SentinelOne and Censys find 175,000 exposed AI servers using Ollama software

SentinelOne's SentinelLabs and Censys published joint research on January 29, 2026, identifying 175,108 unique publicly exposed Ollama hosts across 130 countries. A 293-day scan produced 7.23 million observations of these open-source large language model deployments running outside major platforms' security controls. Top models observed include Meta's Llama, Alibaba's Qwen2, and Google's Gemma2. Nearly half (48%) of hosts advertise tool-calling, which can execute code, call APIs, and interact with external services without authentication. Researchers found at least 201 instances running uncensored prompt templates that bypass safety guardrails. Geographic concentrations show over 30% of hosts in China and about 20% in the US, with many on residential networks. The report warns of "LLMjacking," where attackers hijack these hosts for spam, phishing, disinformation, data theft, scams, and child sexual abuse material. A persistent core of roughly 23,000 hosts supplies reliable criminal compute. IT teams should secure Ollama by binding it to localhost, adding authentication, and implementing monitoring and logging.

Why It Matters

• Bind Ollama to localhost (127.0.0.1:11434) and add authentication to prevent public exposure of LLM hosts.
• Audit and firewall tool-calling endpoints; 48% of hosts enable high-risk operations such as code execution and external API access.
• Scan environments for uncensored prompt templates (201+ instances identified) and enforce logging, rate limits, and safety guardrails on open-source LLM hosts.
• Monitor residential and edge infrastructure and prioritize response for the persistent core of ~23,000 hosts that provide reliable criminal compute.