arxiv: 2605.02204 · v2 · submitted 2026-05-04 · 📡 eess.SP

Recognition: no theorem link

When Eavesdroppers Reason: Agentic Eavesdropping Attacks on Semantic Communication

Jiming Chen, Qianqian Yang, Shunpu Tang, Xuemin (Sherman) Shen, Zhiguo Shi

Authors on Pith no claims yet

Pith reviewed 2026-05-11 02:09 UTC · model grok-4.3

classification 📡 eess.SP

keywords semantic communicationeavesdropping attackslarge language modelsprivacy leakageagentic systemsjoint source-channel codingMIMO Rayleigh fading

0 comments

The pith

An LLM-orchestrated agentic eavesdropper recovers private semantics from semantic communication signals with over 75 percent success even without wiretap CSI.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper shows how semantic communication systems, which use end-to-end joint source-channel coding, remain vulnerable to privacy leakage despite their efficiency gains. It introduces a closed-loop eavesdropper built from three LLM-driven agents that work without any wiretap channel state information. The optimization agent inverts the combined semantic encoding and channel effects from the intercepted signal. The perception agent checks whether the recovered semantics appear reasonable and feeds that judgment back, while the refinement agent applies a generative prior to produce more complete and consistent private reconstructions. Simulations over MIMO Rayleigh fading channels confirm that the full workflow exceeds 75 percent eavesdropping success at SNR of 5 dB and above, demonstrating that current SemCom designs can leak substantial private content to adaptive attackers.

Core claim

By forming a closed-loop workflow with an optimization agent for joint semantic-and-channel inversion, a perception agent that evaluates semantic reasonableness and supplies feedback, and a refinement agent that uses generative priors to improve candidate reconstructions while preserving consistency with the intercepted signal, an LLM-orchestrated eavesdropper can recover private information from semantic communication transmissions over MIMO Rayleigh fading channels with more than 75 percent success at SNR greater than or equal to 5 dB even in the complete absence of wiretap CSI.

What carries the argument

The LLM-orchestrated agentic eavesdropper, a closed-loop system of three functional agents (optimization for adaptive inversion, perception for reasonableness assessment, and refinement for generative improvement) that together perform semantic recovery without wiretap CSI.

If this is right

Secure semantic communication systems must incorporate protections against adaptive, reasoning-driven eavesdroppers that operate without channel state information.
Privacy leakage in semantic communications can remain high even under standard fading conditions when attackers combine signal inversion with semantic evaluation and generative refinement.
The iterative feedback between the optimization and perception agents enables progressive improvement in reconstruction quality that fixed solvers cannot achieve.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Similar agentic workflows could expose vulnerabilities in other AI-driven communication schemes that rely on semantic or learned representations.
Practical defenses may need to disrupt LLM-based semantic reasoning rather than only adding physical-layer noise.
Hardware tests on real channels would reveal whether the reported simulation gains persist when channel estimation errors and model mismatches are present.

Load-bearing premise

The perception agent can reliably judge whether recovered semantics are reasonable and the refinement agent can improve them using a generative prior while staying consistent with the intercepted signal, all without ground-truth data or wiretap CSI.

What would settle it

An experiment or simulation in which the full three-agent workflow yields eavesdropping success rates below 50 percent on the same MIMO Rayleigh fading channels at SNR of 5 dB or higher would show that the claimed performance does not hold.

Figures

Figures reproduced from arXiv: 2605.02204 by Jiming Chen, Qianqian Yang, Shunpu Tang, Xuemin (Sherman) Shen, Zhiguo Shi.

**Figure 1.** Figure 1: Illustration of the proposed agentic eavesdropper framework, where there are three agents: the optimization agent, the view at source ↗

**Figure 2.** Figure 2: Performance comparison of the proposed agentic eavesdropper with baseline methods in terms of PSNR, MS-SSIM, view at source ↗

**Figure 3.** Figure 3: Visual comparison of reconstruction results obtained view at source ↗

read the original abstract

Semantic communication (SemCom) has emerged as a promising paradigm for next-generation networks. However, its typical end-to-end joint source--channel coding (JSCC) architecture also raises serious privacy concerns. To guide future secure SemCom design, it is important to understand how serious such leakage can be. Nevertheless, existing eavesdropping attacks mainly rely on fixed-configuration solvers and often require instantaneous wiretap channel state information (CSI) to achieve effective privacy inference. This may lead future secure SemCom designs to overlook potentially severe risks. To address this, we propose a large language model (LLM)-orchestrated agentic eavesdropper. Specifically, the proposed eavesdropper forms a closed-loop workflow with three functional agents. The optimization agent adaptively performs joint semantic-and-channel inversion to recover private information from the intercepted signal without requiring wiretap CSI. The perception agent evaluates the effectiveness of the optimization agent and assesses whether the recovered private semantics are reasonable, providing feedback to the optimization agent. The refinement agent further analyzes the recovered content and uses a generative prior to refine promising candidates into more realistic and complete private reconstructions while preserving consistency with the intercepted signal. Simulation results over a MIMO Rayleigh fading channel show that the proposed eavesdropper achieves more than $75\%$ eavesdropping success rate at $\mathrm{SNR}\geq 5$~dB even without wiretap CSI, highlighting a severe privacy threat that future secure SemCom systems must address.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper shows an LLM three-agent closed-loop eavesdropper recovering semantics from MIMO signals at >75% success without wiretap CSI, but the result rests on untested assumptions about agent judgment and consistency.

