Operation Bizarre Bazaar: Criminal Network Hijacks Exposed LLM Endpoints for Profit and Access

A persistent criminal operation has been mapped that systematically identifies and commandeers poorly secured AI endpoints, then monetizes access and leverages compromise to move laterally. The adversary chain combines automated discovery bots, an automated validation layer, and a commercial gateway that brokers access to multiple models, with payments routed through cryptocurrencies and consumer payment services. Targets are primarily self-hosted LLM stacks and management/control plane servers that expose APIs or ports without authentication, including development and staging instances left reachable from the public internet. In many cases, exposed admin interfaces and agentic connectors that bridge local models to messaging platforms are discovery targets; these interfaces can reveal bot tokens, API credentials, OAuth secrets, and full chat transcripts, and in some deployments allow the agent to run commands and access files. The actors exercise the compromised endpoints to run inference workloads—an activity that generates direct financial costs for victims—while also dumping or interrogating responses to extract sensitive information. Pillar’s telemetry shows the validation stage often follows discovery within a matter of hours, indicating an orchestrated pipeline rather than opportunistic scanning. Observed tooling specifically probes for common exposed ports and OpenAI-compatible endpoints, and operators enumerate model capabilities to assess value before listing. Attribution points to an individual and overlapping infrastructure tied to nexeonai.com, although reconnaissance against model control plane servers appears to be conducted by at least one additional actor with a different objective set. Volume metrics—tens of thousands of sessions and nearly a thousand hits per day on average—underscore that this is a sustained, economical campaign built to scale. Beyond immediate billing fraud, the presence of agentic systems and admin consoles among targets amplifies consequences: attackers can pivot from data exfiltration to account impersonation, command execution across integrated services, and rapid extraction of cryptographic keys via prompt-injection or credential exposure. Effective mitigations are straightforward in principle—authentication, least-privilege defaults, rate limits, usage caps, network segmentation, IP filtering, rotating exposed credentials, and external attack-surface monitoring—but require disciplined application across development, staging, and production environments. The operation illustrates how misconfigurations in emerging AI infrastructure create high-value attack surfaces that attract specialized criminal marketplaces. Organizations running self-hosted models, agent frameworks, or private MCPs should treat those endpoints like any other critical API and system: inventory deployments, assume that exposure invites rapid automated exploitation, remove unnecessary shell-level privileges for agents, rotate keys and tokens, and apply hardened defaults. Without prompt remediation and continuous monitoring, the combined financial, operational, and data-exfiltration risks will continue to reward low-effort, high-scale abuse.