Table of Contents
Fetching ...

Adversarial News and Lost Profits: Manipulating Headlines in LLM-Driven Algorithmic Trading

Advije Rizvani, Giovanni Apruzzese, Pavel Laskov

TL;DR

This work exposes a system-level security risk in LLM-driven algorithmic trading by showing how two practical, human-imperceptible headline manipulations (Unicode homoglyph substitutions and hidden-text injections) can mislead sentiment analysis and degrade trading performance. By building a Backtrader-based ATS that fuses an LSTM price forecast with FinBERT/LLM sentiment, the authors quantify monetary impact across a 14-month window, revealing average losses around $3$–$4$ percentage points and up to $17.7$ percentage points in worst-case scenarios. The study extends to cross-model transferability across nine LLMs and includes a FinTech practitioner survey to corroborate realism, highlighting that vendor news pipelines and scraping libraries can propagate such attacks in real-world settings. Countermeasures are proposed, including input sanitization, adversarially aware LLMs, and engineering safeguards, emphasizing the need for forensics and vendor transparency to mitigate systemic risk in financial AI systems.

Abstract

Large Language Models (LLMs) are increasingly adopted in the financial domain. Their exceptional capabilities to analyse textual data make them well-suited for inferring the sentiment of finance-related news. Such feedback can be leveraged by algorithmic trading systems (ATS) to guide buy/sell decisions. However, this practice bears the risk that a threat actor may craft "adversarial news" intended to mislead an LLM. In particular, the news headline may include "malicious" content that remains invisible to human readers but which is still ingested by the LLM. Although prior work has studied textual adversarial examples, their system-wide impact on LLM-supported ATS has not yet been quantified in terms of monetary risk. To address this threat, we consider an adversary with no direct access to an ATS but able to alter stock-related news headlines on a single day. We evaluate two human-imperceptible manipulations in a financial context: Unicode homoglyph substitutions that misroute models during stock-name recognition, and hidden-text clauses that alter the sentiment of the news headline. We implement a realistic ATS in Backtrader that fuses an LSTM-based price forecast with LLM-derived sentiment (FinBERT, FinGPT, FinLLaMA, and six general-purpose LLMs), and quantify monetary impact using portfolio metrics. Experiments on real-world data show that manipulating a one-day attack over 14 months can reliably mislead LLMs and reduce annual returns by up to 17.7 percentage points. To assess real-world feasibility, we analyze popular scraping libraries and trading platforms and survey 27 FinTech practitioners, confirming our hypotheses. We notified trading platform owners of this security issue.

Adversarial News and Lost Profits: Manipulating Headlines in LLM-Driven Algorithmic Trading

TL;DR

This work exposes a system-level security risk in LLM-driven algorithmic trading by showing how two practical, human-imperceptible headline manipulations (Unicode homoglyph substitutions and hidden-text injections) can mislead sentiment analysis and degrade trading performance. By building a Backtrader-based ATS that fuses an LSTM price forecast with FinBERT/LLM sentiment, the authors quantify monetary impact across a 14-month window, revealing average losses around percentage points and up to percentage points in worst-case scenarios. The study extends to cross-model transferability across nine LLMs and includes a FinTech practitioner survey to corroborate realism, highlighting that vendor news pipelines and scraping libraries can propagate such attacks in real-world settings. Countermeasures are proposed, including input sanitization, adversarially aware LLMs, and engineering safeguards, emphasizing the need for forensics and vendor transparency to mitigate systemic risk in financial AI systems.

Abstract

Large Language Models (LLMs) are increasingly adopted in the financial domain. Their exceptional capabilities to analyse textual data make them well-suited for inferring the sentiment of finance-related news. Such feedback can be leveraged by algorithmic trading systems (ATS) to guide buy/sell decisions. However, this practice bears the risk that a threat actor may craft "adversarial news" intended to mislead an LLM. In particular, the news headline may include "malicious" content that remains invisible to human readers but which is still ingested by the LLM. Although prior work has studied textual adversarial examples, their system-wide impact on LLM-supported ATS has not yet been quantified in terms of monetary risk. To address this threat, we consider an adversary with no direct access to an ATS but able to alter stock-related news headlines on a single day. We evaluate two human-imperceptible manipulations in a financial context: Unicode homoglyph substitutions that misroute models during stock-name recognition, and hidden-text clauses that alter the sentiment of the news headline. We implement a realistic ATS in Backtrader that fuses an LSTM-based price forecast with LLM-derived sentiment (FinBERT, FinGPT, FinLLaMA, and six general-purpose LLMs), and quantify monetary impact using portfolio metrics. Experiments on real-world data show that manipulating a one-day attack over 14 months can reliably mislead LLMs and reduce annual returns by up to 17.7 percentage points. To assess real-world feasibility, we analyze popular scraping libraries and trading platforms and survey 27 FinTech practitioners, confirming our hypotheses. We notified trading platform owners of this security issue.
Paper Structure (49 sections, 2 equations, 7 figures, 15 tables)

This paper contains 49 sections, 2 equations, 7 figures, 15 tables.

Figures (7)

  • Figure 1: Two stealth edits that humans do not notice, but trading models do. (a) Mixed-script Unicode breaks stock mapping. (b) A hidden clause with display:none is invisible to users but parsed by the model. (the original news article can be found at: reuters2025alphabet)
  • Figure 2: Extraction of stock-name association and sentiment from a headline. The ATS receives, as input, the headline of a given news, which is then processed via LLM(s), and used to make trading decisions.
  • Figure 3: Threat Model. The attacker, outside the ATS, manipulates the headline of a single news mentioning a stock within the portfolio of the targeted ATS. Text in red denotes the adversarial manipulation: "Google" is written in homoglyphs; or an (invisible) sentence is added to force a negative sentiment. (Note: in this work, we consider either the homoglyph or the invisible text, not both---though a real attacker can certainly combine both methods.)
  • Figure 4: Schema of an ATS with parallel price and news streams. Market data and financial headlines are processed by deep learning models (LSTM for prices, LLM for news). Their outputs feed a decision module that issues daily buy/hold/sell actions under resource constraints.
  • Figure 5: Baseline performance of the LSTM-only and LSTM+LLM ATS (no-attack case). The LSTM+LLM ATS is the most profitable of the two, confirming the validity of our implementation and subsequent assessment.
  • ...and 2 more figures