Surge in Attacks Exploiting AI Systems Detected

Hackers exploiting AI deployments in active attacks

Between October 2025 and January 2026, security researchers discovered over 91,000 attack sessions that targeted AI infrastructure, revealing organized attacks against major language model deployments.

During this time, 91,403 attack sessions were recorded by GreyNoise’s Ollama honeypot infrastructure, exposing two different threat campaigns. The results support and expand on earlier Defused research on AI system targeting.

The first campaign exploited server-side request forgery (SSRF) vulnerabilities to force servers to make outbound connections to attacker-controlled infrastructure.

Attackers used manipulation of the Twilio SMS webhook MediaUrl parameter and malicious registry URL injection to target Ollama’s model pull feature.

The campaign, which ran from October 2025 to January 2026, spiked sharply over Christmas, with 1,688 sessions in only 48 hours.

Attackers confirmed successful exploitation through callback validation using ProjectDiscovery’s OAST infrastructure.

Fingerprinting found a single JA4H signature in 99% of attacks, suggesting shared automation tooling, probably based on Nuclei.

Although 62 source IPs distributed across 27 countries were observed, the consistent fingerprints indicate VPS-based infrastructure rather than a botnet.

Although the scope and timing raise ethical questions, GreyNoise assesses this as likely a grey-hat operation by bug bounty hunters.

In the second campaign, two IPs began methodically probing 73+ LLM model endpoints on December 28, 2025, generating 80,469 sessions in eleven days.

The goal of this systematic probing was to find misconfigured proxy servers that could provide access to business APIs.

Every significant model family, including OpenAI GPT-4o, Anthropic Claude, Meta Llama 3.x, DeepSeek-R1, Google Gemini, Mistral, Alibaba Qwen, and xAI Grok, was tested in the attacks.

The infrastructure points to professional threat actors: 49,955 sessions came from 45.88.186.70 (AS210558, 1337 Services GmbH) and 30,514 sessions from 204.76.203.125 (AS51396, Pfcloud UG).

With more than 4 million sensor hits spanning more than 200 vulnerabilities, including CVE-2025-55182 and CVE-2023-1389, both IPs have a long history of exploiting CVEs.
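
For defenders, the second campaign's pattern (one source cycling through many model names across vendor families in a short time) can be looked for in LLM proxy logs. The sketch below is an added example, not code from GreyNoise or the original article; the JSON log fields (`ts`, `src`, `model`), the thresholds, the family prefix map and the sample lines are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed prefix -> vendor family map (illustrative, not exhaustive).
FAMILIES = {"gpt": "openai", "claude": "anthropic", "llama": "meta", "deepseek": "deepseek",
            "gemini": "google", "mistral": "mistral", "qwen": "alibaba", "grok": "xai"}

def family_of(model):
    name = model.lower().split("/")[-1]  # drop any namespace prefix
    for prefix, fam in FAMILIES.items():
        if name.startswith(prefix):
            return fam
    return "other"

def find_enumerators(log_lines, window=timedelta(minutes=10), min_models=5, min_families=3):
    """Return {src_ip: (distinct_models, distinct_families)} for sources that request
    many different models across vendor families inside one sliding window."""
    by_src = defaultdict(list)
    for line in log_lines:
        try:
            rec = json.loads(line)
            by_src[rec["src"]].append((datetime.fromisoformat(rec["ts"]), str(rec["model"])))
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete lines
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            models = {m for _, m in events[start:end + 1]}
            fams = {family_of(m) for m in models} - {"other"}
            if len(models) >= min_models and len(fams) >= min_families:
                flagged[src] = max(flagged.get(src, (0, 0)), (len(models), len(fams)))
    return flagged

def sample_log():
    """Constructed log lines: one enumerating source, one ordinary single-model client."""
    base = datetime(2025, 12, 28, 9, 0, 0)
    probe = ["gpt-4o", "claude-3-5-sonnet", "llama3.1", "deepseek-r1",
             "gemini-pro", "mistral", "qwen2.5", "grok-2"]
    lines = [json.dumps({"ts": (base + timedelta(seconds=5 * i)).isoformat(), "src": "198.51.100.7", "model": m}) for i, m in enumerate(probe)]
    lines += [json.dumps({"ts": (base + timedelta(minutes=i)).isoformat(), "src": "203.0.113.20", "model": "llama3.1"}) for i in range(20)]
    return lines + ["not json"]

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

A client that repeatedly calls one model is never flagged, however many requests it makes; tune the window and thresholds to the traffic a given proxy normally sees.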