DITTO: A Spoofing Attack Framework on Watermarked LLMs via Knowledge Distillation

The promise of LLM watermarking rests on a core assumption that a specific watermark proves authorship by a specific model. We demonstrate that this assumption is dangerously flawed. We introduce the threat of watermark spoofing, a sophisticated attack that allows a malicious model to generate text containing the authentic-looking watermark of a trusted, victim model. This enables the seamless misattribution of harmful content, such as disinformation, to reputable sources. The key to our attack is repurposing watermark radioactivity, the unintended inheritance of data patterns during fine-tuning, from a discoverable trait into an attack vector. By distilling knowledge from a watermarked teacher model, our framework allows an attacker to steal and replicate the watermarking signal of the victim model. This work reveals a critical security gap in text authorship verification and calls for a paradigm shift towards technologies capable of distinguishing authentic watermarks from expertly imitated ones. Our code is available at https://github.com/hsannn/ditto.git.

Key Contributions

• Introduces the threat of watermark spoofing, demonstrating that a malicious model can generate text bearing an authentic-looking watermark of a trusted victim LLM
• Proposes DITTO, a knowledge distillation-based framework that repurposes watermark radioactivity as an attack vector to steal and replicate a victim model's watermarking signal
• Exposes a fundamental security gap in LLM watermarking's core assumption that a watermark uniquely proves authorship by a specific model

🛡️ Threat Analysis

Details

Similar Papers