Pith. sign in

REVIEW 8 cited by

Watermark Stealing in Large Language Models

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 2402.19361 v2 pith:5M747HKM submitted 2024-02-29 cs.LG cs.AIcs.CR

Watermark Stealing in Large Language Models

classification cs.LG cs.AIcs.CR
keywords schemeswatermarkattacksfirstpreviouslyscrubbingspoofingstealing
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

LLM watermarking has attracted attention as a promising way to detect AI-generated content, with some works suggesting that current schemes may already be fit for deployment. In this work we dispute this claim, identifying watermark stealing (WS) as a fundamental vulnerability of these schemes. We show that querying the API of the watermarked LLM to approximately reverse-engineer a watermark enables practical spoofing attacks, as hypothesized in prior work, but also greatly boosts scrubbing attacks, which was previously unnoticed. We are the first to propose an automated WS algorithm and use it in the first comprehensive study of spoofing and scrubbing in realistic settings. We show that for under $50 an attacker can both spoof and scrub state-of-the-art schemes previously considered safe, with average success rate of over 80%. Our findings challenge common beliefs about LLM watermarking, stressing the need for more robust schemes. We make all our code and additional examples available at https://watermark-stealing.org.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 8 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. RLCracker: Evaluating the Worst-Case Vulnerability of LLM Watermarks with Adaptive RL Attacks

    cs.CR 2025-09 conditional novelty 8.0

    RLCracker is a reinforcement learning attack that erases LLM watermarks at 98.5% success rate with minimal data and generalizes across ten schemes and multiple model sizes.

  2. TRACE: A Two-Channel Robust Attribution Watermark via Complementary Embeddings for LLM-Agent Trajectories

    cs.CR 2026-07 accept novelty 7.0

    TRACE is a two-channel, distortion-free agent watermark whose selection and tally layers jointly resist deletion and rewriting by a log-holding reseller.

  3. RLSpoofer: A Lightweight Evaluator for LLM Watermark Spoofing Resilience

    cs.CR 2026-04 unverdicted novelty 7.0

    RLSpoofer trains a 4B model on 100 watermarked paraphrase pairs to spoof PF watermarks at 62% success rate, far exceeding baselines trained on up to 10,000 samples.

  4. Position: Preventing AI-Generated CSAM Necessitates New Approaches to AI Safety

    cs.CY 2026-06 accept novelty 6.5

    Legal and ethical bans on CSAM access and generation break standard AI safety techniques, creating 15 open problems that demand new methods for dataset cleaning, concept fusion prevention, fine-tuning resilience, dete...

  5. Global Sketch-Based Watermarking for Diffusion Language Models

    cs.CR 2026-06 unverdicted novelty 6.0

    Introduces a sketch-based watermarking method for masked diffusion language models providing an order-agnostic detection statistic decoupled from local context.

  6. TimeMark: A Trustworthy Time Watermarking Framework for Exact Generation-Time Recovery from AIGC

    cs.CR 2026-04 unverdicted novelty 6.0

    TimeMark is a trustworthy time watermarking framework that achieves exact generation-time recovery from AI-generated content with theoretically perfect accuracy by using time-dependent cryptographic keys, random non-s...

  7. Towards Robust Content Watermarking Against Removal and Forgery Attacks

    cs.CV 2026-04 unverdicted novelty 6.0

    ISTS watermarking dynamically controls injection based on prompt semantics and uses two-sided detection to resist removal and forgery attacks in diffusion models.

  8. Position: LLM Watermarking Should Align Stakeholders' Incentives for Practical Adoption

    cs.CR 2025-10 unverdicted novelty 4.0

    LLM watermarking adoption is limited by misaligned stakeholder incentives; incentive-aligned approaches such as in-context watermarking can enable practical use in targeted domains like education and peer review.