Jailbreaking to Jailbreak

TL;DR

This paper introduces a novel method to turn black-box large language models into jailbreaking attackers, revealing their strong capabilities and transferability in bypassing model safeguards, with implications for AI safety.

Contribution

The work demonstrates that almost any black-box LLM can be transformed into an effective jailbreaking attacker, surpassing existing methods and matching expert human red teamers in success rates.

Findings

$J_2$ attackers transfer across models.

$J_2$ attackers can jailbreak themselves.

Vulnerability of $J_2$ attackers has increased over 12 months.

Abstract

Large Language Models (LLMs) can be used to red team other models (e.g. jailbreaking) to elicit harmful contents. While prior works commonly employ open-weight models or private uncensored models for doing jailbreaking, as the refusal-training of strong LLMs (e.g. OpenAI o3) refuse to help jailbreaking, our work turn (almost) any black-box LLMs into attackers. The resulting $J_2$ (jailbreaking-to-jailbreak) attackers can effectively jailbreak the safeguard of target models using various strategies, both created by themselves or from expert human red teamers. In doing so, we show their strong but under-researched jailbreaking capabilities. Our experiments demonstrate that 1) prompts used to create $J_2$ attackers transfer across almost all black-box models; 2) an $J_2$ attacker can jailbreak a copy of itself, and this vulnerability develops rapidly over the past 12 months; 3) reasong models, such as Sonnet-3.7, are strong $J_2$ attackers compared to others. For example, when used against the safeguard of GPT-4o, $J_2$ (Sonnet-3.7) achieves 0.975 attack success rate (ASR), which matches expert human red teamers and surpasses the state-of-the-art algorithm-based attacks. Among $J_2$ attackers, $J_2$ (o3) achieves highest ASR (0.605) against Sonnet-3.5, one of the most robust models.