NEWS Involuntary Darknet Sponsor: While You Sleep, Hackers Burn Your Budget on GPT-4 Through Forgotten Proxy Settings

ExcalibuR

How to Avoid Being a "Sugar Daddy" for a Botnet? GreyNoise Explains.

Malicious actors have begun mass-scanning the internet for misconfigured proxy servers that can provide access to commercial services based on large language models (LLMs). This campaign has been active at least since late December and resembles systematic reconnaissance rather than random scanning.

According to threat monitoring platform GreyNoise, attackers have already checked over 73 LLM-related endpoints and generated more than 80,000 sessions. They use "quiet" requests—short greetings, empty strings, or neutral factual questions. This approach allows them to identify which specific model is accessible without triggering security and logging systems.

Over the past four months, a GreyNoise honeypot based on Ollama recorded a total of 91,403 access attempts related to two different campaigns. The first began in October and is still ongoing. Activity peaked during the Christmas holidays, with 1,688 sessions recorded in 48 hours. In this case, attackers exploited SSRF (Server-Side Request Forgery) vulnerabilities, forcing servers to connect to external infrastructure controlled by the attackers.

Researchers note that the attackers used the Ollama model-loading mechanism, supplying malicious registry URLs and integrations with Twilio SMS webhooks via the MediaURL parameter. They utilized ProjectDiscovery OAST infrastructure, which is typically used for legitimate security testing. GreyNoise believes this points to a "gray zone": the activity is likely conducted by researchers or bug bounty participants, but the scale and timing extend beyond a typical audit.

Telemetry shows this campaign originated from 62 IP addresses across 27 countries. Their characteristics resemble VPS servers more than a classic botnet.

The second campaign started on December 28 and was much more aggressive. Over 11 days, it generated 80,469 sessions. Just two IP addresses methodically probed over 73 endpoints, using both OpenAI-compatible APIs and Google Gemini formats. The list of checked models included solutions from nearly all major providers: GPT-4o and its variants, the Claude family, Llama 3, DeepSeek-R1, Gemini, Mistral, Qwen, and Grok.

The infrastructure used for scanning has previously been involved in large-scale vulnerability discovery and exploitation campaigns. This suggests the activity is targeted reconnaissance aimed at mapping available LLM services. Researchers have not detected direct signs of subsequent exploitation, data theft, or model abuse but emphasize that such large-scale scanning is not done "just in case."

GreyNoise notes that tens of thousands of queries represent a resource investment, and such infrastructure mapping is typically collected for future use.

To protect against such activities, experts recommend restricting Ollama model downloads to trusted registries only, enabling outbound traffic filtering, and blocking known OAST domains at the DNS level. To counter endpoint enumeration, they also advise implementing rate limits for requests from suspicious autonomous systems and monitoring JA4 network fingerprints characteristic of automated scanning tools.
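The first recommendation above (trusted registries only, OAST domains blocked) can be sketched as a gate in front of Ollama's pull endpoint. This is an added example, not part of the original post or GreyNoise's tooling; the allowlist, the OAST suffix list and the function names are assumptions.

```python
import json

# Assumptions, not from the article: the allowlist contents, the OAST suffix
# list (public interactsh domains; extend from your own blocklist), and that
# this runs in a proxy in front of Ollama's POST /api/pull.
TRUSTED_REGISTRIES = {"registry.ollama.ai"}  # Ollama's default registry
OAST_SUFFIXES = ("oast.fun", "oast.pro", "oast.live", "oast.site",
                 "oast.online", "oast.me", "interact.sh")

def registry_host(model_ref):
    """Return the registry host a model reference would be pulled from."""
    ref = model_ref.strip().lower()
    if "://" in ref:                      # drop an explicit scheme
        ref = ref.split("://", 1)[1]
    first, slash, _ = ref.partition("/")
    # Fail closed: any leading component that looks like a host is one.
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.split(":")[0]        # strip a port if present
    return "registry.ollama.ai"           # bare "model:tag" or "ns/model"

def check_pull(body):
    """Decide whether a pull request body may be forwarded: (allowed, reason)."""
    try:
        req = json.loads(body)
        ref = req.get("model") or req.get("name")   # "name" is the older field
    except (ValueError, AttributeError):
        return False, "unparseable body"
    if not isinstance(ref, str) or not ref.strip():
        return False, "no model reference"
    host = registry_host(ref)
    if any(host == s or host.endswith("." + s) for s in OAST_SUFFIXES):
        return False, "OAST callback domain: " + host
    if host not in TRUSTED_REGISTRIES:
        return False, "untrusted registry: " + host
    return True, "ok: " + host

# Constructed sample request bodies (not captured traffic).
SAMPLES = [
    b'{"model": "llama3:8b"}',
    b'{"model": "registry.ollama.ai/library/llama3:latest"}',
    b'{"model": "http://c0ffee.oast.fun/library/llama3:latest"}',
    b'{"name": "registry.example.net:5000/team/model"}',
    b'not json',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(check_pull(body), body)
```

The gate only covers the request path; outbound traffic filtering and DNS blocking are still needed for anything that bypasses the proxy.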
 