Editor Notes: Incident 898 presents an editorial challenge in synthesizing events from multiple reports, pointing to the evolution of LLMjacking trends over time. The following is a reconstruction of key incidents outlined in Sysdig's investigative reports: (1) 05/06/2024: Initial publication date LLMjacking report by Sysdig's Alessandro Brucato. Attackers reportedly exploited stolen cloud credentials obtained via a Laravel vulnerability (CVE-2021-3129) to access cloud-hosted LLMs like Anthropic Claude. Monetization allegedly occurred via reverse proxies, potentially costing victims up to $46,000 per day. (2) 07/11/2024: Significant spike in LLMjacking activity reportedly observed, with over 61,000 AWS Bedrock API calls logged in a three-hour window, allegedly generating significant costs to victims. (3) 07/24/2024: A second surge in activity reportedly occurred, with 15,000 additional API calls detected. Attackers are alleged to have escalated the abuse of APIs and developed new scripts to automate LLM interactions. (4) 09/18/2024: Sysdig's second report detailing evolving attacker tactics, including alleged enabling LLMs via APIs (e.g., PutFoundationModelEntitlement) and tampering with logging configurations (e.g., DeleteModelInvocationLoggingConfiguration) to evade detection. Motives reportedly expanded to include bypassing sanctions, enabling access in restricted regions, and role-playing use cases. (5) Ongoing: Sysdig and other researchers continue to observe alleged LLMjacking incidents, reportedly involving other LLMs like Claude 3 Opus and OpenAI systems. Victim costs have allegedly risen to over $100,000 per day with LLM usage, which is reportedly fueling a black market for stolen credentials.