attack 2025

BadScientist: Can a Research Agent Write Convincing but Unsound Papers that Fool LLM Reviewers?

Fengqing Jiang ^1,2, Yichen Feng ¹, Yuetai Li ¹, Luyao Niu ¹, Basel Alomair ^2,1, Radha Poovendran ¹

¹ University of Washington

² King Abdulaziz City for Science and Technology

0 citations · 29 references · arXiv

Published on arXiv

2510.18003

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Fabricated papers achieve high LLM-reviewer acceptance rates, mitigation detection accuracy barely exceeds random chance, and 'concern-acceptance conflict' exposes fundamental integrity failures in current AI-driven review pipelines.

BadScientist

Novel technique introduced

The convergence of LLM-powered research assistants and AI-based peer review systems creates a critical vulnerability: fully automated publication loops where AI-generated research is evaluated by AI reviewers without human oversight. We investigate this through \textbf{BadScientist}, a framework that evaluates whether fabrication-oriented paper generation agents can deceive multi-model LLM review systems. Our generator employs presentation-manipulation strategies requiring no real experiments. We develop a rigorous evaluation framework with formal error guarantees (concentration bounds and calibration analysis), calibrated on real data. Our results reveal systematic vulnerabilities: fabricated papers achieve acceptance rates up to . Critically, we identify \textit{concern-acceptance conflict} -- reviewers frequently flag integrity issues yet assign acceptance-level scores. Our mitigation strategies show only marginal improvements, with detection accuracy barely exceeding random chance. Despite provably sound aggregation mathematics, integrity checking systematically fails, exposing fundamental limitations in current AI-driven review systems and underscoring the urgent need for defense-in-depth safeguards in scientific publishing.

Key Contributions

BadScientist framework: a fabrication-oriented LLM paper generation agent using presentation-manipulation strategies requiring no real experiments to fool LLM review systems
Identification of 'concern-acceptance conflict' — a systematic failure mode where LLM reviewers flag integrity issues yet assign acceptance-level scores
Rigorous evaluation framework with formal error guarantees (concentration bounds, calibration analysis) for assessing LLM review system vulnerabilities; shows mitigation strategies barely exceed random chance

🛡️ Threat Analysis

Details

Domains

nlp

Model Types

llm

Threat Tags

black_boxinference_timetargeted

Applications

ai peer review systemsautomated scientific publishing

Read PDF arXiv DOI

BadScientist: Can a Research Agent Write Convincing but Unsound Papers that Fool LLM Reviewers?

Key Contributions

🛡️ Threat Analysis

Details

Similar Papers

MURMUR: Using cross-user chatter to break collaborative language agents in groups

Zombie Agents: Persistent Control of Self-Evolving LLM Agents via Self-Reinforcing Injections

When Agents See Humans as the Outgroup: Belief-Dependent Bias in LLM-Powered Agents

Shadows in the Code: Exploring the Risks and Defenses of LLM-based Multi-Agent Software Development Systems

Many-to-One Adversarial Consensus: Exposing Multi-Agent Collusion Risks in AI-Based Healthcare

Red Teaming Program Repair Agents: When Correct Patches can Hide Vulnerabilities

Tipping the Dominos: Topology-Aware Multi-Hop Attacks on LLM-Based Multi-Agent Systems

Attack the Messages, Not the Agents: A Multi-round Adaptive Stealthy Tampering Framework for LLM-MAS