Security News

Cybersecurity news aggregator

LOW Attacks Reddit r/netsec

What scanners are actually trying against AI infrastructure

  • What: Scanners probe AI infrastructure for vulnerabilities
  • Impact: Indicates increased interest in AI system security

Blog · 2026-05-28

What scanners are actually trying against AI infrastructure

Three weeks of one Dutch ASN sending 3,861 hits at Anthropic-proxy paths. Port 11434 (Ollama) holding 50-80 distinct source IPs per week since March. A single 45-minute sweep from one IP that lists credential paths for Claude, Codex, Gemini, DeepSeek, DashScope, AWS, Azure, Docker, and shell history.

What stood out

Between May 5 and May 27, a single Dutch ASN (Pfcloud UG, AS51396) sent 3,861 hits to two URL paths on our sensors:

  /anthropic/v1/models          2,013 hits
  /proxy/anthropic/v1/models    1,848 hits

That is the exact path shape used by reverse proxies fronting api.anthropic.com. The scanner does not include a Bearer token. It is checking whether the host responds at all.

User-agent across all 3,861 hits: Mozilla/5.0 (compatible; scanner/1.0). Three source IPs, all in the same /20 of Pfcloud's NL network. One of them (176.65.148.177) has the rDNS anondrop.net.

The shape matches reconnaissance for misconfigured Anthropic proxies. The win condition is finding a public-facing wrapper that holds a real Anthropic key, accepts any caller, and becomes free billable credit for whoever finds it.

You can see the cluster live at /asn/51396.

Ollama at scale

Ollama is the loudest AI-flavoured target. Port 11434, default install, no auth by default. Over the last 30 days:

  Probe path                            Hits   Distinct IPs
  /api/tags                              129             31
  /api/generate                           13              3
  /api/ps                                  7              3
  /api/pull                                1              1
  / (banner check on 11434)              248            120
  no path, raw TCP probe on 11434        549             95

/api/tags is the cheap discovery probe. It returns the list of models loaded into the server. No auth needed by default.

/api/pull is the worth-watching one: on an open Ollama instance, anyone hitting it can ask the server to download an arbitrary model from any registry the server reaches. That model can be a custom GGUF the attacker controls. We see one hit so far, but the path is in the wordlist.
Weekly distinct source IPs hitting port 11434 over the last 14 weeks:

  2026-02-22    5 IPs  ▌
  2026-03-01   72      █████████████████████
  2026-03-08   85      █████████████████████████
  2026-03-15   57      ████████████████
  2026-03-22   69      ████████████████████
  2026-03-29   57      ████████████████
  2026-04-05   54      ███████████████
  2026-04-12   69      ████████████████████
  2026-04-19   44      █████████████
  2026-04-26   52      ███████████████
  2026-05-03   60      █████████████████
  2026-05-10   67      ███████████████████
  2026-05-17   35      ██████████
  2026-05-24   27      ████████

The Ollama port jumped from a handful of probers per week to roughly 50-80 in the first week of March 2026 and has held there since. Port 11434 now sits in the standard internet-wide scan rotation.

A focused AI-credential sweep

On May 18, between 09:27 and 10:12 UTC, one IP (183.81.169.236, on Amarutu Technology Ltd, NL) hit our sensors with a single coordinated wordlist. It was not fuzzing. The list was specific. Excerpting just the AI-related paths:

  /.claude/settings.json
  /.claude/.credentials.json
  /.claude/credentials.json
  /.claude/config.json
  /.claude/settings.local.json
  /.claude/history.jsonl
  /.claude/claude.md
  /.claude.json
  /root/.claude/.credentials.json
  /root/.claude/claude.md
  /root/.claude.json
  /.anthropic/api_key
  /.anthropic/config.json
  /.config/anthropic/config.json
  /claude_desktop_config.json
  /.codex/auth.json
  /.gemini/settings.json
  /.deepseek/config.json
  /.dashscope/api_key
  /.openclaw/openclaw.json
  /root/.nerve/.env
  /root/.nerve/config.yaml
  /root/.openclaw/.env

That covers Anthropic (Claude Code, Claude Desktop, the Anthropic SDK convention), OpenAI Codex CLI (.codex/auth.json), Google's Gemini CLI (.gemini/settings.json), DeepSeek (.deepseek/config.json), Alibaba's DashScope (.dashscope/api_key), and at least two AI-agent frameworks (nerve, openclaw).
In the same sweep, the same IP also tried:

  /root/.aws/credentials
  /root/.aws/config
  /root/.aws/credentials.backup
  /root/.aws/sso/cache/
  /.aws/credentials
  /.azure/credentials
  /.docker/config.json
  /docker-compose.yaml
  /root/.ssh/id_rsa
  /.ssh/known_hosts
  /root/.bash_history
  /root/.zsh_history
  /root/.wallet-env
  /credentials.json
  /.credentials.json
  /.env.development
  /actuator/configprops
  /instance/app.sqlite

This is the modern shape of opportunistic credential hunting. The wordlist treats AI-provider credentials as a first-class target alongside AWS, Azure, Docker, SSH keys, and shell history. Shell history sits in the list because developers paste API keys into one-liner test commands and the keys persist in ~/.bash_history afterwards.

The wordlist tracks the tools developers actually use. Claude Code shipped in 2024 and is in the wordlist by 2026. Same for the Gemini CLI and Codex CLI.

Sample report for that IP: /lookup/183.81.169.236.

OpenAI-compatible API reconnaissance

The OpenAI API shape (/v1/chat/completions, /v1/embeddings, /v1/models) is the default contract for almost every self-hosted LLM stack. vLLM, LM Studio, LocalAI, LiteLLM, and many Anthropic-compat shims all expose it. Counts over the last 30 days:

  Path   Hits   Distinct IPs   Distinct ASNs
  /...
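
One way to flag these probe shapes in your own web logs, as an added example that is not part of the original post: it labels request paths by the categories described above and reports any source IP that requests several distinct credential files within a 45-minute window. The log layout (timestamp, source IP, path), the labels, the threshold and the sample lines are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Path shapes are from the post; labels are this example's own. Not the full wordlist.
RULES = [
    ("anthropic-proxy-recon", re.compile(r"^/(proxy/)?anthropic/v1/models$")),
    ("ollama-probe", re.compile(r"^/api/(tags|generate|ps|pull)$")),
    ("credential-file", re.compile(
        r"/\.(claude|anthropic|codex|gemini|deepseek|dashscope|openclaw|nerve|aws|azure|docker|ssh)(/|\.json$)"
        r"|/\.(bash|zsh)_history$|/claude_desktop_config\.json$")),
    ("openai-compat-recon", re.compile(r"^/v1/(chat/completions|embeddings|models)$")),
]

def classify(path):
    """Return the first matching category label, or None for unrelated paths."""
    for label, rx in RULES:
        if rx.search(path):
            return label
    return None

def credential_sweeps(lines, window=timedelta(minutes=45), min_paths=4):
    """Map each source IP that asked for >= min_paths distinct credential files
    inside one window to the sorted list of those paths."""
    hits = defaultdict(list)
    for line in lines:
        ts, ip, path = line.split()  # assumed layout: ISO-timestamp ip path
        if classify(path) == "credential-file":
            hits[ip].append((datetime.fromisoformat(ts), path))
    flagged = {}
    for ip, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):  # slide the window over each hit
            paths = {p for t, p in seen[i:] if t - start <= window}
            if len(paths) >= min_paths:
                flagged[ip] = sorted(paths)
                break
    return flagged

# Constructed sample (documentation IPs, UTC timestamps), not sensor data.
SAMPLE = """\
2026-05-18T09:27:03 203.0.113.7 /.claude/.credentials.json
2026-05-18T09:31:40 203.0.113.7 /.codex/auth.json
2026-05-18T09:40:12 203.0.113.7 /root/.aws/credentials
2026-05-18T10:05:55 203.0.113.7 /root/.bash_history
2026-05-18T09:30:00 198.51.100.9 /anthropic/v1/models
2026-05-18T08:00:00 192.0.2.44 /.gemini/settings.json
2026-05-18T11:30:00 192.0.2.44 /.docker/config.json
""".splitlines()
print(credential_sweeps(SAMPLE))
```

Requests for these files should never succeed from a web root, so any 200 response to a "credential-file" path is worth alerting on regardless of the sweep threshold.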
