Scene 1: The Bill.

On the morning of February 13, 2026, three developers in Mexico opened their Google Cloud console and saw a number that did not belong to them. $82,314.44. The charges had landed in two days. The line items pointed to Gemini 3 Pro Image and Gemini 3 Pro Text. The team's normal monthly spend was $180. They had not made the calls. Someone had. And somewhere between the API key and the billing system, the charges had cleared as if nothing about the request was unusual, because in every way the system could measure, nothing was. The key was valid. The endpoint answered. The meter ran.

Scene 2: The Storefront.

In December 2025 a researcher at Pillar Security set out honeypots, fake LLM endpoints meant to look like the soft underside of an enterprise. In 40 days they took 35,000 attack sessions. The traffic led back to a commercial gateway calling itself silver.inc, hosted on bulletproof infrastructure in the Netherlands and marketed across Discord and Telegram. The operator went by Hecker. The product was access. A subscriber could route inference through more than 30 model providers, AI21, Anthropic, AWS Bedrock, Azure OpenAI, Mistral, Vertex, OpenAI, ElevenLabs, and pay in crypto or PayPal. Pillar named the campaign Operation Bizarre Bazaar. The name flatters the marketplace. The thing itself is a wholesale supplier.

Scene 3: The Defendants.

Microsoft sealed a complaint in the Eastern District of Virginia in December 2024 and unsealed an amended one on February 27, 2025, naming four men on three continents. Arian Yadegarnia in Iran, alias Fiz. Alan Krysiak in the United Kingdom, alias Drago. Ricky Yuen in Hong Kong, alias cg-dot. Phat Phung Tan in Vietnam, alias Asakuri. Two more defendants in Illinois and Florida sit under seal pending criminal referral. Microsoft calls the network Storm-2139. The complaint describes a three-tier business, Creators who built the bypass tools, Providers who modified and resold them, Users who consumed cheap inference. The case is civil. There have been no arrests, and as of this week there are no criminal charges. The law is two years behind the meter.

Operatives, last week the file was the opt-out. 38 companies, 8 documented ways to make a right impossible to use, an address that stayed in circulation until a man with a notebook came to a legislator's door. The thing the citizen had been told was his protection was a prop.

This week the file is the meter. The opt-out turned your address into a product because the law treated information as an asset and refused to ask who got to mint it. The same architecture has come for compute. An API key, the kind a developer wrote into a side project at midnight, has quietly become a payment instrument. A free trial has become wholesale inventory. A session cookie has become a wire transfer. The model itself, the thing the headlines write about, is the smallest piece of the story. The interesting piece is the meter behind it, and who has learned to make it run for someone else's bill.

The Case. LLMjacking, the name the security industry has settled on, sounds technical. It is not. It is the conversion of someone else's AI access into your inventory, and the conversion is now systematic enough that researchers have named the marketplaces, indexed the prices, profiled the operators, and watched the gross merchandise volume grow by a documented 376% from one quarter to the next. The first agentic fraud market is here. It arrived as a cloud bill.

The Stakes. The headlines focus on the dev team in Mexico because the dev team is photogenic. The threat reaches further. The session cookie a Russian-Market vendor sells for $10 is yours, if your laptop has an infostealer on it. The Chrome extension that 900,000 people installed last winter was exfiltrating their conversations every 30 minutes. The OAuth consent screen that looked exactly like Microsoft, because it was served from Microsoft's own domain with a valid Microsoft certificate, was a phishing rig. This is not a developer problem. It is the next consumer fraud, and it is already running.

Same architecture as last week. A thing the public did not realize had become a product. A market sized for someone else. This week the product is your access. The bill arrives in your name.

The Operative's Observation

The Criminal Playbook

The supply chain is unromantic, which is what makes it dangerous. Begin where the supply begins. A developer leaves an OpenAI key in a committed file on GitHub at 11 p.m. on a Tuesday. The security firm GitGuardian, whose business is watching exactly this, has documented that bots find a newly committed key in under four minutes. A single startup that left an OpenAI key public for 11 days came back to a $67,000 bill, against a $400 monthly average. A solo developer with one careless commit lost $87,000 overnight. The key was the door. The bot was already inside before the developer had brushed his teeth.

