Fake Ollama Servers Log Over 91,000 Attacks on AI Infrastructure

Recent research shows attackers turning their attention to the infrastructure that runs modern artificial intelligence (AI) systems. Between October 2025 and January 2026, a purpose-built honeypot (a decoy system that security researchers expose in order to observe attacker behaviour) recorded 91,403 attack attempts.

The study, by GreyNoise, exposed decoy instances of Ollama, a widely used tool for running large language models locally that serves an unauthenticated HTTP API (port 11434 by default). Two distinct campaigns emerged, each with a different objective: one tried to exploit the server, the other mapped which models were reachable.

The Phone Home Trick

The first wave relied on Server-Side Request Forgery (SSRF): the attacker sends input that the target server turns into an outbound request to a destination the attacker chooses. Pointing that destination at the attacker's own host turns the outbound connection into a beacon, confirming that the server is live, reachable from the internet and willing to fetch attacker-supplied URLs. The probes targeted Ollama and also Twilio, a well-known messaging service.

Ollama's pull API downloads a model from whichever registry is named in the request, so by submitting a "malicious registry URL" the attackers made the server connect back to infrastructure they controlled. A spike in this activity was recorded around Christmas, with 1,688 sessions logged in a single 48-hour period. Some of these sessions may have come from security researchers or bug bounty hunters, but the timing suggests a deliberate push during a period when IT departments are typically thinly staffed.
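The registry-redirect technique described above, as an added example that is not part of GreyNoise's research or of Ollama's own code: Ollama's pull endpoint (`POST /api/pull`) fetches a model from whatever registry host is embedded in the model reference (`host/namespace/model:tag`; a reference with no host resolves to `registry.ollama.ai`), which is what lets an attacker point the server at a host they control. The script below scans constructed honeypot-style JSON request records (the log layout is assumed, not GreyNoise's) for pull requests naming an untrusted registry, extracts the callback host, and doubles as the allow-list check for restricting downloads to trusted sources. The `TRUSTED_REGISTRIES` set, the IP addresses and the hostnames are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Ollama's default registry; a model reference with no host prefix resolves here.
DEFAULT_REGISTRY = "registry.ollama.ai"

# Hypothetical allow-list for this deployment (the internal host is made up).
TRUSTED_REGISTRIES = {DEFAULT_REGISTRY, "models.internal.example"}


def registry_host(model_ref: str) -> str:
    """Return the registry host a pull of `model_ref` would connect to.

    Ollama references look like [host/][namespace/]model[:tag].  The first
    component is a host only when a slash follows it and it contains a dot,
    a port separator, or is 'localhost'.  A bare 'llama3.1:8b' has a dot and
    a colon but no slash, so it still resolves to the default registry.
    A scheme prefix (http://host/...) is stripped before the check.
    """
    ref = model_ref.strip()
    if "://" in ref:
        parts = urlsplit(ref)
        ref = parts.netloc + parts.path
    components = ref.split("/")
    first = components[0].lower()
    if len(components) > 1 and ("." in first or ":" in first or first == "localhost"):
        return first
    return DEFAULT_REGISTRY


def is_trusted_registry(host: str) -> bool:
    """Allow-list check; the port is ignored so 'host:443' matches 'host'."""
    return host.rsplit(":", 1)[0] in TRUSTED_REGISTRIES


def scan_pull_requests(log_lines):
    """Find /api/pull requests that would make the server contact an untrusted host.

    Returns a list of dicts with the source IP, the raw model reference, and
    the registry host the server would connect back to.
    """
    findings = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines are skipped
        if rec.get("method") != "POST" or rec.get("path") != "/api/pull":
            continue
        body = rec.get("body") or {}
        # Newer Ollama clients send "model"; older ones send "name".
        ref = body.get("model") or body.get("name") or ""
        host = registry_host(ref)
        if not is_trusted_registry(host):
            findings.append({"src_ip": rec.get("src_ip"), "model": ref, "callback_host": host})
    return findings


# Constructed sample records in an assumed honeypot log layout (not GreyNoise's).
SAMPLE_LOG = [
    '{"ts":"2025-12-25T03:14:07Z","src_ip":"203.0.113.10","method":"POST","path":"/api/pull",'
    '"body":{"name":"203.0.113.10:8080/library/llama3"}}',
    '{"ts":"2025-12-25T03:14:09Z","src_ip":"203.0.113.10","method":"POST","path":"/api/pull",'
    '"body":{"model":"http://callback.attacker.invalid/x/y:latest"}}',
    '{"ts":"2025-12-25T03:15:00Z","src_ip":"198.51.100.7","method":"POST","path":"/api/pull",'
    '"body":{"model":"llama3.1:8b"}}',
    '{"ts":"2025-12-25T03:15:02Z","src_ip":"198.51.100.7","method":"GET","path":"/api/tags"}',
    "not json at all",
]

if __name__ == "__main__":
    for f in scan_pull_requests(SAMPLE_LOG):
        print(f"{f['src_ip']} tried to make the server pull from {f['callback_host']} ({f['model']})")
```

The same `registry_host` plus `is_trusted_registry` pair can sit in front of a real deployment (for instance in a reverse proxy that inspects `/api/pull` bodies) to reject pulls from anywhere but the allow-listed registries; the honeypot scan only reports them.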

Campaign 1 timeline (Source: GreyNoise)

Building a Hit List for AI Models

The second campaign is more concerning. Beginning on December 28, 2025, two IP addresses began a methodical sweep of more than 73 distinct AI endpoints, generating 80,469 sessions in eleven days as they mapped which models were reachable.

GreyNoise assesses this as reconnaissance by professional threat actors rather than exploitation: the actors appeared to be "building target lists" by checking for models from the major providers, including Anthropic (Claude), Meta (Llama), xAI (Grok) and DeepSeek.

“The attack tested both OpenAI-compatible API formats and Google Gemini formats. All leading model families, such as OpenAI (GPT-4o and variations), Anthropic (Claude Sonnet, Opus, Haiku), Meta (Llama 3.x), DeepSeek (DeepSeek-R1), Google (Gemini), Mistral, Alibaba (Qwen), and xAI (Grok), were in the probe list.”

GreyNoise

Curiously, the probes used seemingly innocuous questions, such as "How many states are there in the United States?", as a cheap way to test whether a given model name was actually served and responding.

Campaign 2 test queries (source: GreyNoise)

How to Protect Your Systems

To defend against this activity, GreyNoise recommends restricting AI model downloads to trusted sources, which for Ollama means allowing pulls only from the default registry or an internal registry you control, and watching for bursts of rapid, repetitive queries built from simple, common questions. A practical corollary is not to expose the Ollama API, which ships without authentication, directly to the internet. The scale of the activity, 62 source IPs across 27 countries, suggests attackers are doing the groundwork for their next move.
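Detection logic for the enumeration pattern of the second campaign (many model names, one repeated throwaway prompt, in a short window), as GreyNoise recommends above. This is an added example, not GreyNoise's tooling. It reads constructed request records in an assumed log layout, in both the OpenAI-compatible chat format and the Gemini `generateContent` format that the probe list covered, extracts the model name and the user prompt, and raises an alert when one source IP hits at least `MIN_DISTINCT_MODELS` different models within `WINDOW` using no more than `MAX_DISTINCT_PROMPTS` distinct prompts. The thresholds, IP addresses and model identifiers are hypothetical.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical thresholds; tune them against your own baseline traffic.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_MODELS = 5
MAX_DISTINCT_PROMPTS = 2


def model_and_prompt(rec):
    """Extract (model, normalised prompt) from an OpenAI-style or Gemini-style request."""
    path = rec.get("path", "")
    body = rec.get("body") or {}
    model = body.get("model", "")
    if not model and "/models/" in path:
        # Gemini carries the model in the URL: /v1beta/models/<model>:generateContent
        model = path.split("/models/", 1)[1].split(":", 1)[0]
    prompt = ""
    if body.get("messages"):                       # OpenAI chat completions
        prompt = body["messages"][-1].get("content", "")
    elif body.get("contents"):                     # Gemini generateContent
        parts = body["contents"][-1].get("parts") or []
        prompt = parts[0].get("text", "") if parts else ""
    elif "prompt" in body:                         # Ollama /api/generate, OpenAI completions
        prompt = body["prompt"]
    # Lower-case and collapse whitespace so trivial variations still match.
    return model, " ".join(str(prompt).lower().split())


def detect_enumeration(log_lines, window=WINDOW):
    """Return one alert per source IP that probes many models with the same few prompts."""
    by_src = defaultdict(list)
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        model, prompt = model_and_prompt(rec)
        if not model:
            continue
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        by_src[rec["src_ip"]].append((ts, model, prompt))

    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                          # slide the window forward
            win = events[start:end + 1]
            models = {m for _, m, _ in win}
            prompts = {p for _, _, p in win}
            if len(models) >= MIN_DISTINCT_MODELS and len(prompts) <= MAX_DISTINCT_PROMPTS:
                if best is None or len(models) > best["distinct_models"]:
                    best = {"src_ip": src, "distinct_models": len(models),
                            "prompts": sorted(prompts),
                            "first": events[start][0].isoformat(),
                            "last": events[end][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


# Constructed sample traffic (assumed layout; model identifiers are illustrative).
QUESTION = "How many states are there in the United States?"


def _chat(ts, src, model, text):
    return json.dumps({"ts": ts, "src_ip": src, "path": "/v1/chat/completions",
                       "body": {"model": model, "messages": [{"role": "user", "content": text}]}})


def _gemini(ts, src, model, text):
    return json.dumps({"ts": ts, "src_ip": src, "path": f"/v1beta/models/{model}:generateContent",
                       "body": {"contents": [{"parts": [{"text": text}]}]}})


SAMPLE_LOG = [
    _chat("2025-12-28T10:00:00Z", "198.51.100.23", "gpt-4o", QUESTION),
    _chat("2025-12-28T10:00:01Z", "198.51.100.23", "claude-sonnet", QUESTION),
    _chat("2025-12-28T10:00:02Z", "198.51.100.23", "llama3.1", QUESTION),
    _chat("2025-12-28T10:00:03Z", "198.51.100.23", "deepseek-r1", QUESTION),
    _chat("2025-12-28T10:00:04Z", "198.51.100.23", "grok", QUESTION),
    _gemini("2025-12-28T10:00:05Z", "198.51.100.23", "gemini-pro", QUESTION),
    # A legitimate user: one model, varied prompts, spread over minutes.
    _chat("2025-12-28T10:01:00Z", "203.0.113.44", "llama3.1", "Summarise this incident report."),
    _chat("2025-12-28T10:03:00Z", "203.0.113.44", "llama3.1", "Draft a reply to the vendor."),
    _chat("2025-12-28T10:04:00Z", "203.0.113.44", "llama3.1", "List the affected hosts."),
]

if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_LOG):
        print(f"{a['src_ip']}: {a['distinct_models']} models, prompts={a['prompts']} "
              f"between {a['first']} and {a['last']}")
```

Because the rule keys on distinct model names per source rather than on request volume, it still fires when the scanner spreads 73 endpoints over a low request rate, and the single legitimate user with one model and varied prompts stays silent. In production, feed it the proxy or gateway access log in front of the model API rather than the model server's own log, since the honeypot in the study saw requests that a real deployment would want to block at the edge.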

Expert Warnings on AI Risks

Security teams interpret these revelations as an early precursor to a broader spectrum of risks. Chris Hughes, Vice President of Security Strategy at Zenity, emphasized that while these probing actions may be concerning, the immediate threat lies in AI agents’ interactions with corporate systems. The information amassed from these exploratory sessions could facilitate future attacks.

As Hughes noted, the shift from probing to exploiting AI models could pose significant risks, particularly if organizations only focus on model-centric security. They may find themselves unprepared for attacks that exploit the integration of AI tools into enterprise environments without adequate oversight.