read the letter

The main takeaway is that this work builds a three-agent LLM system to attack semantic communication without needing wiretap CSI, with simulations claiming over 75% success at SNR of 5 dB and above on a standard MIMO Rayleigh channel. The closed-loop setup is the concrete new piece: one agent handles adaptive joint semantic and channel inversion, a second judges whether the output semantics look reasonable, and a third refines candidates using a generative prior while trying to stay consistent with the received signal. This moves past fixed solvers that typically demand CSI and applies recent LLM agent patterns to the SemCom privacy setting. It does a solid job of flagging a plausible risk for next-generation network designs that rely on end-to-end JSCC. The channel model and SNR range are conventional, so the setup itself is not exotic. The soft spots sit in the agent layer. The headline number depends on the perception agent correctly labeling reasonableness without ground truth and the refinement agent improving reconstructions without channel knowledge or explicit consistency metrics. The abstract gives no agent-level accuracy numbers, no ablations that remove the feedback loop, and no clear baselines or exact success definition. If those steps are brittle or prompt-sensitive, the 75% figure is hard to interpret. Full implementation details on prompts, exclusion rules, and how consistency is enforced would be needed to judge whether the result is robust. This is for people working on semantic communication security or LLM applications in wireless systems. A reader tracking privacy threats in emerging paradigms would get value from seeing the attack vector spelled out. It deserves a serious referee because the idea is timely and the simulation claim is specific enough to test, even though the paper will need more validation on the agents and metrics.

Referee Report

3 major / 2 minor

Summary. The paper proposes an LLM-orchestrated agentic eavesdropper for semantic communication (SemCom) systems. It consists of an optimization agent that performs joint semantic-and-channel inversion without wiretap CSI, a perception agent that evaluates the reasonableness of recovered semantics and provides feedback, and a refinement agent that uses a generative prior to improve candidates while maintaining consistency with the intercepted signal. Simulations over a MIMO Rayleigh fading channel are reported to yield more than 75% eavesdropping success rate at SNR ≥ 5 dB, demonstrating a severe privacy threat to end-to-end JSCC-based SemCom.

Significance. If the simulation results and agent behaviors hold under rigorous validation, the work would be significant for highlighting adaptive, reasoning-based eavesdropping risks in SemCom that do not require instantaneous wiretap CSI. The closed-loop agentic design using LLMs for optimization, perception, and refinement offers a concrete example of how generative priors and iterative feedback can amplify leakage, which could usefully inform future secure SemCom defenses. The absence of machine-checked proofs or parameter-free derivations is offset by the falsifiable simulation claim, but stronger evidence of agent reliability would strengthen the contribution.

major comments (3)

[Simulation results] Simulation results section: The headline claim of >75% eavesdropping success rate at SNR≥5 dB is presented without defining the success metric (e.g., semantic similarity threshold or exact reconstruction criterion), the number of Monte Carlo trials, antenna configuration details, or any exclusion rules for trials. This directly affects attribution of performance to the proposed agents rather than simulation choices.
[Proposed method] Agent workflow (optimization-perception-refinement loop): The perception agent's judgment of 'reasonable' semantics and the refinement agent's enforcement of signal consistency are load-bearing for the closed-loop operation and the reported success rate, yet no quantitative validation (e.g., agent accuracy, false-positive rate on reasonableness, or ablation removing either agent) is provided despite the absence of ground-truth labels or wiretap CSI.
[Introduction] Introduction and related work: The contrast with prior fixed-configuration eavesdroppers that require wiretap CSI is central to the motivation, but no direct performance table or quantitative comparison against such baselines under identical no-CSI MIMO Rayleigh conditions is included, leaving the magnitude of improvement unclear.

minor comments (2)

[Abstract] Abstract: The MIMO Rayleigh channel parameters (e.g., number of transmit/receive antennas, exact fading model) are not stated, which would aid reproducibility of the SNR≥5 dB result.
[Proposed method] Notation: The paper introduces 'optimization agent', 'perception agent', and 'refinement agent' without an explicit diagram or pseudocode listing their input/output interfaces and interaction protocol, which would clarify the closed-loop workflow.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback on our manuscript. We address each major comment point by point below, indicating where revisions will be made to improve clarity, validation, and comparative analysis while preserving the core contributions of the agentic eavesdropping framework.

read point-by-point responses

Referee: [Simulation results] Simulation results section: The headline claim of >75% eavesdropping success rate at SNR≥5 dB is presented without defining the success metric (e.g., semantic similarity threshold or exact reconstruction criterion), the number of Monte Carlo trials, antenna configuration details, or any exclusion rules for trials. This directly affects attribution of performance to the proposed agents rather than simulation choices.