From the supply, the access moves to validation. The crews run a Python tool called keychecker, an open-source script that tries each captured credential against Anthropic, Bedrock, Vertex, Mistral, OpenAI, and the rest, marks which models the key can reach, which regions it can call, and what the rate limit will bear. A key that runs Claude Opus is worth more than one that runs an old GPT. A key whose owner has logging disabled is worth more than one whose owner pays attention. The crews are pricing inventory, the same way a card-fraud crew once priced a Visa Platinum against a Visa Classic.

From validation, the access moves to product. The product, in most of the documented cases, is not a Bond villain. It is a chatbot. Sysdig's tracking of the original 2024 LLMjacking campaign found the dominant downstream demand was uncensored roleplay communities on platforms like JanitorAI, Venus, and the 4chan /g/ board's AICG threads, where users wanted Claude or GPT without the filter and without the bill. The crews satisfied both, sometimes through a piece of software called oai-reverse-proxy that hides the stolen key behind a chat front end, sometimes through hosted instances on HuggingFace, sometimes through a Rentry.co paste circulated like a speakeasy address. The same tool family resurfaced when DeepSeek shipped, and the proxy operators added DeepSeek-V3 within days of release and DeepSeek-R1 within 24 hours, watching model launches the way enterprise buyers watch them.

From product, the access moves to revenue. eSentire's research desk found a market called LLM Paradise selling around 400 stolen AI account credentials a day at roughly $10 each, with OpenAI accounts the most plentiful and Claude the most prized. silver.inc charges its subscribers a monthly fee. Operators at the higher end run, by independent estimate, $1 million-per-year businesses on stolen capacity, while the victim, a customer in Pennsylvania or New Jersey or Mexico City, eats the bill. Sysdig's first 2024 worst-case scenario set the burn rate at $46,000 a day. Bedrock incidents this year have run $18,000 a day per region and one Claude Opus victim saw a single model's charges hit $38,951.55 from one breach. The headlines now flirt with $100,000 a day for the top-tier incidents, and the flirtation is supported by the receipts.

From revenue, the access moves to the next door. The Gemini story is the cleanest illustration. Truffle Security found, late in 2025, that Google had changed the rules of its own API key system in a way no developer noticed, so that the keys originally treated as harmless project identifiers for Maps and Firebase could now authenticate to Gemini. The firm identified 2,863 such keys live on websites, and roughly 35,000 more extracted from mobile apps, every one of them a credential that was safe on Monday and a billing instrument on Tuesday. The platform did not steal the authority. The platform simply assigned it. The fraud lived in the gap between what the developer thought he had and what the credential could now do.

This is the place to look for the next decade of fraud, because the same gap is opening on every paid surface the AI economy touches. An MCP server given an OAuth scope. A delegated wallet handed to an agent. A subscription model that bills per call. A research project's API budget. A family-office assistant given Microsoft 365 access. Each one of those is an authority decision being made in the same casual posture as that midnight commit. Compute has become a resellable asset, and the systems that price it have not yet learned to ask who is allowed to spend it.

Field Manual

How to keep your AI access from becoming someone else's inventory.

The Pardon Ledger

Week 10 of a continuing record.

The justice.gov clemency page has not posted a new financial-crime grant since the winter batch. The Ledger keeps its column. This week the column tracks the same disease on a different surface, because the two stories have started to rhyme.

The parallel. Microsoft has sued a four-country syndicate for industrializing the theft of cloud AI. The complaint names defendants in Iran, the United Kingdom, Hong Kong, and Vietnam, and describes a three-tier business that drained the prepaid Azure OpenAI accounts of American companies in Pennsylvania and New Jersey. The complaint is civil. There are no criminal charges. There are no arrests. The Department of Justice has not appeared in the matter. The corporation, owning the platform, has acted. The state, owning the law, has not.

The same vacuum the Ledger has documented week after week, the financial-crime conviction quietly wiped, the answer to a congressional letter never made public, has now reproduced itself in the new fraud era. The fraud has scaled. The prosecution has not. The pattern is not partisan and not new. It is the standing condition. The Ledger remains the record, because in this story the record is, again, the only thing that is keeping count.

Stay sharp. Trust slowly. Verify everything.

The Fraudfather

This newsletter is for informational purposes only and promotes ethical and legal practices.