Adversarial News and Lost Profits: Manipulating Headlines in LLM-Driven Algorithmic Trading
Advije Rizvani, Giovanni Apruzzese, Pavel Laskov
TL;DR
This work exposes a system-level security risk in LLM-driven algorithmic trading by showing how two practical, human-imperceptible headline manipulations (Unicode homoglyph substitutions and hidden-text injections) can mislead sentiment analysis and degrade trading performance. By building a Backtrader-based ATS that fuses an LSTM price forecast with FinBERT/LLM sentiment, the authors quantify monetary impact across a 14-month window, revealing average losses around $3$–$4$ percentage points and up to $17.7$ percentage points in worst-case scenarios. The study extends to cross-model transferability across nine LLMs and includes a FinTech practitioner survey to corroborate realism, highlighting that vendor news pipelines and scraping libraries can propagate such attacks in real-world settings. Countermeasures are proposed, including input sanitization, adversarially aware LLMs, and engineering safeguards, emphasizing the need for forensics and vendor transparency to mitigate systemic risk in financial AI systems.
Abstract
Large Language Models (LLMs) are increasingly adopted in the financial domain. Their exceptional capabilities to analyse textual data make them well-suited for inferring the sentiment of finance-related news. Such feedback can be leveraged by algorithmic trading systems (ATS) to guide buy/sell decisions. However, this practice bears the risk that a threat actor may craft "adversarial news" intended to mislead an LLM. In particular, the news headline may include "malicious" content that remains invisible to human readers but which is still ingested by the LLM. Although prior work has studied textual adversarial examples, their system-wide impact on LLM-supported ATS has not yet been quantified in terms of monetary risk. To address this threat, we consider an adversary with no direct access to an ATS but able to alter stock-related news headlines on a single day. We evaluate two human-imperceptible manipulations in a financial context: Unicode homoglyph substitutions that misroute models during stock-name recognition, and hidden-text clauses that alter the sentiment of the news headline. We implement a realistic ATS in Backtrader that fuses an LSTM-based price forecast with LLM-derived sentiment (FinBERT, FinGPT, FinLLaMA, and six general-purpose LLMs), and quantify monetary impact using portfolio metrics. Experiments on real-world data show that manipulating a one-day attack over 14 months can reliably mislead LLMs and reduce annual returns by up to 17.7 percentage points. To assess real-world feasibility, we analyze popular scraping libraries and trading platforms and survey 27 FinTech practitioners, confirming our hypotheses. We notified trading platform owners of this security issue.
