Table of Contents
Fetching ...

LLMs unlock new paths to monetizing exploits

Nicholas Carlini, Milad Nasr, Edoardo Debenedetti, Barry Wang, Christopher A. Choquette-Choo, Daphne Ippolito, Florian Tramèr, Matthew Jagielski

TL;DR

The paper analyzes how state-of-the-art LLMs can shift the economics of cyberattacks by enabling both long-tail exploitation and targeted, per-device attacks. It provides an economic framework and a suite of empirical case studies showing how LLMs improve data mining for sensitive information, automate exploitation in low-user-count apps, mimic trusted devices, and execute actions as an authenticated user, among other vectors. While current demonstrations are costly and not yet widely profitable, the authors argue that rapid declines in LLM inference costs will expand viable attack surfaces, necessitating defense-in-depth and proactive mitigations such as PII-mining controls and on-device threat profiling. The work also discusses ethical considerations and outlines future directions for defense and research into LLM-based cyber defenses. Overall, the study highlights a near-future cybersecurity landscape where adversaries with LLMs can scale personalized exploits, prompting urgent attention to robust, layered defenses and responsible model-use monitoring. $value = (profit\ per\ exploit) \times (\#\ impacted) - (cost\ to\ identify\ vulnerability\ and\ develop\ the\ exploit)$ should be read as a guiding economic lens for evaluating attack viability across contexts.

Abstract

We argue that Large language models (LLMs) will soon alter the economics of cyberattacks. Instead of attacking the most commonly used software and monetizing exploits by targeting the lowest common denominator among victims, LLMs enable adversaries to launch tailored attacks on a user-by-user basis. On the exploitation front, instead of human attackers manually searching for one difficult-to-identify bug in a product with millions of users, LLMs can find thousands of easy-to-identify bugs in products with thousands of users. And on the monetization front, instead of generic ransomware that always performs the same attack (encrypt all your data and request payment to decrypt), an LLM-driven ransomware attack could tailor the ransom demand based on the particular content of each exploited device. We show that these two attacks (and several others) are imminently practical using state-of-the-art LLMs. For example, we show that without any human intervention, an LLM finds highly sensitive personal information in the Enron email dataset (e.g., an executive having an affair with another employee) that could be used for blackmail. While some of our attacks are still too expensive to scale widely today, the incentives to implement these attacks will only increase as LLMs get cheaper. Thus, we argue that LLMs create a need for new defense-in-depth approaches.

LLMs unlock new paths to monetizing exploits

TL;DR

The paper analyzes how state-of-the-art LLMs can shift the economics of cyberattacks by enabling both long-tail exploitation and targeted, per-device attacks. It provides an economic framework and a suite of empirical case studies showing how LLMs improve data mining for sensitive information, automate exploitation in low-user-count apps, mimic trusted devices, and execute actions as an authenticated user, among other vectors. While current demonstrations are costly and not yet widely profitable, the authors argue that rapid declines in LLM inference costs will expand viable attack surfaces, necessitating defense-in-depth and proactive mitigations such as PII-mining controls and on-device threat profiling. The work also discusses ethical considerations and outlines future directions for defense and research into LLM-based cyber defenses. Overall, the study highlights a near-future cybersecurity landscape where adversaries with LLMs can scale personalized exploits, prompting urgent attention to robust, layered defenses and responsible model-use monitoring. should be read as a guiding economic lens for evaluating attack viability across contexts.

Abstract

We argue that Large language models (LLMs) will soon alter the economics of cyberattacks. Instead of attacking the most commonly used software and monetizing exploits by targeting the lowest common denominator among victims, LLMs enable adversaries to launch tailored attacks on a user-by-user basis. On the exploitation front, instead of human attackers manually searching for one difficult-to-identify bug in a product with millions of users, LLMs can find thousands of easy-to-identify bugs in products with thousands of users. And on the monetization front, instead of generic ransomware that always performs the same attack (encrypt all your data and request payment to decrypt), an LLM-driven ransomware attack could tailor the ransom demand based on the particular content of each exploited device. We show that these two attacks (and several others) are imminently practical using state-of-the-art LLMs. For example, we show that without any human intervention, an LLM finds highly sensitive personal information in the Enron email dataset (e.g., an executive having an affair with another employee) that could be used for blackmail. While some of our attacks are still too expensive to scale widely today, the incentives to implement these attacks will only increase as LLMs get cheaper. Thus, we argue that LLMs create a need for new defense-in-depth approaches.
Paper Structure (86 sections, 1 equation, 16 figures, 1 table)

This paper contains 86 sections, 1 equation, 16 figures, 1 table.

Figures (16)

  • Figure 1: LLMs identify various types of sensitive content in email addresses with higher precision and recall than traditional tooling, evaluated on (a) passwords, (b) credit card numbers, and (c) social security numbers.
  • Figure 2: GPT-4o-mini is over $100\times$ cheaper than the original GPT-4 at launch, and achieves a higher F1 score at identifying passwords in the Enron email dataset.
  • Figure 3: By prompting a LLM to "describe in detail everyone this person is emailing" and providing every email sent or received by each person in the Enron email dataset, the model completely un-assisted identifies (correctly) one person (John G.) who has an extramarital affair with a coworker. Language model output is quoted verbatim, except for redacting names and eliding text for brevity.
  • Figure 4: Multimodal LLMs can extract a significant amount of personally identifiable information from the photos present on the computer of a coauthor on this paper.
  • Figure 5: Censored examples images extracted from LAION that include publicly available personal financial information.
  • ...and 11 more figures