A recent investigation by SentinelOne SentinelLABS and Censys uncovered a significant “unmanaged, publicly accessible layer of AI compute infrastructure” created by open-source AI deployments. This infrastructure includes 175,000 unique Ollama hosts spread across 130 countries.
These systems, found in both cloud and residential networks, run without the security and monitoring controls that a hosted platform vendor would normally provide. Over 30% of the exposed hosts are located in China, with other significant footprints in the U.S., Germany, France, South Korea, India, Russia, Singapore, Brazil, and the U.K.
Researchers Gabriel Bernadett-Shapiro and Silas Cutler noted that almost half of the identified hosts possess tool-calling capabilities. This feature allows them to execute code, access APIs, and interact with external systems, highlighting the growing integration of Large Language Models (LLMs) into broader system operations.
Ollama is an open-source framework for downloading, running, and managing LLMs locally on Windows, macOS, and Linux. By default, the service binds to the loopback address 127.0.0[.]1:11434 and is reachable only from the same machine. A single configuration change, such as setting the OLLAMA_HOST environment variable to 0.0.0[.]0 or to a public interface, makes it listen on every interface. Because the API carries no built-in authentication, anyone who can reach that port can list the installed models and run inference against them.
Similar to the recently popular Moltbot (previously Clawdbot), Ollama’s local hosting and operation outside typical enterprise security perimeters introduce new security risks. This situation demands novel strategies for differentiating between managed and unmanaged AI computing resources, according to the researchers.
Over 48% of the identified hosts expose tool-calling capabilities through their API endpoints. When queried, these endpoints return metadata describing each model's supported capabilities. Tool calling, also known as function calling, allows an LLM to interact with external systems, APIs, and databases, either to extend what it can do or to fetch real-time information.
The researchers highlighted that “tool-calling capabilities fundamentally change the threat model.” While a text-generation endpoint might produce harmful content, a tool-enabled endpoint can perform privileged operations. They concluded that the combination of inadequate authentication and network exposure represents the “highest-severity risk in the ecosystem.”
The analysis also found hosts serving modalities beyond plain text generation, such as reasoning and vision models. Notably, 201 of these hosts were serving models with uncensored prompt templates, which remove the refusal behaviour the model would otherwise apply and so bypass its safety guardrails.
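The two checks a defender would actually run against their own deployment are the bind-address check described above (is OLLAMA_HOST pointing at loopback or at every interface?) and the capability inventory the researchers describe (which exposed models advertise tool calling, vision, or a custom system prompt?). The script below is an added example, not code from the SentinelLABS/Censys report or the Ollama project. It assumes, as stated in its docstring, that OLLAMA_HOST controls the listen address, that GET /api/tags lists models, and that POST /api/show returns a "capabilities" list and the prompt "template"/"system" fields; verify those against the Ollama version you run. The sample responses are constructed, not captured from any real host.

```python
"""Exposure audit for an Ollama host: bind-address check plus API capability
inventory. Added example; not from the SentinelLABS/Censys report.

Assumptions (not stated on the page, verify against your Ollama version):
  * OLLAMA_HOST selects the listen address; unset means 127.0.0.1:11434.
  * GET /api/tags returns {"models": [{"name": ...}, ...]}.
  * POST /api/show {"model": name} returns a JSON object carrying a
    "capabilities" list (e.g. "completion", "tools", "vision", "thinking")
    and the prompt "template" / "system" strings.
"""
import ipaddress
import json
import urllib.request
from typing import Optional
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def bind_exposure(ollama_host: Optional[str]) -> str:
    """Classify an OLLAMA_HOST value as 'loopback', 'all-interfaces' or 'specific'."""
    if not ollama_host:
        return "loopback"                 # Ollama's default bind is 127.0.0.1:11434
    value = ollama_host.strip()
    if "://" not in value:
        value = "http://" + value         # urlsplit only finds the host after a scheme
    host = urlsplit(value).hostname or ""
    if host in LOOPBACK_NAMES:
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "specific"                 # hostname or interface name: check it by hand
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:               # 0.0.0.0 or :: listens on every interface
        return "all-interfaces"
    return "specific"


def model_report(show_response: dict) -> dict:
    """Summarise one /api/show response into the flags the report cares about."""
    caps = set(show_response.get("capabilities", []))
    return {
        "tools": "tools" in caps,
        "vision": "vision" in caps,
        "thinking": "thinking" in caps,
        # A custom system prompt is where an "uncensored" template usually lives;
        # flag it for manual review rather than guessing its intent.
        "system_prompt_set": bool(show_response.get("system")),
    }


def assess_host(tags_response: dict, show_responses: dict) -> dict:
    """Combine /api/tags and per-model /api/show data into a severity summary.

    tags_response:  parsed JSON from GET /api/tags
    show_responses: {model name: parsed JSON from POST /api/show}
    """
    models = [m["name"] for m in tags_response.get("models", [])]
    per_model = {name: model_report(show_responses.get(name, {})) for name in models}
    tool_models = [n for n, r in per_model.items() if r["tools"]]
    # Reachable + unauthenticated + tool-capable is the highest-severity
    # combination the researchers describe; any served model is still exposure.
    severity = "high" if tool_models else ("medium" if models else "low")
    return {"models": models, "tool_capable": tool_models,
            "per_model": per_model, "severity": severity}


def fetch_json(url: str, payload: Optional[dict] = None, timeout: float = 5.0) -> dict:
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def audit_live(base_url: str) -> dict:
    """Run the audit against an Ollama API you own, e.g. http://127.0.0.1:11434."""
    base = base_url.rstrip("/")
    tags = fetch_json(f"{base}/api/tags")
    shows = {m["name"]: fetch_json(f"{base}/api/show", {"model": m["name"]})
             for m in tags.get("models", [])}
    return assess_host(tags, shows)


# Constructed sample responses (not captured from any real host).
SAMPLE_TAGS = {"models": [{"name": "llama3.1:8b"}, {"name": "llava:7b"}]}
SAMPLE_SHOWS = {
    "llama3.1:8b": {"capabilities": ["completion", "tools"], "template": "{{ .Prompt }}", "system": ""},
    "llava:7b": {"capabilities": ["completion", "vision"]},
}

if __name__ == "__main__":
    print("OLLAMA_HOST=0.0.0.0:11434 ->", bind_exposure("0.0.0.0:11434"))
    print(json.dumps(assess_host(SAMPLE_TAGS, SAMPLE_SHOWS), indent=2))
```

Run `audit_live("http://127.0.0.1:11434")` only against hosts you administer; a "high" result on a host whose `bind_exposure` is "all-interfaces" and that sits behind no firewall or authenticating proxy is exactly the configuration the researchers are counting.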
The public exposure of these systems makes them vulnerable to LLMjacking. In such attacks, malicious actors exploit a victim’s LLM infrastructure for their own benefit, leaving the victim to bear the costs. Potential abuses include generating spam, running disinformation campaigns, cryptocurrency mining, or reselling access to other criminal organizations.
This risk is not merely hypothetical. A recent report from Pillar Security indicates that threat actors are actively exploiting exposed LLM service endpoints to profit from AI infrastructure access. This activity is part of an LLMjacking campaign named Operation Bizarre Bazaar.
The investigation uncovered a criminal service operating with three main components: systematically scanning the internet for unauthenticated Ollama instances, vLLM servers, and OpenAI-compatible APIs; validating these endpoints based on response quality; and then selling access at reduced prices via silver[.]inc, a platform functioning as a Unified LLM API Gateway.
Researchers Eilon Cohen and Ariel Fogel stated that this “end-to-end operation – from reconnaissance to commercial resale – represents the first documented LLMjacking marketplace with complete attribution.” The threat actor identified behind this operation is known as Hecker (also referred to as Sakuya and LiveGamer101).
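The scan, validate, resell sequence described above leaves a recognisable trace on the victim: a source address outside the network fingerprints the host (model listing or version endpoints) and then immediately drives inference. The detector below is an added example, not code from the Pillar Security report. It assumes Ollama's Gin-style request log format shown in its docstring (check it against your own server output), defines its own list of internal networks so that RFC 5737 documentation addresses can stand in for public ones in the constructed sample, and reads log lines from a string rather than a file.

```python
"""Flag scan-then-use activity against an Ollama API in its server log.
Added example; not from the Pillar Security report.

Assumed log format (verify against your own logs): Ollama's HTTP layer
prints Gin-style request lines such as
  [GIN] 2026/02/10 - 09:12:01 | 200 | 1.2ms | 10.0.0.8 | GET "/api/tags"
The sample below is constructed; 203.0.113.x and 198.51.100.x are RFC 5737
documentation ranges standing in for public addresses.
"""
import ipaddress
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r'\[GIN\]\s+(?P<ts>\S+ - \S+)\s+\|\s+(?P<status>\d{3})\s+\|\s+(?P<latency>\S+)'
    r'\s+\|\s+(?P<ip>\S+)\s+\|\s+(?P<method>[A-Z]+)\s+"(?P<path>[^"]+)"'
)

# Treated as "inside": RFC 1918, loopback, link-local and IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]

# Endpoints a scanner hits to fingerprint a host, versus endpoints that
# actually spend the victim's compute.
RECON_PATHS = {"/", "/api/tags", "/api/ps", "/api/version", "/v1/models"}
INFERENCE_PATHS = {"/api/generate", "/api/chat", "/api/embed", "/api/embeddings",
                   "/v1/chat/completions", "/v1/completions"}


def parse_line(line):
    """Return a dict for a request line, or None for lines in another format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines):
    """Return {client_ip: summary}; lines are processed in the order given."""
    per_ip = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip.setdefault(rec["ip"], {
            "internal": is_internal(rec["ip"]), "requests": 0,
            "recon": False, "inference": False, "recon_first": False})
        s["requests"] += 1
        path = rec["path"].split("?", 1)[0]
        if path in RECON_PATHS:
            s["recon"] = True
            if not s["inference"]:          # fingerprinting before any inference
                s["recon_first"] = True
        elif path in INFERENCE_PATHS and rec["status"] < 400:
            s["inference"] = True           # only successful inference counts
    for s in per_ip.values():
        if s["internal"]:
            s["verdict"] = "internal"
        elif s["inference"] and s["recon_first"]:
            s["verdict"] = "scan-then-use"  # the reconnaissance-to-resale pattern
        elif s["inference"]:
            s["verdict"] = "use"
        elif s["recon"]:
            s["verdict"] = "scan"
        else:
            s["verdict"] = "other"
    return per_ip


def external_abusers(report):
    """External sources that drove inference: candidates for LLMjacking."""
    return [ip for ip, s in report.items() if s["verdict"] in ("scan-then-use", "use")]


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
[GIN] 2026/02/10 - 09:12:01 | 200 |     1.2ms |      10.0.0.8 | GET      "/api/tags"
[GIN] 2026/02/10 - 09:12:05 | 200 |   812.4ms |      10.0.0.8 | POST     "/api/chat"
[GIN] 2026/02/10 - 09:13:44 | 200 |     0.9ms |  203.0.113.77 | GET      "/api/tags"
[GIN] 2026/02/10 - 09:13:45 | 200 |  1432.0ms |  203.0.113.77 | POST     "/api/generate"
[GIN] 2026/02/10 - 09:13:52 | 200 |  1510.3ms |  203.0.113.77 | POST     "/api/generate"
[GIN] 2026/02/10 - 09:20:10 | 200 |     0.7ms |  198.51.100.9 | GET      "/api/tags"
[GIN] 2026/02/10 - 09:20:11 | 200 |     0.3ms |  198.51.100.9 | GET      "/v1/models"
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ip, s in report.items():
        print(f"{ip:>15}  requests={s['requests']}  verdict={s['verdict']}")
    print("external abusers:", external_abusers(report))
```

Any non-internal source with a "scan-then-use" or "use" verdict on a host that was never meant to be public is an incident, not a metric: the fix is to pull the bind back to loopback or put an authenticating proxy in front, then rotate whatever the host could reach through tool calls.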
The decentralized nature of the exposed Ollama ecosystem, spanning both cloud and residential environments, introduces significant governance challenges. It also opens new possibilities for prompt injections and the proxying of malicious traffic through compromised victim infrastructure.
The companies emphasized that “the residential nature of much of the infrastructure complicates traditional governance and requires new approaches that distinguish between managed cloud deployments and distributed edge infrastructure.” They advised defenders to recognize that LLMs are increasingly being deployed at the edge to convert instructions into actions. Therefore, these systems must be secured with the same authentication, monitoring, and network controls applied to any other externally accessible infrastructure.