- GreyNoise recorded 91,000 attack sessions against exposed AI systems between October 2025 and January 2026.
- The campaigns included tricking servers into “calling home” and conducting mass polls to map AI models.
- Malicious actors attacked misconfigured proxy servers and tested OpenAI, Gemini, and other LLM APIs at scale.
Experts have warned that hackers are targeting misconfigured proxy servers to see if they can get into the underlying Large Language Model (LLM) service.
GreyNoise researchers recently installed a fake and exposed AI system to see who would try to interact with it.
Between October 2025 and January 2026, they recorded more than 91,000 attack sessions that exposed two attack campaigns.
A systematic approach
In the first campaign, they saw a threat actor attempting to trick AI servers into connecting to a server under their control. They tried to abuse features like model downloads or webhooks, forcing the server to “call home” without the owner knowing. Attackers would then look at the callbacks to confirm whether the underlying system is vulnerable.
In the second campaign, GreyNoise saw two IP addresses attacking exposed AI endpoints tens of thousands of times. The goal was not to jump right in, but to map which AI models were accessible and what their configurations were. They sent very simple questions like “How many states are there in the US?” to determine which AI model is being used, without triggering any alarms?
They systematically tested OpenAI-style APIs, Google Gemini formats, and dozens of major model families, looking for proxies or gateways that accidentally expose internal or paid AI access.
GreyNoise also wanted to make sure this wasn’t the work of an amateur or cybersecurity researcher. The fact that the infrastructure used in the second campaign has a long history of real-world vulnerability exploitation, and that the campaign peaked during the Christmas holidays, confirmed that it was, in fact, the work of a malicious actor.
“OAST callbacks are standard vulnerability investigation techniques. But the scale and timing suggest that gray hat operations push the boundaries,” GreyNoise confirmed.
Additionally, researchers said the same servers were seen before scanning for hundreds of CVEs.
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