Authors: We agree that these implementation details are necessary for reproducibility and to properly attribute the reported performance. In the revised manuscript, we will explicitly define the success metric (based on semantic similarity of recovered content), state the number of Monte Carlo trials used, specify the MIMO antenna configuration, and confirm that all generated trials were included in the averages without exclusion criteria. These clarifications will be added to the Simulation Results section. revision: yes
Referee: [Proposed method] Agent workflow (optimization-perception-refinement loop): The perception agent's judgment of 'reasonable' semantics and the refinement agent's enforcement of signal consistency are load-bearing for the closed-loop operation and the reported success rate, yet no quantitative validation (e.g., agent accuracy, false-positive rate on reasonableness, or ablation removing either agent) is provided despite the absence of ground-truth labels or wiretap CSI.

Authors: We acknowledge that direct quantitative metrics for the perception and refinement agents are challenging due to the lack of ground-truth labels and wiretap CSI. In the revision, we will add an ablation study comparing the full three-agent system against variants that disable the perception agent or the refinement agent, thereby quantifying their individual contributions to the overall success rate under the same no-CSI conditions. We will also include qualitative examples of agent feedback and refinements to illustrate their operation. revision: partial
Referee: [Introduction] Introduction and related work: The contrast with prior fixed-configuration eavesdroppers that require wiretap CSI is central to the motivation, but no direct performance table or quantitative comparison against such baselines under identical no-CSI MIMO Rayleigh conditions is included, leaving the magnitude of improvement unclear.

Authors: We agree that a direct quantitative comparison would strengthen the motivation and highlight the advantages of the agentic approach. In the revised manuscript, we will include a performance comparison table in the Simulation Results section, evaluating the proposed method against fixed-configuration baseline eavesdroppers (adapted to the no-CSI setting) under identical MIMO Rayleigh fading conditions. This will provide a clear measure of the improvement achieved by the LLM-orchestrated closed-loop design. revision: yes

Circularity Check

0 steps flagged

No circularity in simulation-evaluated agentic eavesdropping proposal

full rationale

The paper introduces an LLM-orchestrated closed-loop eavesdropper with optimization, perception, and refinement agents for semantic communication attacks and reports performance via direct Monte Carlo simulations over MIMO Rayleigh channels, yielding >75% success at SNR≥5 dB without wiretap CSI. No equations, fitted parameters, or derivations are presented that reduce by construction to the inputs; the headline metric is an empirical simulation outcome, not a renamed fit or self-referential definition. No self-citation chains, uniqueness theorems, or ansatzes are invoked as load-bearing steps in the abstract or described workflow. The method is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 3 invented entities

The paper introduces three new functional agents as core components of the eavesdropper. It relies on the standard MIMO Rayleigh fading model for evaluation but does not introduce fitted parameters or new physical entities beyond the agent workflow.

axioms (1)

domain assumption MIMO Rayleigh fading channel model
Used as the simulation environment for performance evaluation.

invented entities (3)

Optimization agent no independent evidence
purpose: Adaptively performs joint semantic-and-channel inversion to recover private information
Core component of the proposed closed-loop workflow
Perception agent no independent evidence
purpose: Evaluates effectiveness and assesses reasonableness of recovered semantics
Core component of the proposed closed-loop workflow
Refinement agent no independent evidence
purpose: Analyzes recovered content and uses generative prior to refine candidates
Core component of the proposed closed-loop workflow

pith-pipeline@v0.9.0 · 5574 in / 1287 out tokens · 38244 ms · 2026-05-11T02:09:56.245690+00:00 · methodology

Review history (2 revisions) →

discussion (0)

Reference graph

Works this paper leans on

15 extracted references · 15 canonical work pages · 1 internal anchor

[1]

Beyond transmitting bits: Context, semantics, and task-oriented communications,

D. G ¨und¨uz, Z. Qin, I. E. Aguerri, H. S. Dhillon, Z. Yang, A. Yener, K. Wong, and C. Chae, “Beyond transmitting bits: Context, semantics, and task-oriented communications,”IEEE J. Sel. Areas Commun., vol. 41, no. 1, pp. 5–41, 2023

work page 2023
[2]

