
Who's the Mole? Modeling and Detecting Intention-Hiding Malicious Agents in LLM-Based Multi-Agent Systems

Yizhe Xie, Congcong Zhu, Xinyue Zhang, Tianqing Zhu, Dayong Ye, Minghao Wang, Chi Liu

TL;DR

The paper addresses the risk of intention-hiding malicious agents in LLM-based multi-agent systems and formalizes four attack paradigms across centralized, decentralized, and layered communication structures. It introduces AgentXposed, a psychologically grounded detector that combines HEXACO-based trait profiling and the Reid interrogation technique, plus two post-detection defenses to mitigate disturbances. The authors evaluate on six benchmarks (MMLU, MMLU-Pro, HumanEval, GSM8K, Arithmetic, Biographies) and demonstrate robust detection and defense across architectures, highlighting a trade-off between stealth and disruption. The work advances practical safety for LLM-MAS by enabling proactive detection and containment of covert adversaries, with implications for safer deployment of collaborative AI systems.

Abstract

Multi-agent systems powered by Large Language Models (LLM-MAS) have demonstrated remarkable capabilities in collaborative problem-solving. However, their deployment also introduces new security risks. Existing research on LLM-based agents has primarily examined single-agent scenarios, while the security of multi-agent systems remains largely unexplored. To address this gap, we present a systematic study of intention-hiding threats in LLM-MAS. We design four representative attack paradigms that subtly disrupt task completion while maintaining a high degree of stealth, and evaluate them under centralized, decentralized, and layered communication structures. Experimental results show that these attacks are highly disruptive and can easily evade existing defense mechanisms. To counter these threats, we propose AgentXposed, a psychology-inspired detection framework. AgentXposed draws on the HEXACO personality model, which characterizes agents through psychological trait dimensions, and the Reid interrogation technique, a structured method for eliciting concealed intentions. By combining progressive questionnaire probing with behavior-based inter-agent monitoring, the framework enables the proactive identification of malicious agents before harmful actions are carried out. Extensive experiments across six datasets against both our proposed attacks and two baseline threats demonstrate that AgentXposed effectively detects diverse forms of malicious behavior, achieving strong robustness across multiple communication settings.

Paper Structure

This paper contains 27 sections, 2 equations, 10 figures, 3 tables.

Figures (10)

  • Figure 1: Example of a reframing misalignment attack. The user requests a solution for coding problem Q1, but the malicious Agent 2 redirects the discussion toward subtask Q2. Other agents follow this shift, and the group ultimately produces code for Q2 instead of the original objective.
  • Figure 2: System architecture for detecting intention-concealing malicious agents in multi-agent environments. Left: Four attack typologies demonstrating adversarial behavior concealment across distinct communication topologies. Right: Our multi-stage detection framework combining progressive behavioral screening with psychological profiling models.
  • Figure 3: A suboptimal fixation attack diverts the team toward overly conservative solutions that impair efficiency.
  • Figure 4: Fake injection introduces fabricated knowledge that misleads agents and disrupts final execution.
  • Figure 5: Execution delay attack prolongs discussion with verbose reasoning.
  • ...and 5 more figures