175,000 Open AI Servers Found Online With No Security

Exposed Ollama instances support tool-calling and code execution while criminals already sell hijacked access through Operation Bizarre Bazaar

Over 30% of exposed Ollama servers are in China with nearly half supporting code execution capabilities

SentinelOne SentinelLABS and Censys discovered 175,000 publicly accessible Ollama AI servers operating without authentication across 130 countries. The servers form a massive unmanaged layer of AI infrastructure running outside corporate security controls.

The systems run on both cloud providers and home networks globally, lacking the default protections and monitoring built into commercial AI platforms. China hosts over 30% of the exposed servers. The United States, Germany, France, South Korea, India, Russia, Singapore, Brazil, and the United Kingdom account for most of the remaining infrastructure.

Researchers Gabriel Bernadett-Shapiro and Silas Cutler found that nearly half the servers support tool-calling features, meaning they can execute code, connect to APIs, and interact with external systems. This shows LLMs are being integrated into broader automated processes rather than just generating text.

Ollama is open-source software that lets users run large language models on their own computers instead of using cloud services. The software defaults to listening only on the local machine at address 127.0.0.1:11434, but anyone can expose it to the internet by changing one setting to bind it to 0.0.0.0 or a public network interface.

Because Ollama runs on individual machines outside corporate networks, it creates the same security problems as Moltbot, previously called Clawdbot. IT departments have no visibility into these systems, making it impossible to apply standard security policies or track what AI capabilities exist in their environment.

Over 48% of the exposed servers advertise tool-calling support through their API endpoints. When security researchers query these endpoints, the servers reveal what functions they can perform. Tool-calling allows AI models to reach beyond text generation and actually interact with databases, APIs, and external systems to take actions or pull live information.

The researchers explained that tool-calling changes the entire threat picture. A server that only generates text can produce dangerous content, but a server with tool access can execute commands with system privileges. Combining this with no authentication and internet exposure creates the most severe risk in the entire ecosystem.

The investigation found servers with capabilities beyond text generation, including advanced reasoning and image analysis. 201 servers run with uncensored configurations that strip out safety restrictions entirely.

Attackers can exploit these open servers through LLMjacking, using someone else's AI infrastructure for their own purposes while the owner pays the computing costs. Criminals can use hijacked AI servers to generate bulk spam, create disinformation at scale, mine cryptocurrency, or sell the access to other attackers.

This threat is already active. Pillar Security published research this week documenting Operation Bizarre Bazaar, an ongoing LLMjacking campaign targeting unprotected AI endpoints for profit.

Operation Bizarre Bazaar works in three stages. First, attackers scan the entire internet for Ollama servers, vLLM instances, and OpenAI-compatible APIs with no authentication. Second, they test each server to verify it produces quality responses. Third, they sell access to the hijacked infrastructure at below-market rates through silver.inc, a platform operating as a unified gateway for accessing multiple LLM providers.

Researchers Eilon Cohen and Ariel Fogel called this the first fully documented LLMjacking marketplace where the entire operation has been traced back to specific criminals. They identified the operation's leader as a threat actor using the names Hecker, Sakuya, and LiveGamer101.

The distributed nature of Ollama servers creates major governance problems. The infrastructure spans commercial cloud platforms and residential internet connections worldwide, making traditional corporate security controls ineffective. Exposed servers also enable prompt injection attacks and let criminals route malicious traffic through victim systems to hide their tracks.

The residential component of this infrastructure makes standard governance approaches obsolete. Security teams need new methods to separate managed cloud deployments from scattered edge installations. LLMs are increasingly deployed at the network edge where they convert natural language instructions into executable actions. These systems need the same authentication requirements, activity monitoring, and network isolation as any other internet-facing service.

FAQ

What is Ollama?

Ollama is open-source software that lets users run large language models locally on Windows, macOS, and Linux. It defaults to localhost at 127.0.0.1:11434 but can be exposed to the internet by binding to 0.0.0.0 or a public interface.

How many exposed Ollama servers were found?

SentinelOne and Censys found 175,000 publicly accessible Ollama servers across 130 countries. Over 30% are in China. Nearly half support tool-calling capabilities that can execute code and interact with external systems.

What is LLMjacking?

LLMjacking is when attackers abuse someone else's LLM infrastructure while the victim pays the computing costs. Criminals use hijacked AI servers to generate spam, create disinformation, mine cryptocurrency, or resell access to other attackers.

What is Operation Bizarre Bazaar?

Operation Bizarre Bazaar is an active LLMjacking campaign documented by Pillar Security. Attackers scan for unprotected AI endpoints, validate response quality, then sell hijacked access at discounted rates through silver.inc. The operation is run by a threat actor named Hecker.

Why are exposed Ollama servers dangerous?

Servers with tool-calling can execute privileged operations, not just generate text. Combined with no authentication and internet exposure, they can be exploited for prompt injections, malicious traffic proxying, and command execution with system privileges.