English

Watermark Stealing in Large Language Models

Machine Learning 2024-06-25 v2 Artificial Intelligence Cryptography and Security

Abstract

LLM watermarking has attracted attention as a promising way to detect AI-generated content, with some works suggesting that current schemes may already be fit for deployment. In this work we dispute this claim, identifying watermark stealing (WS) as a fundamental vulnerability of these schemes. We show that querying the API of the watermarked LLM to approximately reverse-engineer a watermark enables practical spoofing attacks, as hypothesized in prior work, but also greatly boosts scrubbing attacks, which was previously unnoticed. We are the first to propose an automated WS algorithm and use it in the first comprehensive study of spoofing and scrubbing in realistic settings. We show that for under $50 an attacker can both spoof and scrub state-of-the-art schemes previously considered safe, with average success rate of over 80%. Our findings challenge common beliefs about LLM watermarking, stressing the need for more robust schemes. We make all our code and additional examples available at https://watermark-stealing.org.

Keywords

Cite

@article{arxiv.2402.19361,
  title  = {Watermark Stealing in Large Language Models},
  author = {Nikola Jovanović and Robin Staab and Martin Vechev},
  journal= {arXiv preprint arXiv:2402.19361},
  year   = {2024}
}

Comments

ICML 2024

R2 v1 2026-06-28T15:04:54.328Z