LLMjacking is a fast-growing threat that targets large language models (LLMs) through stolen or misused credentials. Once attackers gain access, they can hijack cloud-hosted models to drain resources or inject malicious outputs. As more organizations integrate AI into their workflows, these attacks reveal new gaps in visibility and control while expanding the attack surface.
These incidents don't just burn budget; they expose how little most teams see at the API-key level, which is why visibility and policy need to live close to your LLM usage. This article breaks down what LLMjacking is, how it happens, what’s at stake for your business, and how you can prevent damage with stronger model security and governance.
What Is LLMjacking?
LLMjacking is the hijacking of LLM services through stolen or misused credentials, most often API keys or cloud identities. Attackers use those credentials to consume model capacity or reach data without authorization. The term was coined in 2024 by Sysdig's threat research team to describe attackers who scanned for exposed credentials and used them against hosted model platforms such as OpenAI, Anthropic (Claude), Amazon Bedrock, and Google Vertex AI.
These attackers often take advantage of non-human identities, misconfigurations, and exposed secrets, sometimes routing traffic through reverse proxies to hide their activity or to resell access to others. The impact goes beyond wasted compute: sensitive prompts and outputs can be exposed, and the bill can be large and unexpected. And while most early cases targeted cloud-hosted LLMs, the same risks now extend to organizations running private or on-premises models without proper access controls.
How Do LLMjacking Attacks Work?
Not long ago, the typical resource-hijacking attack was cryptojacking: stolen CPU cycles for cryptocurrency mining. The same playbook now yields hijacked LLM environments running someone else's AI workloads on your account.
These attacks usually begin with compromised credentials, such as API keys leaked in public repositories or tokens exposed through vulnerabilities in outdated software, both of which are common in publicly exposed GenAI development services. Once they hold a credential, attackers confirm what it can do with a few cheap calls: checking whether invocation logging is turned on, sending a small test prompt, or sending a deliberately malformed request that fails with a validation error and so proves access without incurring cost.
From there, the operation moves quickly. Cybercriminals drive high-volume API requests to your LLM provider using the stolen key, often routing traffic through reverse proxies to hide activity or resell access.
Many attackers stand up open-source reverse-proxy tools or brokered gateways so other users can submit prompts through your account, turning hijacked infrastructure into a profitable underground service. Because this traffic looks like legitimate LLM usage, it can stay hidden until someone notices an unusual bill or degraded performance.
Visibility is the main challenge in defending against these attacks. Traditional monitoring tools rarely flag unauthorized model usage or subtle deviations in behavior. Without clear baselines and continuous oversight, attackers can exploit your account for weeks, draining resources and exposing sensitive data without setting off alarms.
What Are the Potential Consequences of LLM Attacks?
When someone slips into your system via a valid key, the fallout can drain budgets and expose sensitive data. Here’s what that looks like in practice:
- You pay for someone else’s workloads. With a stolen LLM API key, attackers can run high-volume requests against your provider at your expense. If the cybercriminals also compromise broader cloud credentials, they can deploy their own models too.
- Sensitive prompts, data, and outputs can leak. Once they gain access, adversaries can query models, scrape logs, and pull responses tied to internal datasets and customer information.
- Adversaries can weaponize your models. Attackers can poison fine-tuning or retrieval data and manipulate outputs that downstream users rely on.
- Investigation and compliance work pile up. After an attacker abuses an LLM key, teams must revoke and rotate credentials, then trace which datasets and outputs the attackers accessed.
- One leak often turns into many. Stolen credentials circulate through resale channels, exposing other organizations to secondary attacks while you absorb the costs and the risks.
6 Ways to Detect and Prevent LLMjacking
Here are six methods for proactively preventing attacks and spotting abuse early within your GenAI security program.
1. Enforce Credential Hygiene and Scoped Keys
Rotate API keys on a schedule and retire unused tokens. Prefer short-lived tokens tied to a single service over broad, long-lived secrets. Bind each key to its job: limit it to a specific application, model, or IP range, or require an approved network path (for example a private endpoint) to your LLM provider, so a key that leaks is useless from anywhere else.
2. Hunt for Exposed Keys Across Code and Configs
Whichever team owns secrets management, AppSec or SecOps, should run recurring scans for LLM provider key patterns across source repositories, container images, and infrastructure-as-code templates, and keep a log of every hit. Block merges when a key pattern appears in a pull request, and record the owning service with each finding so follow-up doesn't rely on guesswork. Extend the scans to wikis and ticket attachments, where keys get pasted during debugging.
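The scan-and-attribute step above, as an added example in Python (not code from the article or from Legit Security). The key-format patterns are assumptions about current provider prefixes and should be confirmed against each vendor; the repository contents and the CODEOWNERS-style map are constructed for illustration.

```python
import re

# Assumed provider key patterns (confirm against each vendor's current format).
# The Anthropic rule is checked first and the OpenAI rule excludes "sk-ant-".
PATTERNS = {
    "anthropic_api_key": re.compile(r"\bsk-ant-[A-Za-z0-9_\-]{20,}"),
    "openai_api_key": re.compile(r"\bsk-(?!ant-)(?:proj-)?[A-Za-z0-9_\-]{20,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}"),
}

# Constructed CODEOWNERS-style map: longest matching path prefix wins.
OWNERS = {
    "services/billing/": "team-payments",
    "infra/": "team-platform",
    "docs/": "team-docs",
}

# Constructed repository snapshot. The keys are placeholders, not real secrets.
SAMPLE_REPO = {
    "services/billing/settings.py":
        'OPENAI_API_KEY = "sk-proj-EXAMPLEEXAMPLEEXAMPLEEXAMPLE0000"\n',
    "infra/terraform/main.tf":
        'provider "aws" {\n  access_key = "AKIAIOSFODNN7EXAMPLE"\n}\n',
    "docs/runbook.md":
        "Use this key for the demo: sk-ant-api03-EXAMPLEEXAMPLEEXAMPLE0000\n",
    "services/search/client.py":
        'MODEL = "gpt-4o-mini"\nTIMEOUT_SECONDS = 30\n',
}


def owner_for(path):
    """Map a file path to its owning team via the longest matching prefix."""
    best = max((p for p in OWNERS if path.startswith(p)), key=len, default=None)
    return OWNERS[best] if best else "unowned"


def mask(secret):
    """Keep enough of the value to identify it without re-leaking it in a log."""
    return secret[:7] + "..." + secret[-4:]


def scan_text(path, text):
    """Return one finding per key-like token, with line number and owner."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "value": mask(m.group()), "owner": owner_for(path)})
    return findings


def scan_repo(files):
    """files: mapping of path -> content (what a repo or image walk would yield)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def should_block_merge(findings):
    """Policy hook for the PR check: any provider key in the diff blocks the merge."""
    return bool(findings)


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['value']} owner={f['owner']}")
```

The masked value and the owner are what belong in the finding record; the raw token never needs to leave the scanner.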
3. Monitor LLM Usage Patterns and Baseline Anomalies
To catch LLM security risks early, track request volume, models accessed, source IPs, and account activity per key, and establish a baseline for each. Alert on spikes, unusual timing, activity from dormant keys or users, or calls to AI endpoints from services that have never used them before. Feed provider logs (invocation logs and cloud audit trails) into your SIEM so these signals can be correlated during an LLM attack.
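As an added example (not code from the article or from Legit Security), the baseline-and-anomaly logic above run over constructed audit events, in Python. It also covers the reconnaissance pattern from the "How Do LLMjacking Attacks Work?" section: a logging-configuration lookup and a deliberately failing invocation from a new IP, followed by a burst on a model the key never used. The events are shaped like AWS CloudTrail records for Amazon Bedrock (eventName, sourceIPAddress, userIdentity.accessKeyId, requestParameters.modelId, errorCode), but their contents, the key IDs, and the thresholds are made up for illustration.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

BASE_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS's documented placeholder access key id
IDLE_KEY = "AKIAI44QH8DHBEXAMPLE"   # second documented placeholder
HAIKU = "anthropic.claude-3-haiku-20240307-v1:0"
OPUS = "anthropic.claude-3-opus-20240229-v1:0"


def _event(ts, key, ip, name, model=None, error=None):
    """Serialize one constructed CloudTrail-style event as a JSON line."""
    e = {"eventTime": ts.isoformat(), "eventSource": "bedrock.amazonaws.com",
         "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"accessKeyId": key},
         "requestParameters": {"modelId": model} if model else {}}
    if error:
        e["errorCode"] = error
    return json.dumps(e)


def constructed_log():
    """Two weeks of quiet in-VPC use, one dormant key, then a hijack at 02:00 UTC."""
    lines = []
    for day in range(1, 15):                      # baseline: 2 calls/hour, 09:00-17:59
        for hour in range(9, 18):
            for minute in (5, 35):
                ts = datetime(2025, 3, day, hour, minute, tzinfo=timezone.utc)
                lines.append(_event(ts, BASE_KEY, "10.0.1.5", "InvokeModel", HAIKU))
    lines.append(_event(datetime(2025, 2, 1, 12, tzinfo=timezone.utc),
                        IDLE_KEY, "10.0.1.9", "InvokeModel", HAIKU))
    t0 = datetime(2025, 3, 20, 2, tzinfo=timezone.utc)
    # Recon: is invocation logging on? does the key work? (malformed call errors out)
    lines.append(_event(t0, BASE_KEY, "203.0.113.7", "GetModelInvocationLoggingConfiguration"))
    lines.append(_event(t0 + timedelta(seconds=5), BASE_KEY, "203.0.113.7",
                        "InvokeModel", OPUS, "ValidationException"))
    for i in range(60):                           # burst: 60 calls in 30 minutes
        lines.append(_event(t0 + timedelta(minutes=1, seconds=30 * i), BASE_KEY,
                            "203.0.113.7", "InvokeModel", OPUS))
    lines.append(_event(t0 + timedelta(hours=1), IDLE_KEY, "203.0.113.7", "InvokeModel", OPUS))
    return lines


def parse(lines):
    out = []
    for line in lines:
        e = json.loads(line)
        out.append({"ts": datetime.fromisoformat(e["eventTime"]),
                    "key": e["userIdentity"]["accessKeyId"], "ip": e["sourceIPAddress"],
                    "name": e["eventName"], "error": e.get("errorCode"),
                    "model": e.get("requestParameters", {}).get("modelId")})
    return out


def _hour(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def build_baseline(events):
    """Per key: known IPs and models, peak hourly successful invokes, last activity."""
    base = defaultdict(lambda: {"ips": set(), "models": set(), "hourly": Counter(), "last_seen": None})
    for e in events:
        k = base[e["key"]]
        k["ips"].add(e["ip"])
        if e["model"]:
            k["models"].add(e["model"])
        if e["name"] == "InvokeModel" and not e["error"]:
            k["hourly"][_hour(e["ts"])] += 1
        if k["last_seen"] is None or e["ts"] > k["last_seen"]:
            k["last_seen"] = e["ts"]
    for k in base.values():
        k["peak_hourly"] = max(k["hourly"].values(), default=0)
    return base


def detect(events, baseline, spike_factor=5, dormant_days=30):
    """Return one (kind, key, first_seen) alert per kind per key."""
    alerts, fired, hourly = [], set(), Counter()

    def fire(kind, e):
        if (kind, e["key"]) not in fired:
            fired.add((kind, e["key"]))
            alerts.append((kind, e["key"], e["ts"]))

    for e in sorted(events, key=lambda x: x["ts"]):
        k = baseline.get(e["key"])
        if k is None:
            fire("unknown_key", e)
            continue
        if e["ip"] not in k["ips"]:
            fire("new_source_ip", e)
        if e["model"] and e["model"] not in k["models"]:
            fire("new_model", e)
        if e["ts"] - k["last_seen"] > timedelta(days=dormant_days):
            fire("dormant_key_active", e)
        if e["name"] == "GetModelInvocationLoggingConfiguration" or (e["name"] == "InvokeModel" and e["error"]):
            fire("recon_probe", e)                # cheap access checks before the burst
        if e["name"] == "InvokeModel" and not e["error"]:
            hourly[(e["key"], _hour(e["ts"]))] += 1
            if hourly[(e["key"], _hour(e["ts"]))] > spike_factor * max(k["peak_hourly"], 1):
                fire("volume_spike", e)
    return alerts


def run_constructed():
    """Baseline on the first two weeks, then detect over everything after the cutoff."""
    events = parse(constructed_log())
    cutoff = datetime(2025, 3, 15, tzinfo=timezone.utc)
    baseline = build_baseline([e for e in events if e["ts"] < cutoff])
    return detect([e for e in events if e["ts"] >= cutoff], baseline)


if __name__ == "__main__":
    for kind, key, ts in run_constructed():
        print(f"{ts.isoformat()}  {kind:20s} {key}")
```

The spike rule is deliberately relative to each key's own peak rather than a global number, because a batch pipeline's normal hour would look like an attack against a chatbot's baseline and vice versa; the recon rule fires on the first probe, before any spend has accumulated.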
4. Lock Down Egress to Approved AI Endpoints
Allow outbound traffic only to approved LLM provider domains and block the rest. DNS allowlists and egress policies ensure that services can't reach proxy/broker relays or newly added AI endpoints without a review. Be clear about what this does and doesn't cover: egress controls stop a compromised workload inside your environment from shipping prompts to an unapproved endpoint, but they don't stop an attacker using a leaked key from their own infrastructure, which is why they belong alongside keys bound to an IP range or private network path.
5. Use Zero-Trust Architecture for Model Access
Adopt Zero Trust for every call to your LLM provider: require strong authentication to retrieve keys, verify device and workload identity, and grant the minimum scope needed to run a prompt. Segment development and production so a key leaked from one environment can't reach the other. If an attacker still gets in, tight verification and least privilege keep the blast radius small.
6. Add Cost and Rate Guardrails
Finally, put firm brakes on spending. Start with per-key rate caps, then wire budget alerts at the provider level so spikes trigger quickly. Route LLM billing to separate projects or accounts for clear visibility. When an alert fires, rotate the key immediately and review recent calls, and don't close the case until usage settles back to baseline.
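As an added example (not code from the article or from Legit Security), a gateway-side guard in Python that enforces the per-key rate cap and daily budget described above. The prices, key names, thresholds, and the replayed traffic trace are constructed; the budget check blocks the key outright at the limit and marks it as pending rotation, matching the response the text calls for.

```python
import time
from collections import Counter, defaultdict, deque

# Constructed per-1K-token prices; take real figures from your provider's bill.
PRICE_PER_1K = {"small-model": 0.0005, "large-model": 0.03}


class KeyGuard:
    """Per-key requests-per-minute cap plus a daily spend budget, enforced in a
    gateway that fronts the LLM provider."""

    def __init__(self, rpm, daily_budget_usd, alert_at=0.8):
        self.rpm, self.budget, self.alert_at = rpm, daily_budget_usd, alert_at
        self.calls = defaultdict(deque)     # key -> timestamps of calls in the last 60 s
        self.spend = defaultdict(float)     # key -> USD spent today
        self.day = {}                       # key -> day number the spend belongs to
        self.blocked = set()                # keys awaiting rotation and review

    def _roll_day(self, key, now):
        today = int(now // 86400)
        if self.day.get(key) != today:
            self.day[key], self.spend[key] = today, 0.0

    def admit(self, key, model, est_tokens, now=None):
        """Decide one request. Returns (allowed, action)."""
        now = time.time() if now is None else now
        if key in self.blocked:
            return False, "blocked_pending_rotation"
        self._roll_day(key, now)
        window = self.calls[key]
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) >= self.rpm:
            return False, "rate_limited"
        cost = est_tokens / 1000 * PRICE_PER_1K[model]
        if self.spend[key] + cost > self.budget:
            self.blocked.add(key)           # hard stop until the key is rotated
            return False, "budget_exceeded"
        window.append(now)
        self.spend[key] += cost
        if self.spend[key] >= self.alert_at * self.budget:
            return True, "alert"            # still served, but page the on-call
        return True, "ok"


def simulate():
    """Replay a constructed two-minute trace: a legitimate app at 6 req/min on a
    cheap model next to a stolen key hammering an expensive one once a second."""
    guard = KeyGuard(rpm=30, daily_budget_usd=5.0)
    outcomes = {"app-key": Counter(), "stolen-key": Counter()}
    for t in range(120):
        if t % 10 == 0:
            outcomes["app-key"][guard.admit("app-key", "small-model", 500, now=t)[1]] += 1
        outcomes["stolen-key"][guard.admit("stolen-key", "large-model", 4000, now=t)[1]] += 1
    return outcomes


if __name__ == "__main__":
    for key, counts in simulate().items():
        print(key, dict(counts))
```

Two design points worth noting: the rate cap throttles the burst in the first minute, but it is the budget that ends the incident, because a patient attacker can stay under any per-minute limit; and the guard keeps the legitimate key's traffic untouched, so the control can be left on in production rather than switched on only after a bill arrives.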
Protect Against LLMjacking and Other Attacks With Legit Security
Legit Security gives you a unified view of AI across the software development lifecycle, all the way from code to production. You can see which assistants and models are in use, where keys live, and which services are calling your LLM providers. With that context, you can enforce policy at the right points and catch abnormal usage before it turns into spend or data exposure.
Legit pairs secrets detection with AI discovery and code-to-cloud correlation, so leaked keys and odd traffic show up with clear owners and next steps. Guardrails stay consistent across environments, and investigations move quickly because evidence is already stitched together.
Want to see it work on your stack? Request a demo today.
Download our new whitepaper.