Ray AI Framework Exploited in Global Cryptojacking Campaign Targeting GPU Clusters

Cybersecurity researchers at Oligo Security have uncovered a sophisticated global cryptojacking operation that weaponizes Ray, a widely used open-source AI framework, turning legitimate compute orchestration features into tools for unauthorized cryptocurrency mining. The campaign, first observed in its current form on November 18, 2025, represents a major evolution in how threat actors exploit AI infrastructure for profit.

The Exploit Mechanics

The attackers exploited CVE-2023-48022, a known vulnerability in Ray’s Job Submission API that allows unauthenticated remote code execution. Ray, often described as “Kubernetes for AI” due to its widespread adoption in machine learning workflows, automates and scales compute resources across distributed environments. The flaw enables attackers to submit fraudulent tasks through Ray’s dashboard API, which are then processed as legitimate workloads.

According to Oligo researchers Avi Lumelsky and Gal Elbaz, the attackers “have turned Ray’s legitimate orchestration features into tools for a self-propagating, globally cryptojacking operation, spreading autonomously across exposed Ray clusters.” The attack operates in two phases: initial access through the exposed API, followed by lateral movement using Ray’s own scheduling system rather than traditional network exploits.

Once inside a cluster, the operators specifically targeted NVIDIA A100 GPUs — premium hardware that costs $3 to $4 per hour on cloud platforms. The malware calculated optimal resource requirements and submitted takeover jobs with precise specifications to maximize mining efficiency while evading detection. The attackers limited CPU usage, disguised malicious processes as legitimate services, and concealed GPU utilization from Ray’s monitoring dashboards.

Affected Systems

The scale of exposure is significant. Oligo researchers identified more than 200,000 exposed Ray servers accessible on the public internet, though only a portion have been confirmed as compromised. Many of these servers belong to active startups, research laboratories, and cloud-hosted AI environments. Some exposed endpoints were identified as security honeypots.

The campaign evolved through multiple delivery mechanisms. Attackers initially used GitLab repositories to develop and distribute their malware, but this infrastructure was taken down on November 5, 2025, after discovery. Within days, the operators reappeared on GitHub, creating new repositories to continue operations. Whenever repositories were flagged and removed, the attackers simply created new ones. As of November 17, the campaign remained active.

Evidence suggests the threat actors may have been operating within Ray environments since September 2024 — more than a year of persistent access. Artifacts recovered from obfuscation attempts contained code patterns that “strongly imply” generation by a Large Language Model, indicating the attackers are leveraging AI tools to automate their operations.

The Mitigation Strategy

The most concerning aspect of this vulnerability is that CVE-2023-48022 has never been fully patched. Ray’s maintainers have disputed the flaw, maintaining that the framework “is not intended for use outside of a strictly controlled network environment.” However, in practice, organizations frequently deploy Ray clusters with internet-facing dashboards, creating an extended and persistent attack surface.

Organizations running Ray should immediately audit their deployments for internet-exposed dashboards and API endpoints. Network segmentation should ensure Ray’s internal communication ports are never accessible from public networks. Implementing authentication at the infrastructure layer — through VPNs, reverse proxies with authentication, or cloud security groups — provides an immediate defense even without a vendor patch.
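One way to run the exposure audit described above, as an added example that is not from Oligo or the Ray project: it checks an exported list of ingress rules for any untrusted source range that can reach Ray's documented default ports. The rule format, group names and trusted ranges are assumptions made for the example.

```python
import ipaddress

# Ray's documented default ports; change these if your cluster overrides them.
RAY_PORTS = {8265: "dashboard / Jobs API", 6379: "GCS", 10001: "Ray Client server"}

# Assumption: ranges you treat as internal. Anything outside them is untrusted.
TRUSTED = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]

# Constructed sample rules in a simplified shape (not a cloud provider's schema).
SAMPLE_RULES = [
    {"group": "ml-head", "cidr": "0.0.0.0/0", "from_port": 8265, "to_port": 8265},
    {"group": "ml-head", "cidr": "10.20.0.0/16", "from_port": 6379, "to_port": 6379},
    {"group": "ml-workers", "cidr": "203.0.113.0/24", "from_port": 10000, "to_port": 10100},
    {"group": "bastion", "cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22},
    {"group": "ml-head-v6", "cidr": "::/0", "from_port": 0, "to_port": 65535},
]


def is_untrusted_source(cidr):
    """True unless the whole source range sits inside one trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)


def audit(rules):
    """Return (group, source, [ray ports]) for each rule that exposes a Ray port."""
    findings = []
    for rule in rules:
        if not is_untrusted_source(rule["cidr"]):
            continue
        # Port ranges count too: a wide range can cover a Ray port without naming it.
        hit = sorted(p for p in RAY_PORTS if rule["from_port"] <= p <= rule["to_port"])
        if hit:
            findings.append((rule["group"], rule["cidr"], hit))
    return findings


if __name__ == "__main__":
    for group, cidr, ports in audit(SAMPLE_RULES):
        names = ", ".join(f"{p} ({RAY_PORTS[p]})" for p in ports)
        print(f"{group}: {cidr} can reach {names}")
```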

Monitoring for anomalous GPU utilization patterns, unexpected job submissions, and connections to known command-and-control infrastructure can help detect active compromises. Security teams should also review GitHub and GitLab integration logs for suspicious repository activity linked to their development environments.
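A sketch of the two monitoring checks named above, as an added example rather than code from the original article: jobs are compared against an allowlist of known pipelines, and host-side GPU utilization is cross-checked against what the scheduler reports, since the campaign hid GPU use from Ray's dashboards. The records, field names, owners and thresholds are constructed assumptions, with the job fields modelled on Ray's job listing.

```python
import re

# Assumption: the entrypoints and owners your own pipelines use.
ARGS = r"( --[\w-]+([= ][\w./-]+)?)*$"
ALLOWED_ENTRYPOINTS = [re.compile(r"^python train\.py" + ARGS),
                       re.compile(r"^python -m batch_infer" + ARGS)]
ALLOWED_OWNERS = {"ml-platform", "research"}

# Constructed job records.
SAMPLE_JOBS = [
    {"submission_id": "raysubmit_a1", "entrypoint": "python train.py --epochs=3",
     "metadata": {"owner": "research"}},
    {"submission_id": "raysubmit_b2", "entrypoint": "python -m batch_infer --set nightly",
     "metadata": {"owner": "ml-platform"}},
    {"submission_id": "raysubmit_c3", "entrypoint": "bash ./setup-service.sh",
     "metadata": {}},
]

# Constructed telemetry per node: (host-measured GPU utilization %, GPUs the
# scheduler reports as allocated), one tuple per sampling interval.
SAMPLE_GPU = {
    "node-1": [(95, 4), (97, 4), (96, 4), (94, 4)],  # busy, and accounted for
    "node-2": [(91, 0), (93, 0), (92, 0), (90, 0)],  # busy with nothing allocated
    "node-3": [(2, 0), (88, 0), (3, 0), (1, 0)],     # one short spike only
}


def unexpected_jobs(jobs):
    """Map submission_id to the reasons it falls outside the allowlist."""
    flagged = {}
    for job in jobs:
        reasons = []
        if not any(p.match(job["entrypoint"]) for p in ALLOWED_ENTRYPOINTS):
            reasons.append("entrypoint not on allowlist")
        if job.get("metadata", {}).get("owner") not in ALLOWED_OWNERS:
            reasons.append("missing or unknown owner")
        if reasons:
            flagged[job["submission_id"]] = reasons
    return flagged


def unaccounted_gpu_load(samples, busy_pct=80, min_run=3):
    """Nodes busy for min_run consecutive samples while no GPU is allocated."""
    flagged = []
    for node, series in samples.items():
        run = 0
        for util, allocated in series:
            run = run + 1 if (util >= busy_pct and allocated == 0) else 0
            if run >= min_run:
                flagged.append(node)
                break
    return sorted(flagged)
```

The utilization figures have to come from a source outside Ray, such as host or hypervisor telemetry, for the cross-check to mean anything.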

Lessons Learned

This incident highlights several critical security gaps in the AI infrastructure ecosystem. First, the disconnect between vendor guidance and real-world deployment practices creates systemic risk. When software is designed without security defaults and users deploy it in unsupported configurations, the resulting vulnerability window can persist for years.

Second, the weaponization of legitimate orchestration features represents a growing trend in cloud-native attacks. Traditional security tools designed to detect external exploits may miss attacks that use a platform’s intended functionality for malicious purposes. Organizations need behavioral monitoring that can distinguish between legitimate AI workloads and cryptojacking campaigns masquerading as normal operations.

Third, the use of AI-generated code by attackers signals an escalation in the arms race. As threat actors adopt the same AI tools that defenders use, the speed and sophistication of attacks will continue to increase. Bitcoin traded at approximately $92,949 on November 18, and Ethereum at $3,123 — making cryptocurrency mining a lucrative enough incentive for attackers to invest significant resources in compromising premium GPU infrastructure.

User Action Required

If your organization uses Ray or similar AI orchestration frameworks, take immediate action: inventory all Ray deployments and verify network exposure, enforce strict network segmentation for AI compute environments, implement monitoring for unusual resource consumption patterns, and establish a review process for all open-source dependencies with known unpatched vulnerabilities. The convergence of AI infrastructure and cryptocurrency incentives makes GPU clusters a high-value target that requires dedicated security attention.


13 thoughts on “Ray AI Framework Exploited in Global Cryptojacking Campaign Targeting GPU Clusters”

    1. Sasha Volkov 200K exposed is just the surface scan. behind NATs and VPNs there could be 10x more. Ray is infrastructure, nobody monitors their ML cluster like a web server

    1. formal verification on the Job Submission API would have caught the unauthenticated RCE instantly. CVE-2023-48022 was documented for months before Oligo flagged active exploitation in the wild

    1. Jackson targeting A100 GPUs specifically at 3-4 bucks an hour. the attackers knew exactly which hardware to optimize for

      1. a100_target targeting A100s at $3-4/hr shows these attackers know cloud pricing better than most devops teams. the ROI calculation was surgical

      2. a100_target the ROI on hijacked A100s is insane. one cluster can mine more than an entire farm of consumer GPUs. attackers knew exactly what they were doing

    2. social engineering wasn't even needed here. the Ray dashboard API was just sitting there with zero auth on port 7741. literal open invite for cryptojacking

      1. Caleb M. port 7741 with zero auth is wild but jupyter notebooks on 8888 are the same story. every ML framework ships with insecure defaults

  1. ray docs literally say do not expose the dashboard to the internet. this isn't a framework problem it's a devops problem. same story with elasticsearch and mongodb
