More than 90,000 LLMjacking attempts were logged between late 2025 and early 2026. Criminal AI toolkits have removed safety guardrails from large language models and made sophisticated attacks accessible at industrial scale. Your AI infrastructure is now an attack surface.
The AI revolution in enterprise technology has a shadow side that most organisations are not yet defending against. While security teams focus on AI-powered phishing and deepfake fraud, a different category of threat has matured quietly: attacks against AI infrastructure itself.
LLMjacking is the act of hijacking an organisation’s AI infrastructure to run inference workloads at the victim’s expense. It is the AI-era analogue of cryptojacking: instead of stealing CPU cycles to mine coins, the attacker spends the victim’s metered model access (paid API quota or GPU-backed inference capacity) on their own jobs, or resells it. Meanwhile, a parallel criminal AI ecosystem has emerged, purpose-built to remove the safety controls of mainstream AI models and make sophisticated cyberattacks, fraud, and social engineering accessible to anyone willing to pay a subscription fee.
This post examines both threats, the data behind their scale, and what security teams need to do before their AI investment becomes someone else’s attack platform.
What Is LLMjacking?
LLMjacking is the unauthorised use of an organisation’s AI model infrastructure, typically cloud-hosted LLM endpoints, to run inference tasks for the attacker’s benefit. The attacker does not steal data in the traditional sense. Instead, they consume the organisation’s compute resources, generating costs that can reach tens of thousands of dollars per day at scale.
The attack vector is straightforward: leaked or over-privileged API keys (committed to repositories, baked into client-side code, or shared across teams), inference endpoints exposed without authentication, and open reverse proxies that forward any request to a provider’s API using the proxy owner’s own credentials. Automated scanners probe for these exposures continuously, and a working key or proxy is typically tested with a cheap inference call within minutes of being found. More than 90,000 LLMjacking attempts were logged between late 2025 and early 2026, driven largely by misconfigured open proxies that provide access to LLM service APIs.
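The open-proxy failure above has a simple defensive counterpart: the proxy must authenticate each client with its own revocable key, pin that key to source ranges, and cap what the key can spend. The following is an added example written for this post (not Peris.ai code or any vendor’s proxy) showing those three checks as a single authorization gate; key names, CIDR ranges and budgets are constructed, and a real proxy would estimate `requested_tokens` from the prompt length plus `max_tokens` rather than trusting the caller.

```python
"""Authorization gate for a self-hosted LLM proxy.

Added example, not Peris.ai code. An "open proxy" forwards every request to
the upstream model API with the proxy's own upstream key, so anyone who finds
it gets free inference. The gate below models the checks that close that
hole: a per-client key that can be revoked, a per-key source-IP allowlist,
and a per-key daily token budget that caps the damage a leaked key can do.
Key names, ranges and budgets are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ClientKey:
    owner: str
    allowed_cidrs: List[str]
    daily_token_budget: int
    revoked: bool = False
    tokens_used_today: int = 0


@dataclass
class Decision:
    allowed: bool
    reason: str


class ProxyGate:
    def __init__(self, keys: Dict[str, ClientKey]):
        self._keys = keys

    def authorize(self, bearer: Optional[str], client_ip: str, requested_tokens: int) -> Decision:
        # 1. No key or unknown key: the open-proxy failure, rejected outright.
        key = self._keys.get(bearer) if bearer else None
        if key is None:
            return Decision(False, "missing or unknown key")
        if key.revoked:
            return Decision(False, f"key revoked ({key.owner})")
        # 2. Source restriction: a key that leaks is useless outside the owner's ranges.
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return Decision(False, f"malformed client address {client_ip!r}")
        if not any(ip in ipaddress.ip_network(cidr) for cidr in key.allowed_cidrs):
            return Decision(False, f"{client_ip} not in allowlist for {key.owner}")
        # 3. Budget: bounds abuse even from inside the allowlist. A real proxy would
        #    estimate requested_tokens from the prompt plus max_tokens (assumption here).
        if key.tokens_used_today + requested_tokens > key.daily_token_budget:
            return Decision(False, f"daily token budget exhausted for {key.owner}")
        key.tokens_used_today += requested_tokens
        return Decision(True, "ok")

    def revoke(self, bearer: str) -> None:
        """Containment step: kill a key without restarting the proxy."""
        self._keys[bearer].revoked = True


def build_demo_gate() -> ProxyGate:
    """Constructed key store: one finance workload, one support bot (IPv4 and IPv6 ranges)."""
    return ProxyGate({
        "pk_finance_01": ClientKey("finance-forecast", ["10.20.0.0/16"], 100_000),
        "pk_support_01": ClientKey("support-bot", ["10.30.1.0/24", "2001:db8::/32"], 2_000_000),
    })


if __name__ == "__main__":
    gate = build_demo_gate()
    print(gate.authorize("pk_finance_01", "10.20.4.7", 5_000))   # allowed
    print(gate.authorize(None, "203.0.113.9", 10))               # open-proxy probe, denied
    print(gate.authorize("pk_finance_01", "203.0.113.9", 10))    # leaked key used from outside, denied
    gate.revoke("pk_finance_01")
    print(gate.authorize("pk_finance_01", "10.20.4.7", 10))      # revoked, denied
```

The order of the checks matters: the key lookup and revocation flag come first so that a revoked or unknown key never consumes budget, and the budget check is last because it is the only one that mutates state. Per-key budgets also turn a LLMjacking incident from an open-ended bill into a bounded one.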
The Criminal AI Toolkit Ecosystem
Parallel to LLMjacking, a mature criminal AI ecosystem has developed specifically to remove the ethical and safety guardrails that mainstream AI providers have built into their models. These purpose-built criminal LLMs serve the same function as legitimate AI models, but without restrictions on harmful content:
- WormGPT: generates convincing phishing emails, social engineering scripts, and malware code without the refusals that ChatGPT or Claude would produce
- WolfGPT: focused on financial fraud and business email compromise script generation
- EscapeGPT: specialises in jailbreaking and circumventing AI safety mechanisms
- FraudGPT: used for generating fake invoices, fraudulent financial documents, and identity theft scripts
- GhostGPT: targeted at creating evasive malware and exploit code
These tools are not hypothetical. They are available on underground markets with subscription pricing ranging from $100 to $1,500 per month, making sophisticated attack capabilities accessible to threat actors with minimal technical background.
The CrowdStrike 2026 Global Threat Report documented an 89% increase in AI-enabled adversary activity in 2025 compared to the prior year. The four major nation-state actors it tracks (China, Russia, Iran, and North Korea) had all operationalised large language models in their attack chains by late 2025.
CVE-2025-53773: When AI Development Tools Become Attack Surfaces
The security risk of AI infrastructure extends beyond criminal toolkits. CVE-2025-53773 is a prompt injection vulnerability in GitHub Copilot’s agent mode (Microsoft’s advisory title is “GitHub Copilot and Visual Studio Remote Code Execution Vulnerability”; Microsoft rated it CVSS 7.8). Hidden instructions in content the agent reads, such as a source file, a code comment, or pull request text, could steer Copilot into editing the workspace’s .vscode/settings.json to switch on automatic approval of its own tool calls, after which it could run arbitrary commands on the developer’s workstation without a confirmation prompt.
This vulnerability illustrates a category of risk that security teams are not yet systematically addressing: the AI tools embedded in the development workflow are themselves attack surfaces. Every AI-assisted code review, every AI-generated pull request summary, and every AI-powered development tool introduces a new vector for prompt injection, model manipulation, and supply chain compromise.
What Happens When AI Security Is Overlooked?
Organisations that deploy AI infrastructure without corresponding security controls face multiple compounding risks:
- Financial: LLMjacking can generate unexpected cloud bills of $10,000 to $50,000 or more per day when attackers run compute-intensive inference tasks at scale
- Operational: Consumed API quotas disable legitimate AI-powered workflows
- Data exposure: Attackers with access to AI inference endpoints may be able to extract system prompts, retrieved documents, or cached conversation context through prompt injection, and can probe a fine-tuned model for memorised training data
- Competitive: Proprietary models trained on internal data may be accessible to attackers via compromised API endpoints
- Reputational: AI infrastructure used to generate attacker content may create attribution and liability issues
AI Security: Traditional Posture vs. AI-Aware Defence
| Risk Category | Without AI Security | With Peris.ai AI Security |
|---|---|---|
| LLMjacking detection | Discovered via unexpected invoice | BrahmaFusion detects anomalous AI API usage patterns |
| Criminal AI toolkit awareness | Unknown until breach | INDRA CTI tracks criminal AI infrastructure and TTPs |
| AI development tool vulnerabilities | Unmonitored in CI/CD pipeline | BimaRed SAST scans AI/ML pipeline code for injection vulnerabilities |
| Prompt injection in production | No detection capability | XDR monitors AI service interactions for anomalous patterns |
| Post-compromise response | Manual investigation | Peris.ai IRP case management with AI-specific playbooks |
How Peris.ai Secures AI Infrastructure
INDRA CTI tracks the criminal AI toolkit ecosystem continuously. WormGPT, FraudGPT, GhostGPT, and their successors are monitored through their infrastructure, distribution channels, and capability updates. When a new criminal AI toolkit is identified that targets a specific sector or is observed being used in campaigns against organisations similar to yours, INDRA CTI delivers that intelligence to your security team as actionable context rather than a news item.
BimaRed applies SAST to your AI and ML pipeline code. A prompt injection itself is runtime behaviour of the model, not a line of your code, so static analysis will not find a flaw like CVE-2025-53773 inside a vendor’s tool; that one is closed by patching. What SAST can find is the code that turns an injection into a compromise: model output passed to eval, exec, or a shell, tool calls that execute without an allowlist or approval step, unsanitised user input spliced into system prompts, and dependencies with known AI-related vulnerabilities. BimaRed scans AI pipeline code for these patterns.
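To make the “code-level pattern” concrete, here is an added example (written for this post, not BimaRed or any vendor’s rule set) of the kind of taint rule a SAST engine applies to AI pipeline code: it walks a Python file’s AST, marks the result of a model call as tainted, propagates that taint through assignments, and reports when tainted text reaches a code or command sink. The two sample programs are constructed; the model-call suffixes and sink list are assumptions that would be tuned to the SDKs a codebase actually uses.

```python
"""Static check for model output reaching a code or command sink.

Added example, not BimaRed. It implements a small taint rule of the kind a
SAST engine applies to AI pipeline code: text returned by a model call that
flows, through simple assignments, into eval/exec/os.system/subprocess is
reported. An allowlist lookup (table[model_choice]) is treated as a
sanitizer: the result comes from the table, not the model. Model-call
suffixes and the sink list are assumptions; sample programs are constructed.
"""
import ast

# Call suffixes that return model-generated text (OpenAI, Bedrock, Gemini, Anthropic SDK shapes).
MODEL_CALL_SUFFIXES = ("completions.create", "invoke_model", "generate_content", "messages.create")
SINKS = {"eval", "exec", "os.system", "subprocess.run", "subprocess.call",
         "subprocess.Popen", "subprocess.check_output"}


def dotted_name(node):
    """'a.b.c' for Name/Attribute chains, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintScanner(ast.NodeVisitor):
    """File-level taint tracking: coarse (no scoping), but enough to catch the pattern."""

    def __init__(self):
        self.tainted = set()
        self.findings = []

    def is_tainted(self, node):
        if isinstance(node, ast.Call) and (dotted_name(node.func) or "").endswith(MODEL_CALL_SUFFIXES):
            return True                        # source: the model response object
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Subscript):    # table[tainted_key]: result comes from the table
            return self.is_tainted(node.value)
        return any(self.is_tainted(child) for child in ast.iter_child_nodes(node))

    def visit_Assign(self, node):
        if self.is_tainted(node.value):
            for target in node.targets:
                self.tainted.update(n.id for n in ast.walk(target) if isinstance(n, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted_name(node.func)
        args = list(node.args) + [kw.value for kw in node.keywords]
        if name in SINKS and any(self.is_tainted(a) for a in args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)


def scan(source: str):
    """Return [(line, sink)] for every sink call fed by model output."""
    scanner = TaintScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


VULNERABLE = '''
import subprocess
from openai import OpenAI

client = OpenAI()

def run_task(user_request):
    resp = client.chat.completions.create(
        model="gpt-4o",
        messages=[{"role": "user", "content": user_request}],
    )
    cmd = resp.choices[0].message.content
    return subprocess.run(cmd, shell=True, capture_output=True)   # model text becomes a shell command
'''

HARDENED = '''
import subprocess
from openai import OpenAI

client = OpenAI()
ALLOWED = {"list_files": ["ls", "-l"], "disk_usage": ["df", "-h"]}

def run_task(user_request):
    resp = client.chat.completions.create(
        model="gpt-4o",
        messages=[{"role": "user", "content": user_request}],
    )
    choice = resp.choices[0].message.content.strip()
    if choice not in ALLOWED:                      # the model picks a tool name, never an argv
        raise ValueError("model selected an unknown tool")
    return subprocess.run(ALLOWED[choice], capture_output=True)
'''

if __name__ == "__main__":
    print("vulnerable:", scan(VULNERABLE))   # [(13, 'subprocess.run')]
    print("hardened:  ", scan(HARDENED))     # []
```

The hardened variant is the shape an agent tool-dispatcher should take regardless of scanner: the model chooses among named tools, the code owns the argument vectors, and `shell=True` never sees model text. The scanner’s Subscript rule encodes exactly that distinction, which is why the allowlisted version produces no finding.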
BrahmaFusion detects anomalous AI API usage through behavioural monitoring. LLMjacking generates distinctive patterns: sudden spikes in API calls, unusual times of day for high-volume inference requests, calls from unexpected IP addresses or service identities, and consumption patterns inconsistent with legitimate business workflows. BrahmaFusion triggers automated isolation playbooks when these patterns are detected, revoking the compromised credentials and blocking the offending access before the bill arrives.
Our XDR provides cross-layer detection for AI cloud service abuse. In cloud environments where AI inference runs alongside other workloads, XDR correlates anomalous AI service activity with related indicators in identity logs, network traffic, and endpoint activity to build a complete picture of the attack chain.
Scenario: Catching LLMjacking Before the $40,000 Bill
At 2:30am, BrahmaFusion detects an anomaly in the organisation’s AI inference endpoint usage: API call volume has increased 8,000% over baseline in the past 45 minutes. The calls are originating from an IP not associated with any known service identity.
With Peris.ai:
- BrahmaFusion immediately flags the anomalous API consumption pattern
- INDRA CTI matches the source IP to known LLMjacking infrastructure from a scanning campaign identified the prior week
- The compromised API key is revoked automatically
- The inference endpoint is temporarily restricted to approved IP ranges pending investigation
- Peris.ai IRP opens a case documenting the incident for the cloud security team
- Estimated cost of the LLMjacking attempt if undetected for 24 hours: $38,000. Cost of the containment: 12 minutes of automated response.
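The behavioural signals described above (call rate against a learned baseline, source IPs never seen for the identity, activity in hours the identity has never used) can be run over ordinary model-invocation logs. The following is an added example written for this post, not BrahmaFusion code: it builds a per-identity baseline from seven constructed days of logs, then evaluates a 45-minute window that contains both a legitimate nightly batch job and a burst from a stolen key. The log field names (`identity`, `src_ip`, `tokens`) and the spike threshold are assumptions.

```python
"""Behavioural detection of LLMjacking from model-invocation logs.

Added example, not Peris.ai/BrahmaFusion code. Events are constructed in
the shape a cloud model-invocation log typically carries (timestamp, calling
identity, source IP, token count); field names are assumptions. Three
signals are checked per identity: call rate versus a learned baseline,
source IPs never seen for that identity, and activity in hours of the day
the identity has never been active in.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

DAY0 = datetime(2026, 1, 5, tzinfo=timezone.utc)   # constructed start of the log


def build_events():
    """Constructed log: 7 days of normal traffic, then a 45-minute burst on day 8."""
    events = []
    for day in range(7):                             # business-hours support bot, 20 calls/hour
        for hour in range(8, 20):
            for k in range(20):
                events.append(dict(ts=DAY0 + timedelta(days=day, hours=hour, minutes=3 * k),
                                   identity="svc-support-bot", src_ip="10.20.4.7", tokens=900))
    for day in range(8):                             # nightly batch job, legitimately at 02:30
        for k in range(30):
            events.append(dict(ts=DAY0 + timedelta(days=day, hours=2, minutes=30 + k),
                               identity="svc-nightly-batch", src_ip="10.20.9.1", tokens=4000))
    burst_start = DAY0 + timedelta(days=7, hours=2, minutes=30)
    for k in range(1220):                            # stolen support-bot key, new IP, 02:30
        events.append(dict(ts=burst_start + timedelta(seconds=2.2 * k),
                           identity="svc-support-bot", src_ip="198.51.100.23", tokens=3500))
    return events


def build_baseline(events, learn_until):
    """Per identity: mean calls per active hour, known source IPs, hours of day seen."""
    per_hour = defaultdict(lambda: defaultdict(int))
    ips, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e["ts"] >= learn_until:
            continue
        i = e["identity"]
        per_hour[i][e["ts"].replace(minute=0, second=0, microsecond=0)] += 1
        ips[i].add(e["src_ip"])
        hours[i].add(e["ts"].hour)
    return {i: dict(calls_per_hour=mean(b.values()), known_ips=ips[i], active_hours=hours[i])
            for i, b in per_hour.items()}


def detect(events, baseline, window_start, window_end, spike_factor=10.0):
    """Evaluate one window; return an alert per identity with at least one anomaly."""
    window_h = (window_end - window_start).total_seconds() / 3600
    by_identity = defaultdict(list)
    for e in events:
        if window_start <= e["ts"] < window_end:
            by_identity[e["identity"]].append(e)
    alerts = []
    for identity, evs in by_identity.items():
        reasons = []
        rate = len(evs) / window_h
        base = baseline.get(identity)
        if base is None:
            reasons.append("identity has no baseline (never seen before)")
        else:
            ratio = rate / base["calls_per_hour"]
            if ratio >= spike_factor:
                reasons.append(f"call rate {ratio:.0f}x baseline (+{(ratio - 1) * 100:.0f}%)")
            unknown = sorted({e["src_ip"] for e in evs} - base["known_ips"])
            if unknown:
                reasons.append(f"source IPs never seen for this identity: {unknown}")
            odd_hours = sorted({e["ts"].hour for e in evs} - base["active_hours"])
            if odd_hours:
                reasons.append(f"activity in hours never used before (UTC): {odd_hours}")
        if reasons:
            tokens = sum(e["tokens"] for e in evs)
            alerts.append(dict(identity=identity, calls=len(evs), calls_per_hour=round(rate),
                               projected_tokens_24h=round(tokens / window_h * 24),
                               severity="high" if len(reasons) >= 2 else "medium",
                               reasons=reasons))
    return alerts


def run_demo():
    events = build_events()
    baseline = build_baseline(events, learn_until=DAY0 + timedelta(days=7))
    start = DAY0 + timedelta(days=7, hours=2, minutes=30)
    return detect(events, baseline, start, start + timedelta(minutes=45))


if __name__ == "__main__":
    for a in run_demo():
        print(a["severity"].upper(), a["identity"], f'{a["calls"]} calls', *a["reasons"], sep=" | ")
```

Two design points carry over to production: the baseline is per identity, so a nightly batch job that legitimately runs at 02:30 from its own address is not flagged while a support-bot key used at the same hour from a new address is; and `projected_tokens_24h` gives the responder a number to put beside the price list before deciding whether to revoke the key automatically or page a human.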
Benefits at a Glance
| Benefit | Outcome |
|---|---|
| INDRA CTI criminal AI monitoring | WormGPT, FraudGPT, and LLMjacking infrastructure tracked in real time |
| BimaRed AI pipeline SAST | Prompt injection vulnerabilities caught before deployment |
| BrahmaFusion API anomaly detection | LLMjacking detected and contained before significant cost accumulates |
| XDR cloud AI service monitoring | Full cross-layer visibility into AI infrastructure abuse |
Final Thought
The AI infrastructure your organisation has invested in (inference endpoints, model APIs, and development tools with AI integration) is now part of your attack surface. The criminal ecosystem that has grown up around AI in 2025 and 2026 treats it as a resource to be exploited and a capability to be weaponised.
Platforms like BrahmaFusion by Peris.ai, combined with INDRA CTI’s criminal AI tracking and BimaRed’s AI pipeline security, give security teams the visibility and automated response needed to protect AI investments from becoming attacker infrastructure.
Frequently Asked Questions
What is LLMjacking?
LLMjacking is the unauthorised use of an organisation’s AI model infrastructure to run inference tasks at the victim’s expense. Attackers exploit misconfigured API keys or exposed inference endpoints to consume AI compute resources, generating costs of up to $50,000 or more per day. More than 90,000 LLMjacking attempts were logged between late 2025 and early 2026.
What are criminal AI tools like WormGPT and FraudGPT?
Criminal AI toolkits are purpose-built large language models that remove the safety guardrails of mainstream AI models. WormGPT generates phishing emails and malware code. FraudGPT creates fraudulent financial documents. GhostGPT produces evasive malware. These tools are available on underground markets for $100 to $1,500 per month.
What is CVE-2025-53773 in GitHub Copilot?
CVE-2025-53773 is a prompt injection vulnerability in GitHub Copilot’s agent mode, rated CVSS 7.8 by Microsoft and patched in August 2025. By hiding instructions in content the agent reads, such as pull request text or a source file, an attacker could make Copilot enable automatic approval of its own tool calls and then execute arbitrary code on a developer’s machine. Keep Copilot updated and leave auto-approval of agent tool calls disabled.
How can organisations detect LLMjacking attempts?
Effective LLMjacking detection requires monitoring AI API usage for anomalous patterns: sudden spikes in call volume, requests from unexpected IP addresses or service identities, and consumption patterns inconsistent with normal business workflows. BrahmaFusion’s behavioural monitoring detects these patterns and triggers automated credential revocation before significant cost accumulates.
How has nation-state use of AI in attacks evolved?
According to CrowdStrike’s 2026 Global Threat Report, all four major nation-state actors (China, Russia, Iran, North Korea) had operationalised LLMs in their attack chains by late 2025, and AI-enabled adversary activity increased by 89% in 2025 versus the prior year.