
Operation Bizarre Bazaar: Commercialized LLMjacking (Campaign)

ID: 058ddc01-51ca-5a36-b8b7-d5d2131d1498

STIX ID: report--058ddc01-51ca-5a36-b8b7-d5d2131d1498

Feed Name: Wiz Cloud Threat Landscape

Threat Score: 75/100

Date Published: 2026-01-28

Date Updated: 2026-05-01

Author: [email protected] (Wiz Threat Research)


Operation Bizarre Bazaar was a large-scale, commercialized LLMjacking campaign (Dec 2025–Jan 2026) in which attackers scanned the internet for misconfigured or unauthenticated LLM and MCP endpoints, validated model access, and resold unauthorized usage via a centralized marketplace. The activity generated tens of thousands of sessions and posed risks beyond compute theft, including exposure of sensitive data in model context windows and potential lateral movement through MCP integrations to internal systems.
