Between December 2025 and January 2026, researchers uncovered a large-scale, systematic campaign targeting exposed large language model (LLM) and Model Context Protocol (MCP) infrastructure. Dubbed Operation Bizarre Bazaar, the activity represents the first publicly documented end-to-end LLMjacking operation with full commercial monetization. The attackers scanned the internet for misconfigured or unauthenticated AI endpoints—such as self-hosted LLM servers and MCP integrations—validated access, and then resold unauthorized LLM usage through a centralized marketplace. The campaign generated tens of thousands of attack sessions, demonstrating sustained, industrialized exploitation rather than opportunistic abuse.
The operation functioned as a supply chain with distinct roles: automated scanning to identify exposed AI services, follow-on validation to test model access and capabilities, and a resale layer offering discounted access to multiple LLM providers. Beyond compute theft, the activity posed broader risks, including data exposure from LLM context windows and potential lateral movement via MCP servers that bridge AI systems to file systems, databases, and internal APIs. In parallel, a separate reconnaissance campaign focused specifically on MCP endpoints highlighted growing attacker interest in using AI integrations as pivot points into wider cloud and enterprise environments.