Permiso has found that some attackers are using hijacked LLM infrastructure to power highly inappropriate AI chatbot services. In this article we will explain the methods we are observing attackers use when performing LLMJacking/LLMHijacking in AWS, why attackers are performing this type of attack, how to detect these methods, and potentially most importantly, provide insight into how attackers and their downstream clients are using the hijacked LLM resources.