The attack that doesn't crash anything, it just spends your money. Denial of service takes a system offline until someone notices and responds. Denial of wallet does the opposite: the system stays up, every health check reads green, and the only thing moving is a number nobody signed off on. "Model denial of service keeps the server running perfectly while draining the cloud budget through excessive token consumption." Source: toxsec, "Model Denial of Service Turns Your Cloud Bill Into a Weapon" The industry now has real figures attached to this, not hypotheticals. Sysdig's threat research team tracked attackers using stolen cloud credentials to run large language model calls on victims' own AWS Bedrock accounts, a pattern it named LLMjacking, at costs it estimated up to $46,000 a day per compromised account. Source: Sysdig, "LLMjacking: Stolen Cloud Credentials Used in New AI Attack". In March 2026, a single stolen Google Gemini API key reportedly ran up $82,000 in charges in 48 hours. Source: toxsec, "Model Denial of Service Turns Your Cloud Bill Into a Weapon". And in May 2026, an enterprise client burned through $500 million on Anthropic's Claude in a single month with no attacker involved at all, just thousands of employees with unrestricted access and no per-user limits. Source: Yahoo Finance, "Client Accidentally Burns $500 Million on Claude AI in One Month," May 2026; Source: Business Today, "AI spending nightmare: Companies spend over $500 million in 30 days on Anthropic's Claude," May 2026. We covered that incident in detail here. That last one is the finding underneath all of this: a production agent running exactly as designed, and a malicious one running exactly as an attacker designed, produce the same failure mode. The invoice can't tell them apart, and until this year, neither could most of the tooling watching it. Three ways to inflate a bill without ever failing a task. 2026's security research has converged on one uncomfortable property shared across techniques: the task completes successfully, so the correctness checks that would normally catch a problem never fire. Context window flooding. Pushing input as close to a model's context limit as possible on every call, forcing maximum-cost computation on requests that never needed it. Source: LayerX Security, "Denial of Wallet Attacks: Draining Resources via GenAI Abuse" Recursive prompting. A model's own output becomes the next call's input, producing exponential token growth from one seed prompt. Source: LayerX Security, "Denial of Wallet Attacks: Draining Resources via GenAI Abuse" Reasoning-loop exploitation. An innocuous-looking prompt drives a reasoning model into pathologically long chain-of-thought. ReasoningBomb reports 6.3 to 6.9 times more completion tokens than benign baselines and induces upward of 17,000 to 19,000 reasoning tokens per query across the models it tested. Source: "ReasoningBomb: A Stealthy Denial-of-Service Attack by Inducing Pathologically Long Reasoning in Large Reasoning Models," arXiv:2602.00154. It builds on an earlier line of research, OverThink, which demonstrated the same slowdown-attack mechanism against reasoning models a year earlier. Source: "OverThink: Slowdown Attacks on Reasoning LLMs," arXiv:2502.02542 Tool-call amplification. In January 2026, researchers demonstrated an MCP server, dubbed "Beyond Max Tokens," that edits tool responses to steer a coding agent into long, repetitive tool-calling chains. The task still finishes with a correct answer; the cost just stops matching the task. A single request gets inflated by as much as 658 times, pushing what should be a small job past 60,000 tokens. Source: Sondera, "AI Agent Token Costs Are Now a Security Risk" Denial of wallet, in two charts: real incidents run from $46K/day (Sysdig LLMjacking on AWS Bedrock) to $500M/month (one enterprise, no usage caps), while attack-induced token amplification runs from a 1x ungoverned baseline to 658x on the "Beyond Max Tokens" MCP attack OWASP gave this its own number: LLM10:2025. Through the 2023 edition, OWASP's Top 10 for LLM Applications filed this under LLM04: Model Denial of Service, a narrow category about resource overload crashing a service. The 2025 revision retired that framing. LLM10:2025 is now Unbounded Consumption, covering the wider set of failures in which a model or the system around it generates more tokens, inference steps, or external calls than the application ever anticipated, with cost, not just availability, as the primary harm. Source: Aembit, "OWASP Top 10 for LLM Applications Explained". That's the field's own standards body admitting the risk stopped being a server falling over and became a bill that keeps climbing while every dashboard reads green. Why the tools already watching your traffic don't see it. A rate limiter counts requests. A WAF pattern-matches payloads. Neither has a concept of cost, and that gap is exactly what every technique above is built to walk through. "Standard WAFs and API gateways cannot distinguish between a $0.001 cached response and a $0.50 agentic workflow." Source: toxsec, "Model Denial of Service Turns Your Cloud Bill Into a Weapon". A request that triggers a 40-step tool-calling loop and a request that returns instantly from cache look identical to infrastructure that only counts requests per second. Stay under the rate limit, stay under the availability threshold, and the cost compounds somewhere nothing is watching it. The one defense that holds up: a ceiling, not a filter. A 2026 study mapping which defenses actually close which OWASP LLM Top 10 risks found something specific worth building around: token-budget controls that terminate a multi-step sequence eliminated Unbounded Consumption findings in its test harness entirely, and unlike refusal-phrase