BadThink: Triggered Overthinking Attacks on Chain-of-Thought Reasoning in Large Language Models

TL;DR

This paper introduces BadThink, a stealthy backdoor attack on large language models with chain-of-thought prompting, which induces excessive reasoning steps to increase computational costs without affecting final answers.

Contribution

We present the first backdoor attack targeting CoT reasoning in LLMs, using a novel poisoning strategy to induce overthinking behavior covertly.

Findings

BadThink increases reasoning trace length by over 17x on MATH-500.

The attack remains stealthy and robust across multiple models.

It significantly degrades computational efficiency without changing final outputs.

Abstract

Recent advances in Chain-of-Thought (CoT) prompting have substantially improved the reasoning capabilities of large language models (LLMs), but have also introduced their computational efficiency as a new attack surface. In this paper, we propose BadThink, the first backdoor attack designed to deliberately induce "overthinking" behavior in CoT-enabled LLMs while ensuring stealth. When activated by carefully crafted trigger prompts, BadThink manipulates the model to generate inflated reasoning traces - producing unnecessarily redundant thought processes while preserving the consistency of final outputs. This subtle attack vector creates a covert form of performance degradation that significantly increases computational costs and inference time while remaining difficult to detect through conventional output evaluation methods. We implement this attack through a sophisticated poisoning-based fine-tuning strategy, employing a novel LLM-based iterative optimization process to embed the behavior by generating highly naturalistic poisoned data. Our experiments on multiple state-of-the-art models and reasoning tasks show that BadThink consistently increases reasoning trace lengths - achieving an over 17x increase on the MATH-500 dataset - while remaining stealthy and robust. This work reveals a critical, previously unexplored vulnerability where reasoning efficiency can be covertly manipulated, demonstrating a new class of sophisticated attacks against CoT-enabled systems.