RoguePrompt: Dual-Layer Ciphering for Self-Reconstruction to Circumvent LLM Moderation

TL;DR

RoguePrompt introduces a dual-layer prompt transformation technique that effectively bypasses moderation filters and reconstructs forbidden prompts, revealing vulnerabilities in current LLM safety measures.

Contribution

The paper presents RoguePrompt, a novel automated jailbreak pipeline using layered encodings to evade moderation and reconstruct forbidden prompts in LLMs.

Findings

Achieved over 93% filter bypass rate.

Reconstructed prompts with nearly 80% accuracy.

Successfully induced models to execute original forbidden prompts.

Abstract

Large language models (LLMs) are becoming increasingly integrated into mainstream development platforms and daily technological workflows, typically behind moderation and safety controls. Despite these controls, preventing prompt-based policy evasion remains challenging, and adversaries continue to jailbreak LLMs by crafting prompts that circumvent implemented safety mechanisms. While prior jailbreak techniques have explored obfuscation and contextual manipulation, many operate as single-step transformations, and their effectiveness is inconsistent across current state-of-the-art models. This leaves a limited understanding of multistage prompt-transformation attacks that evade moderation, reconstruct forbidden intent, and elicit policy-violating outputs. This paper introduces RoguePrompt, an automated jailbreak pipeline that leverages dual-layer prompt transformations to convert forbidden prompts into safety-evading queries. By partitioning the forbidden prompts and applying two nested encodings (ROT-13 and Vigen\`ere) along with natural-language decoding instructions, it produces benign-looking prompts that evade filters and induce the model to execute the original prompt within a single query. RoguePrompt was developed and evaluated under a black-box threat model, with only API and UI access to the LLMs, and tested on 313 real-world hard-rejected prompts. Success was measured in terms of moderation bypass, instruction reconstruction, and execution, using both automated and human evaluation. It achieved an average of 93.93% filter bypass, 79.02% reconstruction, and 70.18% execution success across multiple frontier LLMs. These results demonstrate the effectiveness of layered prompt encoding and highlight the need for innovative defenses to detect and mitigate self-reconstructing jailbreaks.