LLMjacking: How Stolen AI Keys Become $82,000 Cloud Bills

By WP Vanguard Team

In February 2026, an anonymous developer running a Mexico-based startup discovered their Google Gemini API key had been compromised. Within 48 hours, attackers had run up $82,314.44 in unauthorized charges, a 46,000% spike from the developer's usual $180 monthly spend. The bill arrived before they had any chance to react.

That story has a name now. LLMjacking. Hijack a key, point it at the most expensive AI models you can find, run inference until rate limits or revoked credentials shut you down. The victim's cloud provider does the heavy lifting, the bill lands on the victim, and the attacker walks away with compute time they can resell, use for spam generation, or burn just to grief.

For WordPress site owners, LLMjacking matters because WordPress 7.0 just shipped a native AI client into core. Every site that connects an AI provider through a plugin is now a potential LLMjacking target. This post walks through what LLMjacking is, the economics that make it the most attractive credential-theft pattern of 2026, and what WordPress site owners specifically need to do.

What LLMjacking Actually Is

LLMjacking is a portmanteau of "LLM" (large language model) and "jacking" (as in carjacking or hijacking). It refers to the unauthorized use of someone else's AI provider account for inference workloads, paid for by the victim.

The pattern works like this:

  1. An attacker obtains an AI provider's API key. The most common sources are public GitHub repos, leaked .env files, exposed configuration files, and vulnerable plugins on WordPress sites.
  2. The attacker validates the key by making a low-cost test call.
  3. Once validated, the attacker hammers the key against the most expensive model the provider offers (frontier-tier image models, the largest text models, the longest-context configurations).
  4. The provider bills the legitimate account holder.
  5. The attacker either uses the inference output (for spam content generation, deepfakes, malware code generation), or resells API access to other attackers at a steep discount.

The key insight is that the attacker doesn't need to monetize stolen data, run their own infrastructure, or find buyers in seedy corners of the internet. The provider's billing API does the monetization. The provider's compute does the work. The victim's credit card does the paying.

The Economics Are Different From Older Credential Theft

To understand why LLMjacking exploded in 2026, compare it to the older theft economies it's displacing.

Stolen credit cards require a buyer pipeline. Carding markets, fraudulent merchants, money mules, eventual cashout. Every step takes time, and every step has a cut. The attacker who steals a card gets maybe 5 to 15 cents on the dollar after all the middlemen take their share.

Stolen logins (social media, email, banking) require a sale pipeline or a use-case the attacker can monetize. Account-takeover fraud, phishing platform creation, or selling to credential-stuffing operators. Same story: lots of middlemen, slow conversion, low cents-on-the-dollar.

Stolen API keys convert directly. The attacker runs curl and bills the victim in real time. There's no buyer, no money mule, no cashout. The compute itself is the product. A $50 query against an enterprise-tier model can be run hundreds of times per minute against a single key. The attacker's only cost is the time to write the script.

For AI keys specifically, the unit economics are extraordinary. A Gemini 3 Pro Image query can cost the provider's customer a dollar or more. An hour of automated abuse against one key can generate thousands of dollars in legitimate-looking usage. That's why the $82,000 bill story isn't an outlier. It's a baseline.

Where Attackers Find Keys

LLMjacking is a scanner-and-scrape economy. The attackers aren't dropping zero-days. They're running automation against the cheap leak sources.

Public GitHub repos. GitGuardian's State of Secrets Sprawl 2026 report counted 29 million secrets exposed in public GitHub commits in 2025 alone, up 81% year over year. AI provider keys (Anthropic, OpenAI, Google Gemini) made up a growing share, driven by developers experimenting with new tools and forgetting to add .env to .gitignore.

MCP configuration files. The Model Context Protocol uses configuration files that often contain API keys in plain text. GitGuardian found 24,008 unique secrets exposed in MCP-related configuration files on public GitHub, with 2,117 confirmed valid.

Vulnerable WordPress plugins. The AI Engine plugin (CVE-2025-11749) printed its MCP bearer token directly into the public REST API index. Any visitor could read it. 100,000 sites were affected. Other AI plugins have had similar disclosure patterns, including the class of conversation-history prompt injection bugs across 8 of 17 tested chatbot plugins.

Supply chain compromises. On March 24, 2026, two versions of LiteLLM (1.82.7 and 1.82.8) were published to PyPI with malicious code. The attacker, the threat group TeamPCP, used a three-stage payload to harvest credentials from any environment that imported the library, including 50+ categories of secrets. PyPI quarantined the package within three hours, but for a library used in AI proxy stacks across enterprise environments, three hours was enough.

Browser autofill caches. Patchstack founder Oliver Sild disclosed that the WordPress 7.0 AI integration setup form caches API keys in browser autofill, exposing them in the autocomplete dropdown to anyone with browser access.

The WordPress-Specific Risk

A WordPress site connected to an AI provider is an LLMjacking target for three reasons.

Reason one: the keys are valuable. AI provider keys with no spending cap are worth thousands of dollars per hour to an attacker. The math on attacking a WordPress site for its AI keys is better than the math on most other credential theft.

Reason two: the surface is wide. WordPress runs 500 million sites. The AI plugin ecosystem is fragmented across dozens of plugins, each with its own key storage approach, settings UI, and REST endpoint pattern. Even if 95% of plugins handle keys safely, the 5% that don't are still tens of thousands of sites.

Reason three: the audit trail is weak. Most WordPress sites don't have admin-level logging of which user accessed which settings page when. If a key is leaked through a plugin settings page that an Editor-role user shouldn't have been able to read, the site owner often can't reconstruct who saw what. The provider's billing dashboard is sometimes the first place anyone notices anything is wrong.

The Detection Lag Problem

The hardest part of LLMjacking defense is that detection often happens after the damage. Cloud providers bill monthly, and most developers check the bill once a month. The $82,000 Gemini case made headlines because the spike was so dramatic that the developer caught it within days. Smaller, slower-burning attacks (a few hundred dollars a day instead of tens of thousands per hour) often run for weeks before anyone notices.

Standard provider tooling helps but isn't sufficient. Most providers offer billing alerts at thresholds, but the default thresholds are set conservatively and many developers never configure them. Per-key spend limits exist but require deliberate setup. Anomaly detection is improving but lags behind attacker behavior.

For WordPress site owners, the detection gap is even wider because the key often lives in a plugin's settings, not in the developer's direct view. The first signal of abuse is usually the bill.
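
To make the detection lag concrete, here is an added example (not from any provider's tooling) that replays an hourly usage export and reports, per key, when an alert would first fire and how much had been spent by then. The record format, the key labels, and both thresholds are assumptions; the sample log is constructed.

```python
from collections import defaultdict, deque

def first_alerts(records, monthly_baseline_usd, burst_factor=10, daily_factor=3):
    """Return, per key, the first hour an alert fires and the spend accrued by then.

    records: iterable of (hour_index, key_label, usd) rows from a usage export.
    """
    per_hour = monthly_baseline_usd / (30 * 24)  # expected hourly spend
    per_day = monthly_baseline_usd / 30          # expected daily spend
    by_key = defaultdict(list)
    for hour, key, usd in sorted(records):
        by_key[key].append((hour, usd))

    alerts = {}
    for key, rows in by_key.items():
        window, total = deque(), 0.0
        for hour, usd in rows:
            total += usd
            window.append((hour, usd))
            while window[0][0] <= hour - 24:      # keep a trailing 24-hour window
                window.popleft()
            day_sum = sum(u for _, u in window)
            if usd > burst_factor * per_hour:
                kind = "burst"                    # one hour far above the baseline
            elif day_sum > daily_factor * per_day:
                kind = "slow-burn"                # each hour looks plausible, the day does not
            else:
                continue
            alerts[key] = {"hour": hour, "kind": kind, "spent_total": round(total, 2)}
            break
    return alerts

# Constructed usage log for two hypothetical keys, both with a $180/month baseline.
SAMPLE = (
    [(h, "site-a", 0.25) for h in range(48)] + [(h, "site-a", 400.0) for h in range(48, 54)]
    + [(h, "site-b", 0.25) for h in range(24)] + [(h, "site-b", 1.00) for h in range(24, 72)]
)

if __name__ == "__main__":
    for key, alert in first_alerts(SAMPLE, monthly_baseline_usd=180).items():
        print(key, alert)
```

The hourly rule catches the fast ramp in its first hour, while the slower pattern only trips the 24-hour window rule sixteen hours after it starts, which is why both checks are worth running.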

Five Defenses Worth Setting Up Today

If you operate any WordPress site connected to an AI provider, these five steps materially reduce LLMjacking exposure.

1. Per-key spend limit at the provider. Every major AI provider (Anthropic, OpenAI, Gemini, Mistral, Cohere) supports per-key spending caps. Set them to the lowest viable amount for the site's actual usage. The $82,000 Gemini bill happened because there was no cap. With a $100 cap, the worst case is $100.

2. Billing alert at the provider. Set an alert at $5 above your typical monthly spend. Modern LLMjacking attacks ramp fast. An alert that fires within an hour gives you time to rotate the key before serious damage accumulates.

3. Scope-limited keys per site. Don't reuse a single key across multiple WordPress sites or development environments. Generate a fresh key per site, label it with the site domain, and restrict it to only the models and rate limits that site actually needs.

4. Plugin vulnerability inventory. Every plugin handling AI keys gets reviewed against the Wordfence and Patchstack databases for any disclosure in the last 90 days. Plugins with active CVEs on their settings or REST endpoints are key-leak risks until patched. Our weekly vulnerability roundup tracks the highest-impact ones.

5. Regular surface scan. WP Vanguard's free scanner checks the REST API index and exposed configuration paths for token leakage on every site you run. Doing this weekly catches new leaks before they convert into bills. The deep scan (with SSH) covers the option-storage and capability-mapping checks that an unauthenticated scan can't reach.
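
The leak sources listed under "Where Attackers Find Keys" and the surface scan in step 5 come down to the same check on your own assets: look for key-shaped strings in config text and for token-like segments in the REST API index. The following is an added example, not WP Vanguard's scanner or code from any plugin. The key patterns are assumptions based on commonly seen provider prefixes, the example-ai route is hypothetical, and every sample value is constructed.

```python
import json
import math
import re
from collections import Counter

# Assumed key shapes based on commonly seen provider prefixes; extend as needed.
KEY_PATTERNS = {
    "anthropic": re.compile(r"sk-ant-[A-Za-z0-9_-]{20,}"),
    "openai": re.compile(r"sk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "google": re.compile(r"AIza[A-Za-z0-9_-]{35}"),
}

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def looks_random(seg, min_len=20, min_bits=3.8):
    """Long URL-safe segment with a digit and high entropy: likely a token, not a slug."""
    return bool(len(seg) >= min_len and re.fullmatch(r"[A-Za-z0-9_-]+", seg)
                and any(c.isdigit() for c in seg) and entropy(seg) >= min_bits)

def scan_text(source, text):
    """Return (source, provider, redacted match) for each key-shaped string."""
    return [(source, name, m.group()[:8] + "...")
            for name, rx in KEY_PATTERNS.items() for m in rx.finditer(text)]

def scan_rest_index(index):
    """Check a parsed /wp-json/ index for keys anywhere and tokens in route paths."""
    findings = scan_text("rest-index", json.dumps(index))
    for route in index.get("routes", {}):
        for seg in route.strip("/").split("/"):
            if looks_random(seg):
                findings.append((route, "random-segment", seg[:8] + "..."))
    return findings

# Constructed samples: no real keys, and the plugin route below is hypothetical.
FAKE_TOKEN = "q7Rk2ZpX9vLm4TfB8wNc3HsY"
SAMPLE_ENV = "GEMINI_API_KEY=AIza" + "EXAMPLE" * 5 + "\nWP_DEBUG=false\n"
SAMPLE_INDEX = {"name": "Example Site", "namespaces": ["wp/v2", "example-ai/v1"], "routes": {
    "/": {}, "/wp/v2/posts/(?P<id>[\\d]+)": {},
    "/wp/v2/users/(?P<user_id>(?:[\\d]+|me))/application-passwords": {},
    f"/example-ai/v1/{FAKE_TOKEN}/events": {},
}}

if __name__ == "__main__":
    for finding in scan_text(".env", SAMPLE_ENV) + scan_rest_index(SAMPLE_INDEX):
        print(finding)
```

Findings are redacted to the first eight characters so the scan output does not become a second copy of the secret.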

What to Do If You've Already Been Hit

If you check your provider dashboard and find unauthorized usage:

  1. Revoke the key immediately at the provider, before doing anything else. Don't investigate first. The longer the key stays live, the bigger the bill.
  2. Document the timeline. Note the timestamps of the abuse, the models used, the call volume. This documentation matters when you ask the provider for a refund.
  3. Identify the leak source. Was it a plugin? A .env file? A leaked GitHub commit? The fix depends on the source.
  4. Patch the leak. Deactivate the plugin, rotate every other credential the leak source had access to (not just the AI key), and verify your other AI keys aren't compromised through the same channel.
  5. Contact the provider for a partial refund. Most providers will refund some portion of unauthorized usage if you can demonstrate the key was leaked through their tooling or a known supply-chain issue (like the LiteLLM compromise). They're less generous if the leak was from your own code or config.
  6. Run a full site audit. A leaked AI key is often part of a larger compromise. Read our guide on signs your WordPress site has been hacked and run the deeper checks. Consider a professional code audit if the site is high-value.

The Year Ahead

LLMjacking is going to get worse before it gets better. The economics are too good for attackers and the defensive tooling is still catching up. The mitigations that work in 2026 are the same mitigations that worked for older credential-theft economies: limit blast radius (per-key caps), monitor for anomalies (billing alerts), reduce leak surface (audit plugins, rotate keys), and assume any key in any non-secured location is already compromised.

WordPress 7.0 raises the stakes by making AI integration easier and more common. That's a good thing for the platform. It's also an invitation for the LLMjacking economy to come find WordPress sites at scale.

The defense is the same as it's been for the last twenty years: assume the worst, prepare anyway, and audit constantly.


Audit your WordPress site for leaked AI keys. WP Vanguard's free surface scan checks the REST API index and exposed configuration paths in under 30 seconds. No signup required.

For high-value sites: Wbcom Designs' WordPress Security Hardening and independent Code Audit services cover the deeper review that automated scanners can't replace.
