Widespread Unprotected Ollama Hosts Create a Global Attack Surface for LLM Abuse

Security researchers from SentinelOne and Censys identified a sprawling, poorly governed layer of public AI compute made up of Ollama instances that frequently lack basic access controls, monitoring, or billing. Over a 293-day observation window the team recorded roughly 7.23 million interactions and cataloged about 175,000 distinct hosts across 130 countries and more than 4,000 autonomous systems, though the bulk of activity clustered on roughly 23,000 higher-utility nodes. Many endpoints accepted unauthenticated requests and ran models without logging or cost controls, enabling outsiders to invoke inference workloads with minimal friction and near-zero marginal expense. More than half of these exposed systems sat on fixed-access telecom networks — consumer ISPs and similar infrastructure — introducing consumer broadband as a readily available hosting substrate. Geographically the distribution was uneven: a plurality of hosts appeared in China, the United States supplied the next-largest share, and U.S. hosts were heavily concentrated in a single state. The investigators found multi-model deployments were common, with Llama-family architectures most frequently observed, and identified at least 201 instances that included prompt templates explicitly designed to bypass model safety constraints. Complementary telemetry from other vendors and incident-response teams revealed that these exposures are not only opportunistically scanned but are sometimes folded into organized criminal pipelines: automated discovery bots are followed by rapid validation probes, operators enumerate model capabilities, and access is brokered through commercial gateways that monetize use — occasionally accepting cryptocurrencies and consumer payment flows. Attackers frequently target exposed admin consoles and agentic connectors that link local models to messaging platforms; such interfaces can leak bot tokens, API keys, OAuth secrets, and chat transcripts, and in some cases allow remote execution or file access. Pillar and other telemetry indicate validation and listing of compromised endpoints can occur within hours of discovery, producing sustained volumes — tens of thousands of sessions and on the order of hundreds to a thousand hits per day in observed campaigns. The combined effect is an emergent, loosely managed public compute substrate that both lowers the cost of running large-scale abuse (spam, automated social engineering, disinformation) and creates attractive high-value targets for adversaries seeking to pivot into data exfiltration, account impersonation, or cryptographic key theft. Defenders are therefore advised to prioritize discovery of the relatively small set of repeatedly observed, high-utility hosts, and to apply straightforward hardening: authentication and least-privilege for APIs and admin consoles, rate limiting and usage caps, network segmentation, IP restrictions, credential rotation, and continuous attack-surface monitoring.