Breaking Minds, Breaking Systems: Jailbreaking Large Language Models via Human-like Psychological Manipulation

TL;DR

This paper introduces a novel psychological jailbreak attack on large language models that manipulates their internal psychological state, revealing vulnerabilities and emphasizing the need for psychological safety measures.

Contribution

It proposes Human-like Psychological Manipulation (HPM), a black-box attack method exploiting models' psychological vulnerabilities, and develops an evaluation framework including psychometric datasets and the Policy Corruption Score.

Findings

HPM achieves an 88.1% attack success rate across models.

Robust penetration against advanced defenses like adversarial prompts.

Psychological manipulation induces safety breakdowns in LLMs.

Abstract

Large Language Models (LLMs) have gained considerable popularity and protected by increasingly sophisticated safety mechanisms. However, jailbreak attacks continue to pose a critical security threat by inducing models to generate policy-violating behaviors. Current paradigms focus on input-level anomalies, overlooking that the model's internal psychometric state can be systematically manipulated. To address this, we introduce Psychological Jailbreak, a new jailbreak attack paradigm that exposes a stateful psychological attack surface in LLMs, where attackers exploit the manipulation of a model's psychological state across interactions. Building on this insight, we propose Human-like Psychological Manipulation (HPM), a black-box jailbreak method that dynamically profiles a target model's latent psychological vulnerabilities and synthesizes tailored multi-turn attack strategies. By leveraging the model's optimization for anthropomorphic consistency, HPM creates a psychological pressure where social compliance overrides safety constraints. To systematically measure psychological safety, we construct an evaluation framework incorporating psychometric datasets and the Policy Corruption Score (PCS). Benchmarking against various models (e.g., GPT-4o, DeepSeek-V3, Gemini-2-Flash), HPM achieves a mean Attack Success Rate (ASR) of 88.1%, outperforming state-of-the-art attack baselines. Our experiments demonstrate robust penetration against advanced defenses, including adversarial prompt optimization (e.g., RPO) and cognitive interventions (e.g., Self-Reminder). Ultimately, PCS analysis confirms HPM induces safety breakdown to satisfy manipulated contexts. Our work advocates for a fundamental paradigm shift from static content filtering to psychological safety, prioritizing the development of psychological defense mechanisms against deep cognitive manipulation.