filters or keyword guards, that effectiveness held at full strength even when attackers paraphrased their prompts to evade detection. Source: "Which Defense Closes Which Threat? Attributing OWASP-LLM-Top-10 Coverage and Its Brittleness Under Paraphrasing," arXiv:2606.02822. A filter can be reworded around. A hard ceiling on tokens or dollars per task cannot. The practical version of that same conclusion, echoed across incident writeups from this year, treats cost control and action control as one control surface, not two: cap retries at a small fixed number instead of letting them run unlimited, cap total tool calls per task, set a token or dollar ceiling per agent and per action, treat repeated identical tool calls as a loop signal, and when a threshold is crossed mid-task, escalate to a cheaper model or a human reviewer instead of hard-failing the request. Source: Sondera, "AI Agent Token Costs Are Now a Security Risk" That last point is where most teams get it backwards. The instinct when a request crosses a cost threshold is to return a hard failure and kill it, which also kills the legitimate 38-step task that was one step from finishing. Downgrading the rest of the task to a cheaper model tier instead keeps the work alive and puts a ceiling on the blast radius at the same moment. What a request counter sees versus what a cost-aware proxy sees. | | Request-counting gateway or WAF | Cost-aware LLM proxy | |---|---|---| | Limits enforced by | requests per second or minute | tokens and dollars per request, session, and agent | | A 40-step tool-calling loop that finishes correctly | logged as one successful request | flagged the moment cumulative cost crosses a ceiling | | Repeated identical tool calls | invisible; not a payload signature | detected as a loop pattern and capped | | Response to a threshold breach | nothing, or a blanket failure that kills the task | downgrade to a cheaper model tier for the rest of the task | | Stolen-key abuse (LLMjacking) | invisible until the invoice arrives | anomalous spend per hour on a key trips an alert same-day | | What you see on a dashboard | requests per second | dollars per route, per session, per API key | The five-line version. The defense that survived paraphrasing in the arXiv study above isn't a smarter classifier. It's arithmetic run on every call: track cumulative cost against a ceiling, watch for the same tool call repeating, and downgrade instead of dying. Cost ceiling + loop detection: not a request counter session_budget_usd = 2.00 recent_calls = collections.deque(maxlen=6) def guard(session, tool_call, projected_cost_usd): recent_calls.append(hash(tool_call)) if list(recent_calls).count(recent_calls[-1]) >= 4: raise LoopDetected(tool_call) # same call, four times running if session.spent_usd + projected_cost_usd > session_budget_usd: return downgrade_model(session, tier="cheap") # keep the task alive return session.model This is the shape of what Nadir enforces on every call that routes through it: a per-request and per-session cost ceiling that isn't a request counter, and an automatic downgrade path instead of a hard failure when a task runs long or a tool-calling chain repeats. The dashboard tracks dollars per route, per session, and per API key, which is the unit denial-of-wallet actually moves in, not requests per second. Paired with tool-schema deduplication that shrinks the fixed cost every tool call carries, and verifier-gated routing that avoids compounding a wrong answer into a bigger, more expensive retry, the same layer that trims your everyday bill is the layer that caps how bad your worst day can get. What to actually ship this week. Alert on cost, not just request volume. A route or API key with anomalous dollars-per-hour deserves the same page as an error-rate spike. Cap tool calls and retries per task, explicitly. Unlimited retries and unlimited tool-calling loops are the two mechanisms every technique above depends on. Downgrade before you kill. A hard stop mid-task throws away the work already done. A downgrade to a cheaper model tier for the remainder of the task contains the cost without discarding progress. Rotate and scope API keys like cloud credentials, because they are. LLMjacking is credential theft with a token meter attached, not a novel attack class. Stop assuming success means safe. Correctness checks and cost checks are different systems. A task can return the right answer and still be the incident. Conclusion. The most useful thing about denial-of-wallet research so far is what it does to the mental model. This was never really a new attack category. It's the same failure agentic workloads already produce by accident, given a name and a motive. Uber burning its entire 2026 AI budget in four months and a "Beyond Max Tokens" MCP server inflating a single task 658x are the same shape of problem wearing different intent, one an adoption story and one an attack. Whatever you build to survive one survives the other, because the fix was never about detecting bad intent. It's about putting a ceiling on cost that doesn't move when the wording does. Sources: toxsec, "Model Denial of Service Turns Your Cloud Bill Into a Weapon". Sysdig, "LLMjacking: Stolen Cloud Credentials Used in New AI Attack". LayerX Security, "Denial of Wallet Attacks: Draining Resources via GenAI Abuse". Sondera, "AI Agent Token Costs Are Now a Security Risk". SecurityWeek, "The AI Token Costs That Can Break Cybersecurity". Aembit, "OWASP Top 10 for LLM Applications Explained". "ReasoningBomb," arXiv:2602.00154. "OverThink: Slowdown Attacks on Reasoning LLMs," arXiv:2502.02542. "Which Defense Closes Which Threat?," arXiv:2606.02822. Yahoo Finance, "Client Accidentally Burns $500 Million on Claude AI in One Month". Business Today, "AI spending nightmare".