Introduction
The rapid adoption of Generative AI (GenAI) technologies has been accompanied by a corresponding rise in security threats, particularly those involving compromised Non-Human Identities (NHIs), such as API keys, tokens, and service accounts that facilitate AI operations. The report introduces a new threat vector called LLMjacking, wherein attackers hijack GenAI systems by exploiting these NHIs. The consequences include unauthorized access to Large Language Models (LLMs), cloud cost inflation, and misuse of AI to generate malicious content.
Entro Labs conducted a groundbreaking experiment by intentionally leaking valid AWS credentials on public platforms. This allowed them to observe and document in real time how attackers identify, access, and exploit AI credentials.
LLMjacking Case In Real-Life
LLMjacking is no longer just a theory; attackers are already using it to exploit AI services. Two major incidents highlight how exposed API keys and tokens can quickly lead to large-scale abuse.
The Microsoft Azure AI Breach (2024-2025)
In 2024–2025, threat group Storm-2139 targeted Microsoft Azure AI customers by stealing API keys. They developed a tool called De3u to bypass GenAI safety controls and automate credential abuse. Their tool was publicly shared, turning it into a Hacking-as-a-Service platform. Microsoft responded by revoking keys, seizing domains, and strengthening protections.
DeepSeek Exposure
Chinese AI platform DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online. The breach revealed more than a million sensitive records, including chat histories, backend credentials, and API keys.
Tracking LLMjacking. Entro Research.
Baiting the Blackhats: When AWS Secrets Go Public

To see how quickly attackers act on exposed credentials, Entro Labs ran a bold experiment. They deliberately leaked valid AWS API keys on public platforms like GitHub and Reddit to observe attacker behavior in real time.
These credentials weren’t decoys. Each was a fully functional AWS credential set (access key ID + secret access key) with limited access to specific AWS services like S3 and AI model endpoints. Entro’s platform closely monitored the leaked keys, tracking how fast they were accessed, the methods used, and what actions followed.
Fast & Curious: Minutes to Unauthorized Access Attempts
The results were eye-opening. On average, attackers attempted access within 17 minutes, and in as little as 9. The activity came from a mix of automated bots and manual efforts, showing just how aggressively malicious actors scan public platforms for secrets.

Unlike previous research using canary tokens, Entro’s use of real credentials revealed genuine attacker tactics, giving an unfiltered look into how quickly and precisely LLMjacking attempts unfold the moment a key goes public.
Reconnaissance Tactics: Automated Bots & Manual Probes
Entro Labs’ research revealed that attackers use a mix of automated tools and manual methods when probing exposed AWS credentials.
Most of the access attempts came from scripts, identifiable by user-agents like botocore/* and python-requests, indicating that bots actively scan public platforms and test secrets the moment they’re exposed.

But not all activity was automated. Some requests came from browsers like Firefox, suggesting human attackers stepping in, likely to validate the key manually or explore it through the AWS console.

This combination of fast-moving bots and hands-on adversaries reflects a layered threat: automation for scale, and human oversight for high-value targets.
Inside the Attackers’ Playbook: Final Steps Before LLM Abuse
Entro Labs uncovered a telling pattern in how attackers behave after discovering exposed AWS credentials. Instead of jumping straight into AI abuse, they took a more strategic approach, starting with quiet, calculated reconnaissance.
One attacker began by calling the GetCostAndUsage API to review cloud billing data, likely to assess the account’s potential value. Notably, none of the observed actors used the typical GetCallerIdentity API, an early sign of sophistication, as it’s commonly monitored by defenders.

In another case, an attacker manually made a series of requests using GetFoundationModelAvailability to list available GenAI models like Claude, GPT-4, and DeepSeek. These actions, often done through a browser interface, show how threat actors map out their targets before executing any AI workloads.

Throughout this phase, attackers avoided launching prompts or triggering cost alarms. Their goal was clear: quietly understand the account’s capabilities before taking the next step.
LLMjacking Live: Attempts To Generate Content
Once attackers confirmed access to powerful AI models like Anthropic Claude, they wasted no time escalating their efforts. Using the InvokeModel command, they began attempting to generate content, treating the compromised AWS environment as their own personal GenAI playground.
Entro Labs observed that these weren’t just one-off experiments. The activity was automated, persistent, and clearly designed to test multiple models. Attackers were methodical in their attempts to run real AI workloads, demonstrating a strong intent to exploit the system at scale.
What’s most alarming is the financial risk. A single query to an advanced GenAI service can consume hundreds of thousands of tokens, all billed to the account owner. Left unchecked, this kind of abuse could rack up more than $46,000 in daily charges, potentially draining a company’s cloud budget in just a few hours.
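The reconnaissance-then-abuse sequence described in the last three sections (script user-agents on the first probes, GetCostAndUsage and GetFoundationModelAvailability calls with no GetCallerIdentity, a browser session against Bedrock, then repeated InvokeModel calls) can be turned into detection logic over CloudTrail records. The Python below is an added example, not Entro’s tooling or code from the report. The event records, IP addresses, key ID, user-agent strings, burst threshold and window, and the rule names are all constructed for illustration, and it assumes the InvokeModel calls are present in the trail being analysed.

```python
"""Detect the LLMjacking reconnaissance-then-abuse pattern in CloudTrail-style
records. Hypothetical detector; every record below is constructed sample data."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# API calls the report associates with pre-abuse reconnaissance and with abuse itself.
RECON_EVENTS = {
    ("ce.amazonaws.com", "GetCostAndUsage"),
    ("bedrock.amazonaws.com", "GetFoundationModelAvailability"),
}
ABUSE_EVENTS = {("bedrock.amazonaws.com", "InvokeModel")}
# User-agent prefixes seen on automated probes of the leaked keys (extend for your estate).
SCRIPT_UA = re.compile(r"^(botocore|python-requests)/", re.IGNORECASE)
# A browser user-agent on a Bedrock call suggests a human working through the console.
BROWSER_UA = re.compile(r"Mozilla/.*(Firefox|Chrome|Safari)/")
INVOKE_BURST_THRESHOLD = 5                   # this many InvokeModel calls per key ...
INVOKE_BURST_WINDOW = timedelta(minutes=10)  # ... inside this window raise an alert (constructed cut-offs)


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze(events):
    """Return (rule, access_key_id, detail) alerts for a batch of CloudTrail records."""
    alerts = []
    invoke_times = defaultdict(list)
    for ev in sorted(events, key=_ts):
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        call = (ev["eventSource"], ev["eventName"])
        ua = ev.get("userAgent", "")
        if call in RECON_EVENTS:
            alerts.append(("recon_api", key, f"{ev['eventName']} from {ev['sourceIPAddress']}"))
        if SCRIPT_UA.search(ua):
            alerts.append(("scripted_access", key, ua))
        if call[0] == "bedrock.amazonaws.com" and BROWSER_UA.search(ua):
            alerts.append(("console_recon", key, ev["eventName"]))
        if call in ABUSE_EVENTS:
            invoke_times[key].append(_ts(ev))
    # Sliding window over each key's InvokeModel timestamps (already in time order).
    for key, times in invoke_times.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > INVOKE_BURST_WINDOW:
                start += 1
            if end - start + 1 >= INVOKE_BURST_THRESHOLD:
                alerts.append(("invoke_burst", key,
                               f"{end - start + 1} InvokeModel calls within {INVOKE_BURST_WINDOW}"))
                break
    return alerts


def summarize(alerts):
    """Count alerts per rule so a dashboard (or a test) can check a batch at a glance."""
    return dict(Counter(rule for rule, _, _ in alerts))


def _event(time, source, name, ua, ip="198.51.100.7", key="AKIAIOSFODNN7EXAMPLE"):
    # Minimal CloudTrail-shaped record; the key ID is AWS's documentation example.
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userAgent": ua, "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}


# Constructed records mirroring the observed sequence: one benign owner call, a billing
# probe from a script, a browser-driven model-availability check, then an InvokeModel burst.
SAMPLE_EVENTS = [
    _event("2025-03-01T09:50:00Z", "s3.amazonaws.com", "ListBuckets",
           "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0", ip="192.0.2.5"),
    _event("2025-03-01T10:00:00Z", "ce.amazonaws.com", "GetCostAndUsage",
           "Botocore/1.34.0 Python/3.11.4 Linux/5.15.0"),
    _event("2025-03-01T10:03:00Z", "bedrock.amazonaws.com", "GetFoundationModelAvailability",
           "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0"),
] + [
    _event(f"2025-03-01T10:{20 + i:02d}:00Z", "bedrock.amazonaws.com", "InvokeModel",
           "python-requests/2.31.0")
    for i in range(6)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
    print(summarize(analyze(SAMPLE_EVENTS)))
```

Feed `analyze` the `Records` array of a CloudTrail export. Because the observed actors skipped GetCallerIdentity, the detector keys on the billing and Bedrock discovery calls instead of the usual identity check; the burst threshold and window are placeholders to tune against the account’s own InvokeModel baseline.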
The GenAI-NHI Connection
Non-Human Identities (NHIs) like API keys, tokens, and service accounts are the core enablers of GenAI functionality. Their compromise opens the door to wide-scale abuse.
Where NHIs Power GenAI
- Model Invocation: Authenticate access to LLMs like GPT, Claude, and proprietary models.
- Data Retrieval: Connect to S3, NoSQL, and SQL databases to supply prompts or training sets.
- Fine-Tuning Operations: Enable models to be retrained or updated on specific datasets using service accounts.
- Function Calling: AI agents use NHIs to call APIs (e.g., for performing transactions, aggregating data).
- Usage Monitoring: NHIs track usage, performance metrics, and billing operations.
Recommendations: How to Secure NHIs from LLMjacking
To mitigate LLMjacking threats, Entro Labs recommends the following measures for NHI protection:
- Detect & Monitor NHIs in Real-Time: Implement continuous scanning of code repositories, CI/CD pipelines, collaboration tools, and logs to detect secrets.
- Automated Secret Rotation: Employ tools that revoke or rotate credentials the moment exposure is detected, limiting exploitation windows.
- Developer Education: Train engineering teams in secure coding practices such as avoiding hardcoded secrets, using vaults, and following secret hygiene protocols.
- Monitor Anomalous API Activity: Establish alert systems for abnormal usage patterns, such as uncharacteristic AI model invocations or sudden spikes in billing.
- Enforce Least Privilege: Scope NHI permissions narrowly to ensure that even if credentials are stolen, they can’t be used to abuse high-privilege resources.
These are not optional practices; they are essential safeguards in the GenAI era.
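The first recommendation, continuously scanning repositories and other text for secrets before they reach a public platform, as an added Python example (not Entro’s product or code): it looks for the AWS access key ID format that the leaked keys above would have had and for secret-access-key assignments, confirming the latter with a Shannon-entropy check so that template placeholders are not reported. The sample config file, its variable names, the assignment pattern and the entropy threshold are constructed; the key pair in the sample is the example pair from AWS documentation, not a live credential.

```python
"""Scan text headed for a repository, ticket or chat for AWS credential material.
Hypothetical pre-commit check; the sample input below is constructed."""
import math
import re
from collections import Counter

# Long-term access key IDs start with AKIA and temporary ones with ASIA; both are 20 characters.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-like characters. That shape alone matches too much,
# so a candidate must sit in a secret-looking assignment and pass an entropy check.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(aws_?secret[_a-z]*|secret_?access_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; constructed cut-off, tune on your own corpus


def shannon_entropy(s):
    """Bits of entropy per character; a random 40-character key scores well above 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret):
    """Keep a short prefix so a finding can be matched to its source without re-leaking it."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan(text, min_entropy=ENTROPY_THRESHOLD):
    """Return one finding per credential-looking token, with secret values redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(0)})
        for m in SECRET_ASSIGNMENT.finditer(line):
            candidate = m.group(2)
            # Placeholders such as forty x's have near-zero entropy and are skipped.
            if shannon_entropy(candidate) >= min_entropy:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "value": redact(candidate)})
    return findings


# Constructed sample of a settings file about to be committed. The key pair is the
# example pair from AWS documentation, not a live credential.
SAMPLE_SOURCE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# placeholder from a template; must not be reported
AWS_SECRET_ACCESS_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
AWS_DEFAULT_REGION = "us-east-1"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Wired into a pre-commit hook or a CI step, a non-empty result blocks the commit; pairing the same check with the rotation step above (revoke and reissue on any hit) keeps the exploitation window, measured in minutes in the experiment, as short as possible.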