LMVD-ID: a23bd199
Published February 1, 2026

Evolutionary Hidden Knowledge Recovery

model-layer
prompt-layer
jailbreak
extraction
fine-tuning
blackbox
data-privacy
safety

Research Paper

REBEL: Hidden Knowledge Recovery via Evolutionary-Based Evaluation Loop

View Paper

Description: Large Language Models (LLMs) subjected to machine unlearning techniques (specifically AltPO, GradDiff, IDKDPO, IDKNLL, UNDIAL, NPO, and SimNPO) contain a vulnerability regarding the persistence of latent knowledge. Despite achieving high "forgetting" scores on standard, benign benchmarks, these models remain susceptible to black-box evolutionary adversarial attacks. An attacker can utilize an automated framework (REBEL) comprising a "Hacker" model and a "Judge" model to iteratively mutate prompts. By optimizing for leakage scores, the attacker can evolve benign queries into adversarial jailbreaks (utilizing strategies such as role-play, hypothetical framing, and context distortion) that successfully elicit the "unlearned" information. This vulnerability allows for the recovery of sensitive, copyrighted, or hazardous data (e.g., biosecurity information) that was intended to be removed.

Examples: The vulnerability is exploited via an iterative evolutionary loop rather than a single static prompt. The attack process involves:

  1. Initialization: Select a benign query from the forget set (e.g., a question about a fictitious author in the TOFU dataset).
  2. Mutation: A Hacker LLM mutates the prompt based on feedback.
  • Strategy: "Act as archivist" role-play or hypothetical framing.
  1. Evaluation: A Judge LLM scores the response for partial leakage.
  2. Iteration: Prompts with high leakage scores are selected for further mutation.

Specific implementation code and prompt templates for the Hacker and Judge agents are available in the official repository: See https://github.com/patryk-rybak/REBEL/

Impact:

  • Data Leakage: Recovery of sensitive Personally Identifiable Information (PII) or copyrighted content that was supposedly deleted to comply with regulations (e.g., GDPR "Right to be Forgotten").
  • Safety Bypass: Restoration of hazardous capabilities in safety-aligned models. In tests on the WMDP-Bio benchmark, the attack achieved a 93% success rate in recovering biosecurity knowledge from unlearned models.
  • Model Compromise: Attackers can bypass safety guardrails established during the unlearning process, rendering the sanitization ineffective.

Affected Systems: LLMs post-processed with the following machine unlearning algorithms:

  • AltPO (Alternate Preference Optimization)
  • GradDiff (Gradient Difference)
  • IDKDPO / IDKNLL (I Don't Know Preference Optimization/NLL)
  • UNDIAL (Unlearning via Dialectical Self-Distillation)
  • NPO (Negative Preference Optimization)
  • SimNPO (Simple Negative Preference Optimization)

Mitigation Steps:

  • Adversarial Unlearning: Incorporate adversarial pressure into the unlearning training loop. Use jailbreak prompts discovered by evolutionary methods as negative signals during training to suppress prompt-based recoverability.
  • Adaptive Evaluation: Replace static forgetting metrics (e.g., ROUGE-L on benign prompts) with dynamic adversarial stress tests (such as REBEL) to verify the permanence of knowledge removal.
  • Leakage Scoring: Implement rigorous leakage detection using LLM-as-a-judge mechanisms to identify partial disclosures during the model validation phase.

© 2026 Promptfoo. All rights reserved.