AI/ML, Threat Management, Application security, Cloud Security, Threat Intelligence, API security

Honeypots detect threat actors mass scanning LLM infrastructure

(Credit: Krot_Studio – stock.adobe.com)

Large language model (LLM) infrastructure is being actively probed and targeted by threat actors, as demonstrated by honeypot data captured by GreyNoise as recently as early January 2026.

More than 91,000 attack sessions were recorded by GreyNoise’s Ollama honeypot infrastructure between October 2025 and January 2026; 80,469 of these sessions took place over the 11-day period between Dec. 28, 2025, and Jan. 8, 2026.

This recent mass scanning campaign systematically targeted more than 73-plus LLM model endpoints, including OpenAI-compatible API and Google Gemini formats, GreyNoise said in a blog post Thursday.

Models targeted included OpenAI’s GPT family, Anthropic’s Claude, Meta’s Llama, Google’s Gemini, DeepSeek, Mistral, Alibaba’s Qwen and xAI’s Grok.


Related reading:


The activity indicates that threat actors were probing for misconfigured servers leaking access to commercial AI APIs. The attackers tested the endpoints with text queries to see which models would respond, with the most common query being “hi,” at 32,716 occurrences, and the second most common being “How many states are there in the United States?” at 27,778 occurrences.

Just two IP addresses were behind all 80,469 sessions — one U.S.-based IP address generated 49,955 sessions and another Netherlands-based address generated 30,514 sessions.

These IP addresses were observed in past GreyNoise data conducting CVE exploitation campaigns for more than 200 different vulnerabilities, including React2Shell (CVE-2025-55182) and the TP-Link router flaw CVE-2023-1389.

The two addresses racked up a total history of more than 4 million GreyNoise sensor hits combined.

GreyNoise said the data indicates the attacker targeting LLM endpoints is a “professional threat actor conducting reconnaissance” who is “building target lists” for future exploitation of exposed AI APIs.



“If you’re running exposed LLM endpoints, you’re likely already on someone’s list,” Bob Rudis, vice president of data science at GreyNoise, wrote in the blog post.

In addition to blocking the offending IP addresses, GreyNoise recommended rate-limiting suspicious autonomous system numbers (ASNs) such as those used in the campaign, monitoring for rapid requests to multiple LLM endpoints and watching for specific queries that appeared frequently in the scanning campaign, such as “How many states are there in the United States?” and “How many letter r are in the word strawberry?”

Separate campaign spiked over Christmas

GreyNoise’s blog post also highlighted a separate campaign that ran from October 2025 and January 2026, which spiked over Christmas, generating 1,688 sessions over a 48-hour period.

This campaign abused Ollama’s model pull functionality to exploit server-side request forgery (SSRF) vulnerabilities by injecting malicious registry URLs. The attackers were observed using ProjectDiscovery’s Out-of-band Application Security Testing (OAST) infrastructure to confirm exploitation success.

GreyNoise noted that this campaign coincided with another targeting Twilio SMS webhook integrations, which manipulated MediaUrl parameters to achieve outbound connections to the attacker’s server.

The vast majority of attacks (99%) shared the same JA4H signature despite being spread across 62 different IP addresses spanning 27 countries. This pattern points to the attackers potentially using a virtual private server (VPS) along with a shared automation tool such as ProjectDiscovery’s Nuclei to conduct their activity, Greynoise noted.

The researchers ultimately assessed that this campaign likely originated from security researchers or bug bounty hunters but potentially crossed over into grey-hat activity due to the unusually high volume of attacks over the Christmas holiday.

To defend against such SSRF campaigns targeting Ollama deployments, GreyNoise recommends configuring Ollama so that only models from trusted registries can be pulled, blocking OAST at the domain name system (DNS) layer and monitor for JA4 fingerprints indicating automated tooling such as that used in the observed campaign.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds