Attackers are scanning the internet for badly configured proxy servers that expose access to commercial large language model (LLM) platforms, according to threat intelligence firm GreyNoise. Since late December, one operation alone has fingerprinted more than 73 LLM endpoints and racked up over 80,000 probing sessions. Across four months, GreyNoise's Ollama honeypot logged 91,403 attacks tied to two separate campaigns — one leaning on server-side request forgery, the other a large-scale enumeration sweep to map exposed AI services.
Two campaigns, one goal
GreyNoise attributes the activity to two distinct efforts observed through its Ollama honeypot, which recorded 91,403 attacks over the past four months. Both are ultimately aimed at locating LLM services that a misconfigured proxy leaves reachable, letting an outsider ride someone else's paid API access.
The common tradecraft is stealth. Rather than hammering endpoints with obvious payloads, the operators send low-noise prompts — short greetings, empty inputs, or simple factual questions — to confirm which model sits behind an endpoint without tripping a security alert.
Campaign one: SSRF via Ollama model pulls
The first operation began in October and remains active. GreyNoise recorded a burst of 1,688 sessions over a 48-hour window around Christmas. It abuses server-side request forgery (SSRF) flaws, which coerce a server into making outbound connections to infrastructure the attacker controls.
According to the researchers, the actor leaned on Ollama's model-pull functionality to inject malicious registry URLs and Twilio SMS webhook integrations through the MediaURL parameter, forcing the server to reach out to external endpoints of the attacker's choosing.
Interestingly, GreyNoise assesses that this campaign probably traces back to security researchers or bug bounty hunters rather than outright criminals. The tell is the tooling: the operators used ProjectDiscovery's OAST (Out-of-band Application Security Testing) infrastructure, a staple of legitimate vulnerability assessments.
"OAST callbacks are standard vulnerability research techniques. But the scale and Christmas timing suggest grey-hat operations pushing boundaries." — GreyNoise
Telemetry placed the traffic across 62 IP addresses in 27 countries, with characteristics resembling virtual private servers rather than a botnet.
Campaign two: high-volume LLM enumeration
The second campaign surfaced on December 28 as a high-volume enumeration effort hunting for exposed or misconfigured LLM endpoints. Over 11 days it produced 80,469 sessions, driven by just two IP addresses that methodically probed more than 73 model endpoints. The scanners spoke both OpenAI-compatible and Google Gemini API formats, and the targeted models spanned all the major providers.
To stay under the radar while testing whether an endpoint was live, the actor again relied on benign prompts — greetings, empty requests, and factual questions.
GreyNoise says the scanning infrastructure behind this campaign has previously appeared in widespread exploitation activity, pointing to an organized reconnaissance program cataloging accessible LLM services. The report stops short of claiming any post-discovery exploitation, data theft, or model abuse, but the intent looks clearly malicious.
"Eighty thousand enumeration requests represent investment," the researchers warned, adding that "threat actors don't map infrastructure at this scale without plans to use that map."
Detection and mitigation
GreyNoise recommends layered defenses against both the SSRF abuse and the enumeration sweep:
- Restrict Ollama model pulls to trusted registries only.
- Apply egress filtering so servers cannot make arbitrary outbound connections.
- Block known OAST callback domains at the DNS level to neutralize out-of-band callbacks.
- Rate-limit suspicious ASNs to blunt automated probing.
- Monitor for JA4 network fingerprints associated with automated scanning tools.
Technical background
SSRF flaws like the one abused here occur when a server accepts a user-supplied URL and fetches it without validating the destination. Any feature that pulls remote resources — a "model pull," a webhook, or a media loader — becomes a lever the attacker can pull to reach internal services or attacker-controlled infrastructure. Out-of-band tooling such as OAST confirms the flaw by watching for a callback: the vulnerable server "phones home" to a domain the tester controls, proving the request was forced.
For LLM proxies specifically, the core exposure is authentication placed at the wrong layer. When an internal service holds the paid API key and a front-end proxy is left open, anyone who can reach the proxy inherits that billing relationship. Egress filtering, allowlisting outbound destinations, and requiring authentication on every proxy hop are the durable countermeasures.