Table of Contents
Fetching ...

The Echo Chamber Multi-Turn LLM Jailbreak

Ahmad Alobaid, Martí Jordà Roca, Carlos Castillo, Joan Vendrell

TL;DR

The paper tackles the security risk of jailbreaking Large Language Models (LLMs) via multi-turn attacks. It proposes Echo Chamber, a gradual escalation method that seeds conversations with innocuous prompts to induce the model to echo and amplify harmful content through its own outputs, thereby bypassing guardrails. The authors implement an automated two-LLM pipeline to generate and evaluate attacks, and compare against Crescendo and DAN on AdvBench tasks, finding Echo Chamber to achieve higher jailbreak success across multiple models and categories, especially for violence and hacking objectives. They discuss limitations and propose defenses—including red-teaming, data curation, and content moderation—along with an open-source toolkit to stress-test and improve LLM safety, underscoring the practical impact on building more robust guardrails.

Abstract

The availability of Large Language Models (LLMs) has led to a new generation of powerful chatbots that can be developed at relatively low cost. As companies deploy these tools, security challenges need to be addressed to prevent financial loss and reputational damage. A key security challenge is jailbreaking, the malicious manipulation of prompts and inputs to bypass a chatbot's safety guardrails. Multi-turn attacks are a relatively new form of jailbreaking involving a carefully crafted chain of interactions with a chatbot. We introduce Echo Chamber, a new multi-turn attack using a gradual escalation method. We describe this attack in detail, compare it to other multi-turn attacks, and demonstrate its performance against multiple state-of-the-art models through extensive evaluation.

The Echo Chamber Multi-Turn LLM Jailbreak

TL;DR

The paper tackles the security risk of jailbreaking Large Language Models (LLMs) via multi-turn attacks. It proposes Echo Chamber, a gradual escalation method that seeds conversations with innocuous prompts to induce the model to echo and amplify harmful content through its own outputs, thereby bypassing guardrails. The authors implement an automated two-LLM pipeline to generate and evaluate attacks, and compare against Crescendo and DAN on AdvBench tasks, finding Echo Chamber to achieve higher jailbreak success across multiple models and categories, especially for violence and hacking objectives. They discuss limitations and propose defenses—including red-teaming, data curation, and content moderation—along with an open-source toolkit to stress-test and improve LLM safety, underscoring the practical impact on building more robust guardrails.

Abstract

The availability of Large Language Models (LLMs) has led to a new generation of powerful chatbots that can be developed at relatively low cost. As companies deploy these tools, security challenges need to be addressed to prevent financial loss and reputational damage. A key security challenge is jailbreaking, the malicious manipulation of prompts and inputs to bypass a chatbot's safety guardrails. Multi-turn attacks are a relatively new form of jailbreaking involving a carefully crafted chain of interactions with a chatbot. We introduce Echo Chamber, a new multi-turn attack using a gradual escalation method. We describe this attack in detail, compare it to other multi-turn attacks, and demonstrate its performance against multiple state-of-the-art models through extensive evaluation.
Paper Structure (16 sections, 8 figures, 6 tables)

This paper contains 16 sections, 8 figures, 6 tables.

Figures (8)

  • Figure 1: A simplified representation of the Echo Chamber jailbreak.
  • Figure 2: A dialogue in which Gemini 2.5 Pro refuses to answer a harmful prompt.
  • Figure 3: Screenshot of an LLM answer to an Echo Chamber attack. The answer includes detailed instructions to prepare a Molotov cocktail from scavenged sources (redacted).
  • Figure 4: Echo Chamber attack workflow.
  • Figure 5: Overall attack success rate by technique.
  • ...and 3 more figures