Operation Bizarre Bazaar: First Attributed LLMjacking Campaign with Commercial Marketplace Monetization www.pillar.security/blog/oper…
Between December 2025 and January 2026, Pillar Security Research team uncovered a disturbing evolution in AI-focused cyber threats. Our honeypots captured 35,000 attack sessions targeting exposed AI infrastructure.
We have named this campaign Operation Bizarre Bazaar. It represents the first public documentation of a systematic campaign targeting exposed LLM and Model Context Protocol (MCP) endpoints at scale, featuring complete commercial monetization. The investigation reveals how cybercriminals discover, validate, and monetize unauthorized access to AI infrastructure through a coordinated supply chain spanning reconnaissance, validation, and commercial resale.
