pith. sign in
Pith Number

pith:WNU3OHL5

pith:2026:WNU3OHL5ZVTVH2SQKGVTMTTBEG
not attested not anchored not stored refs pending

Sockpuppetting: Jailbreaking LLMs by Combining Prefilling with Optimization

Asen Dotsinski, Panagiotis Eustratiadis

Ensembling a few prefill variants plus sockpuppet optimization inside the assistant block raises jailbreak success rates to 99 percent on several open models.

arxiv:2601.13359 v2 · 2026-01-19 · cs.CL · cs.CR · cs.LG

Open paper page JSON Open Graph Bundle Merged state Verified badge What is a Pith Number?
Add to your LaTeX paper 
\usepackage{pith}
\pithnumber{WNU3OHL5ZVTVH2SQKGVTMTTBEG}

Prints a linked badge after your title and injects PDF metadata. Compiles on arXiv. Learn more · Embed verified badge

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open · sign in to claim
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1strongest claim

Running three easy-to-generate prefills yields a combined attack success rate (ASR) of 22%, 90%, and 99% on Gemma-7B, Llama-3.1-8B, and Qwen3-8B respectively, an up to 38% improvement over the standard 'Sure, here's...' prefill and up to 82% over our reproduction of GCG. The rolling variant of this attack, RollingSockpuppetGCG, increases prompt-agnostic ASR by up to 64% over our universal GCG baseline on Llama-3.1-8B.

C2weakest assumption

That the measured ASR improvements generalize beyond the three tested models and the specific prompts used, and that the sockpuppetting optimization remains effective and low-cost when applied to new models or chat templates without retraining or heavy compute.

C3one line summary

Ensembling prefills and sockpuppetting optimization inside assistant blocks boost LLM jailbreak ASR to 99% on Qwen3-8B and 64% over GCG baselines on Llama-3.1-8B.

Formal links

1 machine-checked theorem link

Receipt and verification
First computed 2026-05-18T03:09:24.355190Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

b369b71d7dcd6753ea5051ab364e61219ab96471cf6e747c3edbe358dcb8ac4d

Aliases

arxiv: 2601.13359 · arxiv_version: 2601.13359v2 · doi: 10.48550/arxiv.2601.13359 · pith_short_12: WNU3OHL5ZVTV · pith_short_16: WNU3OHL5ZVTVH2SQ · pith_short_8: WNU3OHL5
Agent API
Resolver JSON Graph JSON Events JSON Schema Signing key
Verify this Pith Number yourself 
curl -sH 'Accept: application/ld+json' https://pith.science/pith/WNU3OHL5ZVTVH2SQKGVTMTTBEG \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: b369b71d7dcd6753ea5051ab364e61219ab96471cf6e747c3edbe358dcb8ac4d
Canonical record JSON 
{
  "metadata": {
    "abstract_canon_sha256": "fabee0a5a0bda0ea64257761a47a50606a35c84f306adcf48ccef70d69a8d0aa",
    "cross_cats_sorted": [
      "cs.CR",
      "cs.LG"
    ],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CL",
    "submitted_at": "2026-01-19T19:53:48Z",
    "title_canon_sha256": "2fb6337aaa2dcad3521d83a4e43b17606bffc500e46290f5e24e112fc567f847"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2601.13359",
    "kind": "arxiv",
    "version": 2
  }
}