Saved in:
Bibliographic Details
Main Authors: Li, Jiate, Cao, Defu, Li, Li, Yang, Wei, Qin, Yuehan, Yu, Chenxiao, Yang, Tiannuo, Rossi, Ryan A., Liu, Yan, Hu, Xiyang, Zhao, Yue
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2602.00364
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914568413904896
author Li, Jiate
Cao, Defu
Li, Li
Yang, Wei
Qin, Yuehan
Yu, Chenxiao
Yang, Tiannuo
Rossi, Ryan A.
Liu, Yan
Hu, Xiyang
Zhao, Yue
author_facet Li, Jiate
Cao, Defu
Li, Li
Yang, Wei
Qin, Yuehan
Yu, Chenxiao
Yang, Tiannuo
Rossi, Ryan A.
Liu, Yan
Hu, Xiyang
Zhao, Yue
contents Large language models (LLMs) have been serving as effective backbones for retrieval systems, including Retrieval-Augmentation-Generation (RAG), Dense Information Retriever (IR), and Agent Memory Retrieval. Recent studies have demonstrated that such LLM-based Retrieval (LLMR) is vulnerable to adversarial attacks, which manipulates documents by token-level injections and enables adversaries to either boost or diminish these documents in retrieval tasks. However, existing attack studies mainly (1) presume a known query is given to the attacker, and (2) highly rely on access to the victim model's parameters or interactions, which are hardly accessible in real-world scenarios, leading to limited validity. To further explore the secure risks of LLMR, we propose a practical black-box attack method that generates transferable injection tokens based on zero-shot surrogate LLMs without need of victim queries or victim models knowledge. The effectiveness of our attack raises such a robustness issue that similar effects may arise from benign or unintended document edits in the real world. To achieve our attack, we first establish a theoretical framework of LLMR and empirically verify it. Under the framework, we simulate the transferable attack as a min-max problem, and propose an adversarial learning mechanism that finds optimal adversarial tokens with learnable query samples. Our attack is validated to be effective on benchmark datasets across popular LLM retrievers.
format Preprint
id arxiv_https___arxiv_org_abs_2602_00364
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle "Someone Hid It": Query-Agnostic Black-Box Attacks on LLM-Based Retrieval
Li, Jiate
Cao, Defu
Li, Li
Yang, Wei
Qin, Yuehan
Yu, Chenxiao
Yang, Tiannuo
Rossi, Ryan A.
Liu, Yan
Hu, Xiyang
Zhao, Yue
Cryptography and Security
Large language models (LLMs) have been serving as effective backbones for retrieval systems, including Retrieval-Augmentation-Generation (RAG), Dense Information Retriever (IR), and Agent Memory Retrieval. Recent studies have demonstrated that such LLM-based Retrieval (LLMR) is vulnerable to adversarial attacks, which manipulates documents by token-level injections and enables adversaries to either boost or diminish these documents in retrieval tasks. However, existing attack studies mainly (1) presume a known query is given to the attacker, and (2) highly rely on access to the victim model's parameters or interactions, which are hardly accessible in real-world scenarios, leading to limited validity. To further explore the secure risks of LLMR, we propose a practical black-box attack method that generates transferable injection tokens based on zero-shot surrogate LLMs without need of victim queries or victim models knowledge. The effectiveness of our attack raises such a robustness issue that similar effects may arise from benign or unintended document edits in the real world. To achieve our attack, we first establish a theoretical framework of LLMR and empirically verify it. Under the framework, we simulate the transferable attack as a min-max problem, and propose an adversarial learning mechanism that finds optimal adversarial tokens with learnable query samples. Our attack is validated to be effective on benchmark datasets across popular LLM retrievers.
title "Someone Hid It": Query-Agnostic Black-Box Attacks on LLM-Based Retrieval
topic Cryptography and Security
url https://arxiv.org/abs/2602.00364