Operation Bizarre Bazaar: The First LLMjacking Marketplace Didn’t Monetize GPUs. It Monetized Access
60% of attacks shifted to MCP reconnaissance. Criminals figured out exposed endpoints are worth more than compute cycles.
By Rav (MrDecentralize) | Business Information Security & Innovation Officer specializing in trust models for AI, crypto, and global finance
10 min read | February 2026
At A Glance
What happened: First attributed LLMjacking campaign with commercial marketplace
What broke: Organizations exposed privileged interpreters thinking they were dev tools
What to check: The playbook under “What to Check in Your Systems”
What Everyone Is Saying
The headlines say compute theft. The security coverage focuses on stolen GPU cycles and dark web marketplaces. The narrative emphasizes 35,000 attack sessions and criminals reselling unauthorized LLM access at 40-60% discounts.
They’re all missing what actually broke.
Between December 2025 and January 2026, Pillar Security documented Operation Bizarre Bazaar, the first systematically attributed LLMjacking campaign targeting exposed LLM and Model Context Protocol (MCP) endpoints. Over 40 days, approximately 35,000 attack sessions hit honeypots, averaging 972 attacks per day. The operation targeted 30+ LLM providers through a three-stage criminal supply chain: scanning for exposed endpoints, validating access, and reselling it through a commercial marketplace called silver[.]inc.
But here’s what the coverage missed: by late January 2026, 60% of observed attack traffic had shifted from compute theft to MCP reconnaissance. Criminals weren’t just stealing inference cycles. They were mapping lateral movement pathways into internal systems.
This isn’t a story about stolen compute. It’s the first documented proof that organizations expose privileged interpreters without understanding the control surface they’ve created. Single exposed MCP endpoints become bridges to file systems, databases, cloud APIs, and Kubernetes clusters. Organizations thought they were running dev tools. They were operating lateral movement infrastructure.
The criminals figured it out first.
What Actually Happened
On an unknown date in late 2025, threat actors operating under the alias “Hecker” (also known as Sakuya / LiveGamer101) began Operation Bizarre Bazaar, a systematic campaign to identify and monetize exposed AI infrastructure. The operation ran for approximately 40 days between December 2025 and January 2026.
The campaign operated as a three-stage criminal supply chain. First, distributed scanning bots crawled the internet and public scan databases like Shodan and Censys for exposed LLM endpoints (Ollama, vLLM, OpenAI-compatible APIs) and MCP servers. Second, validation infrastructure tied to silver[.]inc tested discovered endpoints, checked API keys, enumerated available models, and evaluated response quality. Third, a commercial marketplace called silver[.]inc (marketing itself as a “Unified LLM API Gateway”) resold unauthorized access to 30+ LLM providers at 40-60% discounts via Telegram and Discord, accepting cryptocurrency and PayPal.
Pillar Security’s research recorded approximately 35,000 attack sessions in their honeypots over the 40-day period, with attackers targeting exposed or unauthenticated LLM APIs, publicly reachable MCP servers, and misconfigured development or staging AI environments with default or missing authentication.
The pattern shifted in late January. Initial attacks focused on compute theft, running workloads on victims’ infrastructure while the victim paid the bill. But by the end of the campaign, approximately 60% of observed traffic was MCP-focused reconnaissance. Criminals discovered that a single exposed MCP endpoint could act as a bridge from external access to internal repositories, databases, cloud services, and shell access. The value proposition changed from “steal compute cycles” to “map lateral movement pathways.”
Pillar Security notes this MCP-focused campaign appears to be a separate threat actor from the silver[.]inc operation, suggesting multiple criminal groups now understand the architectural significance of exposed MCP servers. The campaign represents the first systematically documented, attributed LLMjacking operation with commercial marketplace monetization, not just opportunistic abuse.
What Actually Broke
The trust model:
Organizations treat exposed LLM and MCP endpoints as low-risk development infrastructure. They’re inference endpoints for testing AI functionality, or tools that agents use to access internal resources during development. Security teams classify them as “dev tools,” not production attack surfaces.
The design assumption:
AI endpoints are like application APIs: they process requests and return responses. If you’re just running inference queries, the exposure is limited to compute theft. The architectural thinking: “It’s a language model endpoint. What’s the worst that happens? Someone uses our GPU credits.”
The hidden dependency:
MCP servers aren’t just inference endpoints. They’re privileged interpreters with system-level access. A single exposed MCP server can provide an external attacker with bridges to file systems (reading source code, configuration files, credentials), databases (customer data, transaction records), cloud APIs (AWS, Azure, GCP services), and Kubernetes or shell access for lateral movement. The agent treats the MCP server as a trusted tool. The MCP server has privileged access to internal resources. Organizations expose this architecture to the internet without authentication.
The failure mode:
Criminals didn’t exploit vulnerabilities in the LLM code. They didn’t bypass authentication mechanisms. They simply connected to endpoints organizations left exposed, no credentials required. The scanning infrastructure discovered them. The validation infrastructure tested them. The marketplace monetized them. By late January, 60% of attack traffic shifted to MCP reconnaissance because criminals realized exposed MCP endpoints are worth more than compute cycles. They’re lateral movement infrastructure into production systems.
As security researchers documented, organizations exposed AI infrastructure thinking it was low-risk dev tooling. Operation Bizarre Bazaar proved these are privileged access points with lateral movement capability, and criminals have already built commercial supply chains to monetize them.
Why This Matters
For security teams:
You inventory databases, application servers, and API endpoints as production attack surfaces. Most organizations don’t inventory LLM and MCP endpoints the same way. You have processes for authentication, network segmentation, and monitoring on traditional infrastructure. Those same processes often don’t extend to AI endpoints because teams classify them as “dev tools” or “inference services.” Operation Bizarre Bazaar demonstrated that criminals now treat exposed AI infrastructure as high-value targets, specifically because organizations don’t apply production security controls to them.
For AI builders and DevOps teams:
You’re spinning up Ollama instances for testing. Running vLLM servers for inference. Deploying MCP servers so agents can access internal tools. These feel like development utilities, not production systems requiring full security hardening. But a single exposed MCP endpoint with no authentication becomes a bridge between external attackers and your internal file systems, databases, and cloud APIs. The shift from compute theft (40%) to MCP reconnaissance (60%) by late January signals that criminals understand the lateral movement value better than most organizations understand the risk.
For compliance and risk teams:
Your frameworks account for database exposure, API security, and network segmentation. They likely don’t account for AI endpoint exposure because the threat model is new. But compute theft means you’re paying for attacker workloads (potential crypto mining, model training, inference arbitrage). Data exfiltration means prompts, conversation histories, source code, and customer data passed through LLM context can be stolen. Lateral movement via MCP means a “dev tool” becomes the entry point for broader infrastructure compromise. The commercial marketplace proves this isn’t a theoretical risk; it’s actively monetized criminal infrastructure.
What to Check in Your Systems
If you’re deploying LLM endpoints, agent infrastructure, or MCP servers, here’s the playbook:
1. Can you inventory all LLM and MCP endpoints across production, staging, and development environments?
Most organizations can inventory databases and application servers. Fewer can inventory all LLM endpoints (Ollama, vLLM, OpenAI-compatible gateways, self-hosted models) and MCP servers. If you can’t list every AI endpoint, you can’t assess your exposure to the scanning infrastructure Operation Bizarre Bazaar used.
2. Which of those endpoints are internet-accessible without authentication?
The criminal supply chain specifically targeted exposed endpoints with no authentication required. Check: Are your LLM endpoints reachable from the public internet? Do they require authentication, or can anyone connect and submit inference requests? MCP servers often get deployed for agent testing without authentication controls because they’re treated as internal dev tools.
3. What internal resources can your MCP servers access?
MCP servers are bridges. Map what they connect to: File systems (source code repositories, configuration files, credentials), databases (customer data, transaction records), cloud APIs (AWS S3, Azure services, GCP resources), Kubernetes clusters or shell access. A single exposed MCP endpoint with access to these resources becomes lateral movement infrastructure.
4. Would you expose a database port to the internet with no authentication? Then why expose an MCP endpoint?
This reframe clarifies the risk. You wouldn’t put a production database on the public internet without authentication. But MCP servers often get the same level of exposure because teams think of them as “agent tools,” not database-equivalent attack surfaces. The threat model is identical: privileged access to internal resources, exposed to external scanning.
5. Can you detect mass model enumeration and validation patterns from single IP addresses?
The criminal validation infrastructure tests discovered endpoints by enumerating available models, checking API keys, and evaluating response quality. Monitor for: Single IPs querying multiple model endpoints, repeated model listing requests, pattern testing across multiple providers, abnormal token consumption or cost spikes that don’t match legitimate usage.
6. How do you monitor for lateral movement reconnaissance vs. compute theft?
60% of attacks shifted to MCP reconnaissance. Traditional security monitoring focuses on compute theft (sudden GPU usage spikes, cost anomalies). You also need monitoring for: MCP server access patterns, file system enumeration attempts, database query patterns that don’t match normal agent behavior, cloud API calls from unexpected agent contexts.
7. What happens when criminal scanning infrastructure maps your AI endpoints for 40 days?
Operation Bizarre Bazaar ran for approximately 40 days. If you don’t have logging and monitoring on your AI endpoints, you won’t know if you were scanned, validated, or included in a criminal marketplace catalog. Check your logs for the validation patterns Pillar Security documented: model enumeration, API key testing, quality evaluation queries.
If you can’t answer these confidently, your AI infrastructure has the same exposure that fed 35,000 criminal attack sessions into a commercial marketplace over 40 days.
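The log check from items 5 and 7 (repeated model listing, many models and many keys from one source), as an added example that is not from the original article or from Pillar Security's report: it flags source IPs per sliding window in a gateway log. The JSON log schema, the `key` fingerprint field, the window and the thresholds are assumptions, and the sample log is constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

LIST_PATHS = {"/v1/models", "/api/tags"}  # OpenAI-compatible and Ollama model listing
CHAT = "/v1/chat/completions"
WINDOW = timedelta(minutes=10)
LIMITS = {"listings": 3, "models": 4, "keys": 3, "auth_failures": 5}  # assumed; tune to baseline

def sample_log():
    """Constructed JSON-lines log (assumed schema): a validator-like source and a normal client."""
    def row(mmss, ip, path, status, key, model):
        return json.dumps(dict(ts=f"2026-01-20T10:{mmss}", ip=ip, path=path,
                               status=status, key=key, model=model))
    rows = []
    for i, model in enumerate(["llama3", "mistral", "qwen2", "phi3"]):
        rows.append(row(f"0{i}:00", "203.0.113.7", "/v1/models", 200, f"key-{i}", None))
        rows.append(row(f"0{i}:30", "203.0.113.7", CHAT, 401 if i % 2 else 200, f"key-{i}", model))
    rows += [row(f"{m}:00", "198.51.100.20", CHAT, 200, "key-app", "llama3") for m in ("01", "15", "40")]
    return "\n".join(rows)

def summarize(events):
    """Count each validation signal in one source's events for one window."""
    return {
        "listings": sum(e["path"] in LIST_PATHS for e in events),
        "models": len({e["model"] for e in events if e["model"]}),
        "keys": len({e["key"] for e in events if e["key"]}),
        "auth_failures": sum(e["status"] in (401, 403) for e in events),
    }

def detect(log_text):
    """Return {ip: sorted signals that reached LIMITS inside any sliding window}."""
    by_ip = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        by_ip[event["ip"]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        hits, start = set(), 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > WINDOW:
                start += 1  # drop events that fell out of the window
            counts = summarize(events[start:end + 1])
            hits |= {name for name, n in counts.items() if n >= LIMITS[name]}
        if hits:
            flagged[ip] = sorted(hits)
    return flagged
```

Calling `detect(sample_log())` returns the flagged sources with the signals that fired; the same listing volume spread over hours stays below the per-window limits.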
The Pattern
This isn’t unique to Operation Bizarre Bazaar. It’s the same pattern that breaks systems where trust doesn’t live where the architecture diagram says it lives.
I wrote about this gap in “AI Agents Are Privileged Interpreters”: MCP servers are bridges between external access and internal resources. Most security teams treat them as dev tools. Criminals treat them as lateral movement infrastructure. The commercial marketplace just proved it.
The pattern repeats across “decentralized” systems with hidden single points of failure. Organizations think: “It’s just an inference endpoint.” Reality: “It’s a privileged interpreter with system-level access to file systems, databases, and cloud APIs.” The trust model assumes low-risk dev tooling. The architecture creates high-value attack surfaces.
The shift from 40% compute theft to 60% MCP reconnaissance signals that multiple criminal groups now understand this pattern. They’re not just stealing GPU cycles. They’re mapping which exposed MCP endpoints provide the best lateral movement pathways. The scanning infrastructure is already cataloging your AI attack surface. The validation infrastructure is already testing it. The marketplace is already pricing it.
This is the AI equivalent of exposed database ports in the early 2000s. Organizations didn’t think database exposure was high-risk until criminal infrastructure systematized the exploitation. We’re watching the same pattern unfold for AI endpoints, except the timeline is compressed and the monetization infrastructure appeared before most organizations even inventoried their AI attack surface.
Related analysis:
→ AI Agents Are Privileged Interpreters (Spotlight on MCP servers as trust boundaries)
→ Hidden Single Points of Failure in Decentralized Systems (Framework for mapping where trust actually lives)
The Reality Check
30+ LLM providers targeted. Commercial marketplace selling access via Telegram and Discord. 35,000 attack sessions over 40 days. 60% of attacks focused on MCP reconnaissance rather than compute theft by late January.
Organizations exposed their AI infrastructure thinking it was low-risk dev tooling. Operation Bizarre Bazaar proved these are privileged interpreters with lateral movement capability. The criminal supply chain, scanning infrastructure, validation systems, and commercial marketplace all existed before most security teams realized AI endpoints needed the same authentication and network segmentation as production databases.
This is the first attributed LLMjacking campaign with systematic documentation and commercial monetization. It won’t be the last. The scanning infrastructure is already mapping the next wave of exposed endpoints. The validation infrastructure is already testing them. The marketplace is already pricing them.
If you’re deploying LLM endpoints or MCP servers, the question isn’t whether criminal infrastructure will find them. It’s whether you’ll map your AI attack surface before the next commercial marketplace does it for you.
If you’re building AI agent infrastructure, LLM endpoints, or MCP server deployments that need to survive institutional security review, these are the control surfaces to map and harden before scanning infrastructure catalogs them as lateral movement pathways.
About
I map why trust models break at institutional scale. 20+ years securing trillion-dollar banking systems | 6 patents in blockchain and AI.
References and Further Reading
Pillar Security - “Operation Bizarre Bazaar: First Attributed LLMjacking Campaign with Commercial Marketplace Monetization” - https://www.pillar.security/blog/operation-bizarre-bazaar-first-attributed-llmjacking-campaign-with-commercial-marketplace-monetization
Pillar Security Resources - “Operation Bizarre Bazaar Full Report” - https://www.pillar.security/resources/operation-bizarre-bazaar
Bleeping Computer - “Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation” - https://www.bleepingcomputer.com/news/security/hackers-hijack-exposed-llm-endpoints-in-bizarre-bazaar-operation/
The Hacker News - “Researchers Find 175,000 Publicly Exposed AI/ML Infrastructure Servers” - https://thehackernews.com/2026/01/researchers-find-175000-publicly.html
Techzine - “First large-scale LLMjacking generates tens of thousands of attacks” - https://www.techzine.eu/news/security/138324/first-large-scale-llmjacking-generates-tens-of-thousands-of-attacks/
Hackread - “Operation Bizarre Bazaar: LLMjacking Unprotected Models” - https://hackread.com/operation-bizarre-bazaar-llmjacking-unprotected-models/
Telefonica Tech - “Cyber Security Briefing 24-30 January 2026” - https://telefonicatech.com/en/blog/cyber-security-briefing-24-30-january-2026
Pillar Security LinkedIn - Official announcement post - https://www.linkedin.com/posts/pillarsecurity_new-research-operation-bizarre-bazaar-activity-7422269010425081857-GaVa


