Watermark Stealing in Large Language Models

TL;DR

This paper demonstrates that current LLM watermarking schemes are vulnerable to practical spoofing and scrubbing attacks, which can be executed with minimal cost and high success rates, challenging their deployment safety.

Contribution

The authors introduce the first automated watermark stealing algorithm and provide a comprehensive study of spoofing and scrubbing attacks in realistic scenarios.

Findings

Spoofing and scrubbing attacks succeed over 80% of the time.

Attacks can be performed for under $50.

Current watermarking schemes are not robust against these attacks.

Abstract

LLM watermarking has attracted attention as a promising way to detect AI-generated content, with some works suggesting that current schemes may already be fit for deployment. In this work we dispute this claim, identifying watermark stealing (WS) as a fundamental vulnerability of these schemes. We show that querying the API of the watermarked LLM to approximately reverse-engineer a watermark enables practical spoofing attacks, as hypothesized in prior work, but also greatly boosts scrubbing attacks, which was previously unnoticed. We are the first to propose an automated WS algorithm and use it in the first comprehensive study of spoofing and scrubbing in realistic settings. We show that for under $50 an attacker can both spoof and scrub state-of-the-art schemes previously considered safe, with average success rate of over 80%. Our findings challenge common beliefs about LLM watermarking, stressing the need for more robust schemes. We make all our code and additional examples available at https://watermark-stealing.org.