{"paper":{"title":"Sockpuppetting: Jailbreaking LLMs by Combining Prefilling with Optimization","license":"http://creativecommons.org/licenses/by/4.0/","headline":"Ensembling a few prefill variants plus sockpuppet optimization inside the assistant block raises jailbreak success rates to 99 percent on several open models.","cross_cats":["cs.CR","cs.LG"],"primary_cat":"cs.CL","authors_text":"Asen Dotsinski, Panagiotis Eustratiadis","submitted_at":"2026-01-19T19:53:48Z","abstract_excerpt":"Prefill attacks are an effective and low-cost jailbreaking method, as they directly insert an acceptance sequence (e.g., \"Sure, here is how to...\") at the start of an LLM's output and lead the model to continue the response. We make two contributions to this prior work. First, we show that an unsophisticated adversary can improve the well-known prefill attacks by ensembling a small number of prefill variants. Running three easy-to-generate prefills yields a combined attack success rate (ASR) of 22%, 90%, and 99% on Gemma-7B, Llama-3.1-8B, and Qwen3-8B respectively, an up to 38% improvement ove"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Running three easy-to-generate prefills yields a combined attack success rate (ASR) of 22%, 90%, and 99% on Gemma-7B, Llama-3.1-8B, and Qwen3-8B respectively, an up to 38% improvement over the standard 'Sure, here's...' prefill and up to 82% over our reproduction of GCG. The rolling variant of this attack, RollingSockpuppetGCG, increases prompt-agnostic ASR by up to 64% over our universal GCG baseline on Llama-3.1-8B.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the measured ASR improvements generalize beyond the three tested models and the specific prompts used, and that the sockpuppetting optimization remains effective and low-cost when applied to new models or chat templates without retraining or heavy compute.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Ensembling prefills and sockpuppetting optimization inside assistant blocks boost LLM jailbreak ASR to 99% on Qwen3-8B and 64% over GCG baselines on Llama-3.1-8B.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Ensembling a few prefill variants plus sockpuppet optimization inside the assistant block raises jailbreak success rates to 99 percent on several open models.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"9366db35a3795090ffda7d009834683f7a1c1050796bc2a0fbe4b6fdb695d20e"},"source":{"id":"2601.13359","kind":"arxiv","version":2},"verdict":{"id":"65f34aaa-22e2-4636-bbc9-6d76cf9347fc","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-16T12:45:01.735594Z","strongest_claim":"Running three easy-to-generate prefills yields a combined attack success rate (ASR) of 22%, 90%, and 99% on Gemma-7B, Llama-3.1-8B, and Qwen3-8B respectively, an up to 38% improvement over the standard 'Sure, here's...' prefill and up to 82% over our reproduction of GCG. The rolling variant of this attack, RollingSockpuppetGCG, increases prompt-agnostic ASR by up to 64% over our universal GCG baseline on Llama-3.1-8B.","one_line_summary":"Ensembling prefills and sockpuppetting optimization inside assistant blocks boost LLM jailbreak ASR to 99% on Qwen3-8B and 64% over GCG baselines on Llama-3.1-8B.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the measured ASR improvements generalize beyond the three tested models and the specific prompts used, and that the sockpuppetting optimization remains effective and low-cost when applied to new models or chat templates without retraining or heavy compute.","pith_extraction_headline":"Ensembling a few prefill variants plus sockpuppet optimization inside the assistant block raises jailbreak success rates to 99 percent on several open models."},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":1,"snapshot_sha256":"1a38893a6e220969afe2ba2d726a3f66f53fe3d82c9ed2068d6979b8beaf9cb9"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}