What is LLMjacking?

LLMjacking is the theft and resale of LLM API keys for unauthorized inference. A documented Claude Opus victim case ran 4.5 days at ~$50K; premium-model abuse can exceed $100K/day.

Full explanation

An attacker steals an LLM API key (OpenAI, Anthropic) through a leaked .env file, a leaked .claude/ config, or a Bitwarden CLI hijack. The attacker drops the key into an open-source reverse proxy and lists access on dark-web markets at ~$30/key. The victim sees inference charges accumulating with no easy attribution.

Example

The April 2026 Bitwarden CLI hijack specifically hunted the .claude/, .cursor/ and .continue/ paths to harvest LLM keys for LLMjacking pools.
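
A defensive audit for the exposure described above, as an added example that is not part of the original page: it walks a directory tree and reports key-like strings stored in .env files and under the .claude/, .cursor/ and .continue/ paths, masking the values and noting whether other users can read the file. The key pattern, the function names and the sample tree are assumptions made for this illustration.

```python
import os
import re
import stat
import tempfile

# Locations this page names as harvest targets (.env matched by file name below).
TARGET_DIRS = {".claude", ".cursor", ".continue"}
# Assumption: approximate key shapes ("sk-..." / "sk-ant-..."), not a vendor spec.
KEY_RE = re.compile(r"\bsk-(?:ant-)?[A-Za-z0-9_-]{20,}")

def audit(root):
    """Report key-like strings stored in the targeted locations under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        parts = set(os.path.relpath(dirpath, root).split(os.sep))
        for name in filenames:
            is_env = name == ".env" or name.startswith(".env.")
            if not (is_env or parts & TARGET_DIRS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    text = fh.read(1_000_000)
                mode = os.stat(path).st_mode
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            for key in KEY_RE.findall(text):
                findings.append({
                    "path": os.path.relpath(path, root),
                    "key": key[:7] + "...",  # masked: the report must not leak it
                    "provider": "anthropic" if key.startswith("sk-ant-") else "openai-style",
                    "others_can_read": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                })
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Audit a constructed tree; file names and keys are fake sample data."""
    samples = {
        ".env": ("OPENAI_API_KEY=sk-" + "X" * 32 + "\n", 0o644),
        os.path.join(".claude", "config.json"): ('{"key": "sk-ant-' + "Y" * 32 + '"}', 0o600),
        os.path.join("src", "notes.txt"): ("sk-" + "Z" * 32 + "\n", 0o644),  # out of scope
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mode) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return audit(root)
```

Any key this reports should be treated as exposed: rotate it at the provider and move it out of plaintext files.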

FAQ

How fast does LLMjacking burn money?

$50K-$100K/day on premium models. A documented Claude Opus victim hit ~$50K in 4.5 days.