An analysis of how internet scanners are targeting AI infrastructure

A Dutch ASN (Pfcloud UG, AS51396) sent 3,861 requests to Anthropic-proxy paths between May 5-27, probing for misconfigured reverse proxies that could expose valid API keys. Port 11434 (Ollama) has sustained 50-80 distinct source IPs per week since March, with attackers scanning for unauthenticated model servers that could be exploited to download arbitrary models. A single IP from Amarutu Technology Ltd conducted a 45-minute sweep on May 18 targeting credential files for Claude, Anthropic, and other AI services, demonstrating that attackers are systematically enumerating AI infrastructure for misconfigurations and exposed credentials.

2026-05-28

# What scanners are actually trying against AI infrastructure

Three weeks of one Dutch ASN sending 3,861 hits at Anthropic-proxy paths. Port 11434 (Ollama) holding 50-80 distinct source IPs per week since March. A single 45-minute sweep from one IP that lists credential paths for Claude, Codex, Gemini, DeepSeek, DashScope, AWS, Azure, Docker, and shell history.

## What stood out

Between May 5 and May 27 a single Dutch ASN (Pfcloud UG, AS51396) sent 3,861 requests at two URL paths on our sensors:

- `/anthropic/v1/models`: 2,013 hits
- `/proxy/anthropic/v1/models`: 1,848 hits

Both of those paths are the shape that a reverse proxy in front of api.anthropic.com would expose. The scanner does not bother sending a Bearer token because it only cares whether the host responds at all, which is the cheap way to enumerate misconfigured proxies that hold a real Anthropic key and forward anything you send through them.

Three source IPs participated, all sitting in the same /20 of Pfcloud's NL allocation, one of them (`176.65.148.177`) carrying the rDNS `anondrop.net`. Every single request used the user-agent `Mozilla/5.0 compatible; scanner/1.0`. You can pull the cluster up at [/asn/51396](https://honeylabs.net/asn/51396) and watch it continue.
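One way to surface the same pattern in your own proxy logs, as an added example that is not code from the original post: it groups credential-less hits on the two paths by source /20 and reports networks where several IPs share one user-agent. The record layout, the function names, the `min_ips` threshold and the sample rows are assumptions; the sample IPs are RFC 5737 documentation addresses.

```python
import ipaddress
from collections import defaultdict

# Proxy-shaped paths reported in the post.
PROXY_PATHS = {"/anthropic/v1/models", "/proxy/anthropic/v1/models"}
UA = "Mozilla/5.0 compatible; scanner/1.0"  # user-agent string as quoted in the post

# Constructed records: (source IP, path, Authorization header or None, user-agent).
# The IPs are RFC 5737 documentation addresses, not the real sources.
SAMPLE = [
    ("198.51.100.10", "/anthropic/v1/models", None, UA),
    ("198.51.100.77", "/proxy/anthropic/v1/models", None, UA),
    ("198.51.100.10", "/proxy/anthropic/v1/models", None, UA),
    ("198.51.100.200", "/anthropic/v1/models", None, UA),
    ("203.0.113.5", "/anthropic/v1/models", "Bearer <client-token>", "internal-app/2.3"),
    ("192.0.2.44", "/anthropic/v1/models", None, "curl/8.5.0"),
    ("192.0.2.44", "/healthz", None, "curl/8.5.0"),
]


def cluster_tokenless_probes(records, prefix=20):
    """Group credential-less hits on PROXY_PATHS by source network."""
    clusters = defaultdict(lambda: {"hits": 0, "ips": set(), "agents": set()})
    for ip, path, auth, agent in records:
        if path not in PROXY_PATHS or auth:
            continue  # other paths, or a caller that presented a credential
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        entry = clusters[str(net)]
        entry["hits"] += 1
        entry["ips"].add(ip)
        entry["agents"].add(agent)
    return dict(clusters)


def coordinated(clusters, min_ips=3):
    """Networks where several IPs share a single user-agent."""
    return sorted(net for net, c in clusters.items()
                  if len(c["ips"]) >= min_ips and len(c["agents"]) == 1)


if __name__ == "__main__":
    found = cluster_tokenless_probes(SAMPLE)
    for net in coordinated(found):
        print(net, found[net]["hits"], "hits from", len(found[net]["ips"]), "IPs")
```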
## Ollama at scale

Port 11434 is the loudest AI-flavoured target we see, mostly because the default Ollama install binds to 0.0.0.0 with no auth, and the wordlists have caught up. Over the last 30 days:

| Probe path | Hits | Distinct IPs |
|---|---|---|
| `/api/tags` | 129 | 31 |
| `/api/generate` | 13 | 3 |
| `/api/ps` | 7 | 3 |
| `/api/pull` | 1 | 1 |
| `/` (banner check on 11434) | 248 | 120 |
| no path, raw TCP probe on 11434 | 549 | 95 |

`/api/tags` is the discovery probe and returns the list of models loaded into the server with no authentication required. The one we keep an eye on is `/api/pull`, which on an open Ollama instance lets any caller ask the server to download an arbitrary model from any registry the server can reach, including a custom GGUF the attacker controls. Only one probe of that path landed in our window, but it is sitting in the wordlist now and the volume on the other endpoints suggests it will get exercised soon.

Weekly distinct source IPs hitting port 11434 over the last 14 weeks:

```
2026-02-22   5 IPs  ▌
2026-03-01  72      █████████████████████
2026-03-08  85      █████████████████████████
2026-03-15  57      ████████████████
2026-03-22  69      ████████████████████
2026-03-29  57      ████████████████
2026-04-05  54      ███████████████
2026-04-12  69      ████████████████████
2026-04-19  44      █████████████
2026-04-26  52      ███████████████
2026-05-03  60      █████████████████
2026-05-10  67      ███████████████████
2026-05-17  35      ██████████
2026-05-24  27      ████████
```

Port 11434 went from a handful of probers a week in late February to a steady 50-80 distinct sources per week starting the first week of March 2026, and it has held in that band since. The recent dip in the last two weeks is at least partially an artefact of our snapshot ending mid-week. Either way, the port is now embedded in whatever rotation the broad-spectrum internet scanners are running.

## A focused AI-credential sweep

The most interesting single actor in our 90-day window is `183.81.169.236`, hosted on Amarutu Technology Ltd (NL).
On May 18, between 09:27 and 10:12 UTC, that IP ran a 45-minute coordinated sweep across our sensors using one wordlist that hit every interesting credential-storage convention used by modern AI tooling. The AI-relevant subset of what they tried:

```
/.claude/settings.json
/.claude/.credentials.json
/.claude/credentials.json
/.claude/config.json
/.claude/settings.local.json
/.claude/history.jsonl
/.claude/claude.md
/.claude.json
/root/.claude/.credentials.json
/root/.claude/claude.md
/root/.claude.json
/.anthropic/api_key
/.anthropic/config.json
/.config/anthropic/config.json
/claude_desktop_config.json
/.codex/auth.json
/.gemini/settings.json
/.deepseek/config.json
/.dashscope/api_key
/.openclaw/openclaw.json
/root/.nerve/.env
/root/.nerve/config.yaml
/root/.openclaw/.env
```

The coverage there spans Anthropic's first-party tooling (Claude Code, Claude Desktop, the Anthropic SDK conventions), OpenAI's Codex CLI (`.codex/auth.json`), Google's Gemini CLI (`.gemini/settings.json`), DeepSeek (`.deepseek/config.json`), Alibaba's DashScope (`.dashscope/api_key`), and at least two AI agent frameworks I had to look up (nerve and openclaw).

The same IP, in the same sweep, also went after the rest of the modern development environment:

```
/root/.aws/credentials
/root/.aws/config
/root/.aws/credentials.backup
/root/.aws/sso/cache/
/.aws/credentials
/.azure/credentials
/.docker/config.json
/docker-compose.yaml
/root/.ssh/id_rsa
/.ssh/known_hosts
/root/.bash_history
/root/.zsh_history
/root/.wallet-env
/credentials.json
/.credentials.json
/.env.development
/actuator/configprops
/instance/app.sqlite
```

What this tells you is the practical shape of opportunistic credential hunting in 2026. AI-provider API keys now sit in the wordlist alongside AWS, Azure, Docker, SSH, and shell history, treated as equally valuable targets.
The shell-history paths are in there because developers routinely paste API keys into one-liner test commands, and those commands persist in `~/.bash_history` long after the developer has forgotten about them. The list also tracks the tools developers actually use, which is why Claude Code (released 2024) is already in the rotation by the spring of 2026, alongside the Gemini CLI and OpenAI's Codex CLI.

The sample report for that IP, including the full path list and timing, is at [/lookup/183.81.169.236](https://honeylabs.net/lookup/183.81.169.236).

## OpenAI-compatible API reconnaissance

The OpenAI API shape (`/v1/chat/completions`, `/v1/embeddings`, `/v1/models`) has become the default contract for almost every self-hosted LLM stack, including vLLM, LM Studio, LocalAI, LiteLLM, and a long tail of Anthropic-compat shims that re-export the same endpoints under different routes. Scanners have started checking for it directly:

| Path | Hits | Distinct IPs | Distinct ASNs |
|---|---|---|---|
| `/v1/models` | 306 | 46 | 12 |
| `/v1/embeddings` | 168 | 9 | 1 |
| `/v1/completions` | 166 | 9 | 1 |
| `/v1/chat/completions` | 13 | 3 | 1 |

`/v1/models` is the discovery probe most self-hosted setups leave unauthenticated, and the response is the loaded model list as plain JSON. The near-identical 166-168 hit counts on `/v1/embeddings` and `/v1/completions`, coming from the same handful of source IPs, are the fingerprint of one or two actors iterating through the canonical OpenAI endpoint list against hosts they have already discovered some other way. The live slice is at [/lookup?q=path:/v1/](https://honeylabs.net/lookup?q=path:/v1/).
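For the credential sweep described in the previous section, an added detection example (not code from the original post): it flags any source that requests several distinct credential-style paths inside one 45-minute window. The log format, the regex coverage, the `min_paths` threshold and the sample lines are assumptions, and the sample IPs are RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Credential-storage conventions taken from the path lists in the post (not exhaustive).
CRED_RE = re.compile(
    r"/\.(claude|anthropic|codex|gemini|deepseek|dashscope|openclaw|nerve|aws|azure|docker|ssh)(/|$)"
    r"|/\.claude\.json$|/\.(bash|zsh)_history$|/\.?credentials\.json$|/\.env(\.|$)"
)
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')


def find_sweeps(lines, window=timedelta(minutes=45), min_paths=5):
    """Map source IP -> most distinct credential paths requested inside one window."""
    # Assumes combined-log-style lines in time order; thresholds are illustrative.
    recent = defaultdict(deque)  # ip -> (timestamp, path) hits still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, target = m.groups()
        path = target.split("?", 1)[0]
        if not CRED_RE.search(path):
            continue
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append((ts, path))
        while ts - hits[0][0] > window:
            hits.popleft()  # drop hits that have aged out of the window
        distinct = len({p for _, p in hits})
        if distinct >= min_paths:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


def sample_line(ip, hhmm, path):  # builds one constructed log line
    return f'{ip} - - [18/May/2026:{hhmm}:00 +0000] "GET {path} HTTP/1.1" 404 0'


# Constructed sample: documentation addresses, paths from the post's lists.
SAMPLE = [
    sample_line("192.0.2.9", "06:00", "/.env"),
    sample_line("203.0.113.7", "09:27", "/.claude/settings.json"),
    sample_line("203.0.113.7", "09:31", "/.codex/auth.json"),
    sample_line("198.51.100.20", "09:35", "/favicon.ico"),
    sample_line("203.0.113.7", "09:40", "/.gemini/settings.json"),
    sample_line("192.0.2.9", "09:45", "/.aws/credentials"),
    sample_line("203.0.113.7", "09:58", "/root/.aws/credentials"),
    sample_line("203.0.113.7", "10:12", "/root/.bash_history"),
    sample_line("192.0.2.9", "13:00", "/.ssh/known_hosts"),
]
```

Calling `find_sweeps(SAMPLE)` flags only the source that covered five credential paths within the window; the slow prober spread over seven hours stays below the threshold.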
## Port volume in context

30-day hit counts for AI-related ports alongside the legacy attack ports:

```
SMB      port 445    146,775  █████████████████████████████████████
RDP      port 3389   128,046  ████████████████████████████████
SSH      port 22      58,590  ██████████████
Telnet   port 23       5,879  █▌
LiteLLM  port 5001     4,906  █▎
LM Stud  port 1234     2,889  ▋
Ollama   port 11434    1,242  ▎
Gradio   port 7860       625  ▏
Stream   port 8501       415  ▏
```

The AI-related ports are running about two orders of magnitude behind the established attack surface, so calling Ollama-on-11434 a top attack vector would be overclaiming. The trajectory matters more than the absolute numbers though, because six months ago none of those AI ports showed any meaningful weekly volume at all, and now Ollama, LM Studio, and LiteLLM are all sitting at hundreds-to-thousands of hits per month from dozens-to-hundreds of distinct sources.

## What we are not calling adversarial

A few sources show up in the data that we deliberately do not classify as attackers. Censys, Inc. appears in the org list for port 11434 probes because their commercial reconnaissance scans the same surface, and they get tagged as research in our classifier rather than counted in the adversarial column. The same goes for the ClaudeBot and GPTBot user-agent strings that appear in some URL probes, which are search-and-training crawlers rather than attackers, even though they touch endpoints that overlap with our AI-flavoured targets.

The user-agent `ollama-scanner/1.0` is a harder call. Three IPs ran small sweeps totalling 26 requests across the 30-day window, with two of them sitting on Proton AG VPN exits in Switzerland and one on Hetzner Finland. Each IP issued between 4 and 12 hits and then stopped, which reads more like a researcher or a one-off curiosity script than a botnet operation, so we log it in its own category and decline to classify either way until we get more data.
## What is not in the data

We did not find URL probes containing literal `OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, or similar substring matches as path segments. Two requests for `/hf_token.env` showed up, and that was the entire population for that variant. The pattern across the dataset is that attackers go after the file paths where credentials are stored on disk (`.env`, `.claude/`, `.codex/`, `.aws/`, shell history) and let the keys fall out of the resulting files, which is more reliable than fuzzing the keys into URLs directly.

We also do not capture full HTTP POST bodies, which means anything that would only show up in a POST payload (prompt injection attempts, jailbreak prompts embedded in request bodies, ML model abuse) would not surface in this dataset and would need a different sensor design to catch.

## Run the queries yourself

Everything above came out of a small handful of SQL queries against the public honeypot dataset. The same data is available to anyone who wants to dig further:

- Boolean search: returns the live list of Ollama probers minus known research scanners. `/lookup?q=port:11434 AND NOT tag:scanner`
- Save the query as an IOC feed: open [/feeds](https://honeylabs.net/feeds), paste the query, mint a token-gated URL your firewall or SIEM can pull on a cron.
- Connect HoneyLabs into Claude, Cursor, or any other MCP client via the [MCP endpoint](https://honeylabs.net/mcp) and ask plain-English questions over the data.
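The post's point that keys pasted into one-liners persist in shell history can be checked on your own machines. The following is an added example, not code from the original post: it scans history text for key-shaped tokens and reports them redacted. The key prefixes (`sk-ant-`, `sk-`, `AKIA`) are assumptions about provider key formats that the post does not state, and the sample history is constructed.

```python
import re

# Assumed key shapes based on publicly known prefixes; not taken from the post.
KEY_PATTERNS = {
    "anthropic": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai-style": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed sample mixing bash (timestamp comment) and zsh (extended) history formats.
HISTORY = """\
#1747560000
curl https://api.anthropic.com/v1/messages -H "x-api-key: sk-ant-EXAMPLEEXAMPLEEXAMPLE01"
: 1747560100:0;export OPENAI_API_KEY=sk-EXAMPLEEXAMPLEEXAMPLE02
ls -la
aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE
"""


def redact(token, keep=6):
    """Keep a short prefix for identification and mask the rest."""
    return token[:keep] + "*" * (len(token) - keep)


def scan_history(text):
    """Return (line_no, kind, redacted_token) for each key-shaped token found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):  # bash timestamp lines written when HISTTIMEFORMAT is set
            continue
        line = re.sub(r"^: \d+:\d+;", "", line)  # strip zsh extended-history prefix
        for kind, pattern in KEY_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((line_no, kind, redact(match.group())))
    return findings


if __name__ == "__main__":
    for line_no, kind, token in scan_history(HISTORY):
        print(f"line {line_no}: {kind} {token}")
```

Feed it the contents of `~/.bash_history` or `~/.zsh_history`; any hit means the key should be rotated, since removing the history line does not invalidate a key that may already have been read.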