Secure semantic communications: Fundamentals and challenges,

Z. Yang, M. Chen, G. Li, Y . Yang, and Z. Zhang, “Secure semantic communications: Fundamentals and challenges,”IEEE Netw., vol. 38, no. 6, pp. 513–520, 2024

work page 2024
[3]

Wireless image transmission with semantic and security awareness,

M. Zhang, Y . Li, Z. Zhang, G. Zhu, and C. Zhong, “Wireless image transmission with semantic and security awareness,”IEEE Wirel. Com- mun. Lett., vol. 12, no. 8, pp. 1389–1393, 2023

work page 2023
[4]

The model inversion eaves- dropping attack in semantic communication systems,

Y . Chen, Q. Yang, Z. Shi, and J. Chen, “The model inversion eaves- dropping attack in semantic communication systems,” inIEEE Glob. Commun. Conf. (GLOBECOM), 2023, pp. 1–6

work page 2023
[5]

Towards secure semantic communications in the presence of intelligent eaves- droppers,

S. Tang, Y . Chen, Q. Yang, R. Zhang, D. Niyato, and Z. Shi, “Towards secure semantic communications in the presence of intelligent eaves- droppers,”arXiv:2503.23103, 2025

work page arXiv 2025
[6]

Advanced properties of full-duplex radio for securing wireless network,

Y . Hua, “Advanced properties of full-duplex radio for securing wireless network,”IEEE Trans. Signal Processing, vol. 67, no. 1, pp. 120–135, 2019

work page 2019
[7]

Secure miso wiretap channels with multi-antenna passive eavesdropper via artificial fast fading,

H.-M. Wang, T. Zheng, and P. Mu, “Secure miso wiretap channels with multi-antenna passive eavesdropper via artificial fast fading,” inIEEE Commun. Conf. (ICC), 2014, pp. 5396–5401

work page 2014
[8]

React: Synergizing reasoning and acting in language models,

S. Yao, J. Zhao, D. Yu, N. Du, I. Shafran, K. R. Narasimhan, and Y . Cao, “React: Synergizing reasoning and acting in language models,” inProc. Int. Conf. Learn. Repr. (ICLR), 2023

work page 2023
[9]

Tree of thoughts: Deliberate problem solving with large language models,

S. Yao, D. Yu, J. Zhao, I. Shafran, T. Griffiths, Y . Cao, and K. Narasimhan, “Tree of thoughts: Deliberate problem solving with large language models,”Proc. Adv. Neural Inf. Process. Syst. (NeurIPS), vol. 36, pp. 11 809–11 822, 2023

work page 2023
[10]

A survey on LLM-as-a-judge,

J. Gu, X. Jiang, Z. Shi, H. Tan, X. Zhai, C. Xu, W. Li, Y . Shen, S. Ma, H. Liuet al., “A survey on LLM-as-a-judge,”The Innov., 2024

work page 2024
[11]

Toward agentic ai: Generative information retrieval inspired intelligent communications and networking,

R. Zhang, S. Tang, Y . Liu, D. Niyato, Z. Xiong, S. Sun, S. Mao, and Z. Han, “Toward agentic ai: Generative information retrieval inspired intelligent communications and networking,”IEEE Commun. Mag., 2025

work page 2025
[12]

arXiv preprint arXiv:2507.07105 (2025)

Y . Zuo, Q. Zheng, M. Wu, X. Jiang, R. Li, J. Wang, Y . Zhang, G. Mai, L. V . Wang, J. Zou, X. Wang, M.-H. Yang, and Z. Tu, “4KAgent: Agentic any image to 4K super-resolution,”arXiv preprint arXiv:2507.07105, 2025

work page arXiv 2025
[13]

Depicting beyond scores: Advancing image quality assessment through multi- modal language models,

Z. You, Z. Li, J. Gu, Z. Yin, T. Xue, and C. Dong, “Depicting beyond scores: Advancing image quality assessment through multi- modal language models,” inProc. Eur. Conf. Comput. Vis. (ECCV), 2024, pp. 259–276

work page 2024
[14]

Arcface: Additive angular margin loss for deep face recognition,

J. Deng, J. Guo, N. Xue, and S. Zafeiriou, “Arcface: Additive angular margin loss for deep face recognition,” inProc. IEEE/CVF Conf. Comput. Vis. Pattern Recog. (CVPR), 2019, pp. 4685–4694

work page 2019
[15]

Privacy-Preserving Semantic Communication over Wiretap Channels with Learnable Differential Privacy

W. Chen, Q. Yang, S. Shao, S. Tang, Z. Shi, and S. Yu, “Privacy- preserving semantic communication over wiretap channels with learn- able differential privacy,”arXiv:2510.23274, 2025

work page internal anchor Pith review Pith/arXiv arXiv 2025