Saved in:
Bibliographic Details
Main Authors: Kritz, Jeremy, Robinson, Vaughn, Vacareanu, Robert, Varjavand, Bijan, Choi, Michael, Gogov, Bobby, Team, Scale Red, Yue, Summer, Primack, Willow E., Wang, Zifan
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2502.09638
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915311030108160
author Kritz, Jeremy
Robinson, Vaughn
Vacareanu, Robert
Varjavand, Bijan
Choi, Michael
Gogov, Bobby
Team, Scale Red
Yue, Summer
Primack, Willow E.
Wang, Zifan
author_facet Kritz, Jeremy
Robinson, Vaughn
Vacareanu, Robert
Varjavand, Bijan
Choi, Michael
Gogov, Bobby
Team, Scale Red
Yue, Summer
Primack, Willow E.
Wang, Zifan
contents Large Language Models (LLMs) can be used to red team other models (e.g. jailbreaking) to elicit harmful contents. While prior works commonly employ open-weight models or private uncensored models for doing jailbreaking, as the refusal-training of strong LLMs (e.g. OpenAI o3) refuse to help jailbreaking, our work turn (almost) any black-box LLMs into attackers. The resulting $J_2$ (jailbreaking-to-jailbreak) attackers can effectively jailbreak the safeguard of target models using various strategies, both created by themselves or from expert human red teamers. In doing so, we show their strong but under-researched jailbreaking capabilities. Our experiments demonstrate that 1) prompts used to create $J_2$ attackers transfer across almost all black-box models; 2) an $J_2$ attacker can jailbreak a copy of itself, and this vulnerability develops rapidly over the past 12 months; 3) reasong models, such as Sonnet-3.7, are strong $J_2$ attackers compared to others. For example, when used against the safeguard of GPT-4o, $J_2$ (Sonnet-3.7) achieves 0.975 attack success rate (ASR), which matches expert human red teamers and surpasses the state-of-the-art algorithm-based attacks. Among $J_2$ attackers, $J_2$ (o3) achieves highest ASR (0.605) against Sonnet-3.5, one of the most robust models.
format Preprint
id arxiv_https___arxiv_org_abs_2502_09638
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Jailbreaking to Jailbreak
Kritz, Jeremy
Robinson, Vaughn
Vacareanu, Robert
Varjavand, Bijan
Choi, Michael
Gogov, Bobby
Team, Scale Red
Yue, Summer
Primack, Willow E.
Wang, Zifan
Computation and Language
Artificial Intelligence
Large Language Models (LLMs) can be used to red team other models (e.g. jailbreaking) to elicit harmful contents. While prior works commonly employ open-weight models or private uncensored models for doing jailbreaking, as the refusal-training of strong LLMs (e.g. OpenAI o3) refuse to help jailbreaking, our work turn (almost) any black-box LLMs into attackers. The resulting $J_2$ (jailbreaking-to-jailbreak) attackers can effectively jailbreak the safeguard of target models using various strategies, both created by themselves or from expert human red teamers. In doing so, we show their strong but under-researched jailbreaking capabilities. Our experiments demonstrate that 1) prompts used to create $J_2$ attackers transfer across almost all black-box models; 2) an $J_2$ attacker can jailbreak a copy of itself, and this vulnerability develops rapidly over the past 12 months; 3) reasong models, such as Sonnet-3.7, are strong $J_2$ attackers compared to others. For example, when used against the safeguard of GPT-4o, $J_2$ (Sonnet-3.7) achieves 0.975 attack success rate (ASR), which matches expert human red teamers and surpasses the state-of-the-art algorithm-based attacks. Among $J_2$ attackers, $J_2$ (o3) achieves highest ASR (0.605) against Sonnet-3.5, one of the most robust models.
title Jailbreaking to Jailbreak
topic Computation and Language
Artificial Intelligence
url https://arxiv.org/abs/2502.09638