4 Sources
[1]
Open-source AI models vulnerable to criminal misuse, researchers warn
Jan 29 (Reuters) - Hackers and other criminals can easily commandeer computers operating open-source large language models outside the guardrails and constraints of the major artificial-intelligence platforms, creating security risks and vulnerabilities, researchers said on Thursday.

Hackers could target the computers running the LLMs and direct them to carry out spam operations, phishing content creation or disinformation campaigns, evading platform security protocols, the researchers said.

The research, carried out jointly by cybersecurity companies SentinelOne (S.N) and Censys over the course of 293 days and shared exclusively with Reuters, offers a new window into the scale of potentially illicit use cases for thousands of open-source LLM deployments. These include hacking, hate speech and harassment, violent or gore content, personal data theft, scams or fraud, and in some cases child sexual abuse material, the researchers said.

While thousands of open-source LLM variants exist, a significant portion of the LLMs on the internet-accessible hosts are variants of Meta's (META.O) Llama, Google DeepMind's Gemma, and others, according to the researchers. While some of the open-source models include guardrails, the researchers identified hundreds of instances where guardrails were explicitly removed.

AI industry conversations about security controls are "ignoring this kind of surplus capacity that is clearly being utilized for all kinds of different stuff, some of it legitimate, some obviously criminal," said Juan Andres Guerrero-Saade, executive director for intelligence and security research at SentinelOne. Guerrero-Saade likened the situation to an "iceberg" that is not being properly accounted for across the industry and open-source community.

The research analyzed publicly accessible deployments of open-source LLMs deployed through Ollama, a tool that allows people and organizations to run their own versions of various large-language models. The researchers were able to see system prompts, which are the instructions that dictate how the model behaves, in roughly a quarter of the LLMs they observed. Of those, they determined that 7.5% could potentially enable harmful activity. Roughly 30% of the hosts observed by the researchers are operating out of China, and about 20% in the U.S.

Rachel Adams, the CEO and founder of the Global Center on AI Governance, said in an email that once open models are released, responsibility for what happens next becomes shared across the ecosystem, including the originating labs. "Labs are not responsible for every downstream misuse (which are hard to anticipate), but they retain an important duty of care to anticipate foreseeable harms, document risks, and provide mitigation tooling and guidance, particularly given uneven global enforcement capacity," Adams said.

A spokesperson for Meta declined to respond to questions about developers' responsibilities for addressing concerns around downstream abuse of open-source models and how concerns might be reported, but noted the company's Llama Protection tools for Llama developers, and the company's Meta Llama Responsible Use Guide.

Microsoft AI Red Team Lead Ram Shankar Siva Kumar said in an email that Microsoft (MSFT.O) believes open-source models "play an important role" in a variety of areas, but, "at the same time, we are clear-eyed that open models, like all transformative technologies, can be misused by adversaries if released without appropriate safeguards." Microsoft performs pre-release evaluations, including processes to assess "risks for internet-exposed, self-hosted, and tool-calling scenarios, where misuse can be high," he said. The company also monitors for emerging threats and misuse patterns. "Ultimately, responsible open innovation requires shared commitment across creators, deployers, researchers, and security teams."

Ollama did not respond to a request for comment. Alphabet's (GOOGL.O) Google and Anthropic did not respond to questions.

Reporting by AJ Vicens in Detroit; Editing by Matthew Lewis
[2]
Open-Source AI Models Vulnerable to Criminal Misuse, Researchers Warn
[3]
Open-source AI models vulnerable to criminal misuse, researchers warn
Thousands of computers running open-source AI models are operating without major platform security. Hackers can exploit these systems for spam, phishing, and disinformation. Researchers found many instances where safety features were removed. This poses significant security risks. The issue highlights a gap in industry oversight. Criminal use cases are a growing concern.
[4]
Open-source AI models vulnerable to criminal misuse, researchers warn
A 293-day study by SentinelOne and Censys exposes widespread criminal misuse of open-source AI models, with hundreds of deployments stripped of safety features. Among the system prompts the researchers could read, 7.5% could enable harmful activity, including phishing, disinformation campaigns, and fraud. The findings reveal an accountability gap in the open-source AI ecosystem.

Thousands of computers running open-source AI models are operating outside the security constraints of major artificial intelligence platforms, creating significant vulnerabilities that criminals can exploit, according to new research from cybersecurity companies SentinelOne and Censys. The study, conducted over 293 days and shared exclusively with Reuters, reveals that open-source AI models exposed to criminal misuse represent an overlooked threat in the AI security landscape.
Hackers can commandeer these systems to conduct spam operations, phishing content creation, or disinformation campaigns, evading the platform security protocols that govern mainstream AI services [2]. The research offers a troubling window into the scale of potentially illicit activities enabled by thousands of open-source LLM deployments, including hacking, hate speech and harassment, violent content, data theft, fraud, and in some cases child sexual abuse material [3].

While thousands of open-source LLM variants exist, including significant deployments of Meta Llama and Google Gemma, researchers identified hundreds of instances where guardrails were explicitly removed. The study analyzed publicly accessible deployments through Ollama, a tool that allows people and organizations to run their own versions of various large-language models.

Researchers were able to examine system prompts, the instructions that dictate how models behave, in roughly a quarter of the LLMs they observed. Of those, they determined that 7.5% could potentially enable harmful activity [4]. Roughly 30% of the hosts observed are operating out of China, while about 20% are in the U.S., highlighting the global scope of this challenge.

Juan Andres Guerrero-Saade, executive director for intelligence and security research at SentinelOne, characterized AI industry conversations about security controls as "ignoring this kind of surplus capacity that is clearly being utilized for all kinds of different stuff, some of it legitimate, some obviously criminal". He likened the situation to an iceberg of potential misuse that isn't being properly accounted for across the industry and open-source community.
This gap in oversight matters because it exposes a fundamental tension in the AI ecosystem between innovation and security. While open-source models democratize access to AI capabilities, they also create opportunities for criminal misuse when deployed without adequate safeguards.
Rachel Adams, CEO and founder of the Global Center on AI Governance, emphasized that once open models are released, shared responsibility for what happens next extends across the ecosystem, including the originating labs [2]. "Labs are not responsible for every downstream misuse (which are hard to anticipate), but they retain an important duty of care to anticipate foreseeable harms, document risks, and provide mitigation tooling and guidance, particularly given uneven global enforcement capacity," Adams noted.

Meta declined to respond to questions about developers' responsibilities for addressing downstream abuse but pointed to its Llama Protection tools and Meta Llama Responsible Use Guide. Microsoft AI Red Team Lead Ram Shankar Siva Kumar acknowledged that while open-source models "play an important role," the company remains "clear-eyed that open models, like all transformative technologies, can be misused by adversaries if released without appropriate safeguards." Microsoft performs pre-release evaluations to assess risks for internet-exposed, self-hosted scenarios where criminal misuse can be high [3].

The findings raise urgent questions about how the industry balances open innovation with security. As deployers continue to run models without guardrails, the potential for illicit activities grows. The research suggests that cybersecurity measures need to extend beyond the major platforms to address the thousands of self-hosted deployments that currently operate in a regulatory gray zone. Observers should watch for potential policy responses, increased scrutiny of tools like Ollama, and whether major AI labs will implement stricter controls or monitoring for downstream use of their open-source models.
Summarized by Navi