LLMjacking attacks have rapidly evolved, targeting platforms like DeepSeek. Since its discovery in May 2024, these attacks exploit stolen credentials to bypass service charges of large language models (LLMs). This piece outlines the increasing trend of LLMjacking, its methods, and the business surrounding proxy servers which allow cybercriminals to abuse LLMs while exposing significant vulnerabilities in cloud service accounts. Affected: DeepSeek, OpenAI, AWS, Azure, cloud service providers
Keypoints :
- LLMjacking was discovered in May 2024, with its popularity increasing since September 2024.
- DeepSeek was targeted within days of its public popularity and increased usage.
- Cybercriminals are stealing credentials from platforms like OpenAI, AWS, and Azure due to high costs of LLM usage.
- Attackers quickly implement new LLM models into services like OpenAI Reverse Proxy (ORP).
- LLMjacking can result in significant financial losses for victims, similar to cryptojacking.
- Communities around LLMjacking share access to resources and tools on platforms like 4chan and Discord.
- Defending against LLMjacking requires securing access keys, monitoring account behavior, and managing credentials properly.
- The implications of LLMjacking extend beyond financial drains to potential data leaks.
MITRE Techniques :
- Credential Dumping (T1003) – Attackers steal credentials from vulnerable services and public repositories.
- Exploitation of Remote Services (T1210) – Attackers gain unauthorized access to cloud services to validate and use stolen credentials.
- API Abuse (T1173) – Cybercriminals use stolen credentials to abuse available API endpoints of LLM providers.
Indicator of Compromise :
- [URL] https://huggingface.co/spaces/nebantemenya/joemini
- [Domain] vip.jewproxy.tech
- [Email Address] [email protected]
- [Domain] rentry.org
- [Domain] trycloudflare.com
Full Story: https://sysdig.com/blog/llmjacking-targets-deepseek/