Criminals Are Stealing AI Computing Power From Companies That Left a Door Open

Security researchers set traps and caught three separate groups hijacking exposed AI software endpoints to run hacking tools — no password required.

ThreatVectr Newsdesk· 3 min read
A dimly lit server room shot from floor level looking toward rows of glowing rack-mounted servers, with one server unit emitting an unusual amber warning light
Share

Key points

  • Between March and May 2025, researchers at Zenity caught three criminal operations hijacking unprotected AI software endpoints using honeypot traps — decoy systems designed to lure and study attackers.
  • Two of the three operations used automated penetration-testing frameworks (tools that probe computer systems for weaknesses), named Strix and HexStrike AI.
  • The Strix operator sent a 140,000-character instruction set targeting an unidentified French auction house.
  • Ollama, a popular self-hosted AI tool, ships with no built-in password protection on its default network port.
  • Zenity co-founder Michael Bargury says any AI system placed on the public internet will likely be targeted "within hours."

Criminals have found a way to use a company's own AI computing power against other victims — and in many cases, the door was left wide open.

Between March and May 2025, researchers at security firm Zenity set up honeypots — fake, monitored systems designed to attract attackers — and watched three separate criminal operators walk straight in. The target: AI model endpoints, which are the network addresses a company's AI software listens on to receive requests, roughly like a telephone number for a piece of software. The criminals pointed their own hacking tools at those addresses and let the company's hardware do the heavy lifting.

No stolen passwords. No software exploit. Just an address and an open line.

How did the attackers get in?

The short answer is that the software let them. Ollama — an application businesses use to run AI models on their own computers rather than in the cloud — ships with no password requirement on its default connection point, port 11434. LiteLLM, another AI management tool, requires administrators to manually switch authentication on; by default it is off. A well-known placeholder password, "sk-1234," is widely known and actively targeted.

Both tools are also commonly left visible to the open internet, either by mistake or by design, making them easy to find.

Zenity's sensors caught all three intrusions in detail. The first operator used a tool called Strix — an automated framework that tests computer systems for security weaknesses — and sent a single enormous prompt, roughly 140,000 characters long, instructing the AI to attack a French auction house continuously, never ask for permission, and never reveal the tool's name. Retry commands in the traffic suggested a real person was watching the operation live.

The second operator pointed HexStrike AI, a similar penetration-testing service, at the honeypot and loaded it with more than 150 offensive tools. No target was named, suggesting the attacker was still in the setup phase.

A third operator ran an OpenAI Codex agent — an AI assistant normally used for writing code — under the fake identity of a security auditor, directing it to reverse-engineer websites, essentially mapping their internal workings for future exploitation.

Zenity first reported its findings to Dark Reading. The firm recommends that any organisation running self-hosted AI tools check immediately whether those tools are reachable from the public internet, turn on real password protection, and monitor incoming traffic for oversized instruction payloads — a hallmark of these hijacking attempts.

If your organisation uses self-hosted AI tools, ask your IT team one question: does anyone outside the building need to reach it? If the answer is no, it should not be publicly accessible.

© 2026 Threat Vectr