Large language model (LLM) infrastructure is being actively probed and targeted by threat actors, as demonstrated by honeypot data captured by GreyNoise as recently as early January 2026.More than 91,000 attack sessions were recorded by GreyNoise’s Ollama honeypot infrastructure between October 2025 and January 2026; 80,469 of these sessions took place over the 11-day period between Dec. 28, 2025, and Jan. 8, 2026.This recent mass scanning campaign systematically targeted more than 73-plus LLM model endpoints, including OpenAI-compatible API and Google Gemini formats, GreyNoise said in a blog post Thursday.Models targeted included OpenAI’s GPT family, Anthropic’s Claude, Meta’s Llama, Google’s Gemini, DeepSeek, Mistral, Alibaba’s Qwen and xAI’s Grok.
Related reading:
The activity indicates that threat actors were probing for misconfigured servers leaking access to commercial AI APIs. The attackers tested the endpoints with text queries to see which models would respond, with the most common query being “hi,” at 32,716 occurrences, and the second most common being “How many states are there in the United States?” at 27,778 occurrences.Just two IP addresses were behind all 80,469 sessions — one U.S.-based IP address generated 49,955 sessions and another Netherlands-based address generated 30,514 sessions.These IP addresses were observed in past GreyNoise data conducting CVE exploitation campaigns for more than 200 different vulnerabilities, including React2Shell (CVE-2025-55182) and the TP-Link router flaw CVE-2023-1389.The two addresses racked up a total history of more than 4 million GreyNoise sensor hits combined.GreyNoise said the data indicates the attacker targeting LLM endpoints is a “professional threat actor conducting reconnaissance” who is “building target lists” for future exploitation of exposed AI APIs.
“If you’re running exposed LLM endpoints, you’re likely already on someone’s list,” Bob Rudis, vice president of data science at GreyNoise, wrote in the blog post.In addition to blocking the offending IP addresses, GreyNoise recommended rate-limiting suspicious autonomous system numbers (ASNs) such as those used in the campaign, monitoring for rapid requests to multiple LLM endpoints and watching for specific queries that appeared frequently in the scanning campaign, such as “How many states are there in the United States?” and “How many letter r are in the word strawberry?”
AI/ML, Threat Management, Application security, Cloud Security, Threat Intelligence, API security
Honeypots detect threat actors mass scanning LLM infrastructure

(Credit: Krot_Studio – stock.adobe.com)
An In-Depth Guide to AI
Get essential knowledge and practical strategies to use AI to better your security program.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



