure AI applications