A joint investigation by SentinelOne SentinelLabs and Censys has found 175,000 unique Ollama hosts across 130 countries forming an unmanaged, publicly accessible layer of AI compute infrastructure. The exposed systems span cloud and residential networks worldwide and operate outside the guardrails of platform providers, with China accounting for a little over 30% of the exposures.
The countries with the largest footprints include the United States, Germany, France, South Korea, India, Russia, Singapore, Brazil, and the United Kingdom. More than 48% of observed hosts advertise tool-calling capabilities via their API endpoints, enabling them to execute code, access APIs, and interact with external systems, which researchers say alters the threat model for LLMs.
The findings note a criminal operation that scans for exposed Ollama instances, validates endpoints, and monetises access via a marketplace attributed to a threat actor named Hecker (aka Sakuya and LiveGamer101), according to Pillar Security. Ollama is an open‑source framework that runs locally on Windows, macOS and Linux and binds to 127.0.0[.]1:11434 by default, but can be exposed to the public internet with a simple configuration change.