top of page
Search

Op Bizarre Bazaar: New LLMjacking Campaign Targets Unprotected Models

  • Jan 30
  • 2 min read

Here is an article with concise key findings in bullet point format, with separate headers for each major point, and background information as the first point after the key findings. The headers are formatted using ## in markdown format, and the bullet points are formatted without any special formatting.


Key Findings


  • A new LLMjacking campaign named "Operation Bizarre Bazaar" was active between December 2025 and January 2026.

  • Around 35,000 attack sessions were recorded during the two-month period, suggesting hackers targeted exposed AI systems roughly 972 times every day.

  • The operation was traced back to an individual using the alias "Hecker," also known as "Sakuya" or "LiveGamer101."

  • This is the first documented case of a professional, commercial setup dedicated to stealing AI access for resale.


Background


As we know, most AI tools like chatbots run on Large Language Models (LLMs), which are incredibly expensive to maintain due to the massive amount of computer power they require. LLMjacking is when a criminal sneaks into these systems to use that power for free, similar to someone secretly tapping into a neighbor's water supply to run a commercial car wash.


Attack Flow


  • Hackers often target AI setups that have been left online without a password, such as companies using the Model Context Protocol (MCP) to link their AI to internal files without proper authentication.

  • Once an open system is found online, the hackers usually strike within hours.

  • Stolen access is then sold on a site called "silver.inc," which acts as a "Unified LLM API Gateway" for hackers, offering access to over 30 different AI providers at 40% to 60% off the official price.


Threat Remains Active


  • The threat remains active, and the attack infrastructure is still online.

  • To stay safe, the report suggests that companies must "enable authentication on all LLM endpoints" and block the 204.76.203.0/24 internet range, which is directly linked to the silver.inc operation.


Sources


  • https://hackread.com/operation-bizarre-bazaar-llmjacking-unprotected-models/

  • https://www.linkedin.com/posts/dlross_op-bizarre-bazaar-new-llmjacking-campaign-activity-7422843520517849088-WMOJ

  • https://x.com/HackRead/status/2016932469514076222

  • https://x.com/Cyber_O51NT/status/2017120503912165792

Recent Posts

See All
Defeating AI with AI

Key Findings Generative AI and agentic AI are increasingly used by threat actors to conduct faster and more targeted attacks. One capability that AI improves for threat actors is the ability to profil

 
 
 

Comments

  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page