Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries - The Hacker News

Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries Ravie LakshmananJan 29, 2026Artificial Intelligence / LLM Security A new joint investigation by SentinelOne SentinelLABS, and Censys has revealed that the open-source artificial intelligence (AI) deployment has created a vast "unmanaged, publicly accessible layer of AI compute infrastructure" that spans 175,000 unique Ollama hosts across 130 countries. These systems, which span both cloud and residential networks across the world, operate outside the guardrails and monitoring systems that platform providers implement by default, the company said. The vast majority of the exposures are located in China, accounting for a little over 30%. The countries with the most infrastructure footprint include the U.S., Germany, France, South Korea, India, Russia, Singapore, Brazil, and the U.K. "Nearly half of observed hosts are configured with tool-calling capabilities that enable them to execute code, access APIs, and interact with external systems, demonstrating the increasing implementation of LLMs into larger system processes," researchers Gabriel Bernadett-Shapiro and Silas Cutler added. Ollama is an open-source framework that allows users to easily download, run, and manage large language models (LLMs) locally on Windows, macOS, and Linux. While the service binds to the localhost address at 127.0.0[.]1:11434 by default, it's possible to expose it to the public internet by means of a trivial change: configuring it to bind to 0.0.0[.]0 or a public interface. The fact that Ollama, like the recently popular Moltbot (formerly Clawdbot), can be hosted locally and operate outside of the enterprise security perimeter, poses new security concerns. This, in turn, necessitates new approaches to distinguish between managed and unmanaged AI compute, the researchers said. Of the observed hosts, more than 48% advertise tool-calling capabilities via their API endpoints that, when queried, return metadata highlighting the functionalities they support. Tool calling (or function calling) is a capability that allows LLMs to interact with external systems, APIs, and databases, enabling them to augment their capabilities or retrieve real-time data. "Tool-calling capabilities fundamentally alter the threat model. A text-generation endpoint can produce harmful content, but a tool-enabled endpoint can execute privileged operations," the researchers noted. "When combined with insufficient authentication and network exposure, this creates what we assess to be the highest-severity risk in the ecosystem." The analysis has also identified hosts supporting various modalities that go beyond text, including reasoning and vision capabilities, with 201 hosts running uncensored prompt templates that remove safety guardrails. The exposed nature of these systems means they could be susceptible to LLMjacking, where a victim's LLM infrastructure resources are abused by bad actors to their advantage, while the victim foots the bill. These could range from generating spam emails and disinformation campaigns to cryptocurrency mining and even reselling access to other criminal groups. The risk is not theoretical. According to a report published by Pillar Security this week, threat actors are actively targeting exposed LLM service endpoints to monetize access to the AI infrastructure as part of an LLMjacking campaign dubbed Operation Bizarre Bazaar. The findings point to a criminal service that contains three components: systematically scanning the internet for exposed Ollama instances, vLLM servers, and OpenAI-compatible APIs running without authentication; validating the endpoints by assessing response quality; and commercializing the access at discounted rates by advertising it on silver[.]inc, which operates as a Unified LLM API Gateway. "This end-to-end operation – from reconnaissance to commercial resale – represents the first documented LLMjacking marketplace with complete attribution," researchers Eilon Cohen and Ariel Fogel said. The operation has been traced to a threat actor named Hecker (aka Sakuya and LiveGamer101). The decentralized nature of the exposed Ollama ecosystem, one that's spread across cloud and residential environments, creates governance gaps, not to mention creates new avenues for prompt injections and proxying malicious traffic through victim infrastructure. "The residential nature of much of the infrastructure complicates traditional governance and requires new approaches that distinguish between managed cloud deployments and distributed edge infrastructure," the companies said. "For defenders, the key takeaway is that LLMs are increasingly deployed to the edge to translate instructions into actions. As such, they must be treated with the same authentication, monitoring, and network controls as other externally accessible infrastructure." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  API Security, artificial intelligence, Cloud computing, Cybercrime, cybersecurity, LLM Security, network security, Threat Intelligence Trending News Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Load More ▼ Popular Resources [Demo] Discover SaaS Risks and Monitor Every App in Your Environment [Guide] Learn How to Govern AI Agents With Proven Market Guidance Detect AI-Driven Threats Faster With Full Network Visibility SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats