I’ve seen many API requests for different LLMs in the honeypot logs.
Like this one:
The prompt is always the same: “How many states are there in the United States?”.
This is recon to find open LLMs. Not necessarily to exploit them, but to use them.
Coincidentally, something similar has been reported in the news: “Hackers target misconfigured proxies to access paid LLM services“
Make sure your LLMs are not exposed to the Internet without authentication.
Didier Stevens
Senior handler
blog.DidierStevens.com
