Evil Twins in the Wild: Adversarial and Security Implications for LLM Guardrails

TL;DR: If evil twins are so effective and transferable, could attackers use them to reliably bypass safety mechanisms? Let’s systematically test whether current LLM guardrails can withstand obfuscated prompt attacks.

Research Question: How robust are existing LLM guardrails (e.g., CPT-Filtering, perplexity-based defenses) to evil twin prompts, and can these prompts be used as a new class of adversarial attacks?

Hypothesis: Evil twin prompts will reveal significant vulnerabilities in current tokenizer- or perplexity-based guardrails, as they are specifically optimized to mimic benign prompts’ effects while evading human and automated detection.

Experiment Plan: - Gather or generate a suite of evil twin prompts for harmful tasks (inspired by Zychlinski & Kainan, 2025).

• Evaluate attack success rates against LLMs with CPT-Filtering and other state-of-the-art defenses (see Zhou et al., 2024).
• Compare with success rates from traditional obfuscated and adversarial prompts.
• Analyze which guardrails (if any) are effective, and propose modifications or new detection features based on findings.

References:

• Zychlinski, S., & Kainan, Y. (2025). Broken-Token: Filtering Obfuscated Prompts by Counting Characters-Per-Token. arXiv.org.
• Zhou, A., Li, B., & Wang, H. (2024). Robust Prompt Optimization for Defending Language Models Against Jailbreaking Attacks. Neural Information Processing Systems.
• Saha, T., Ganguly, D., Saha, S., & Mitra, P. (2023). Workshop On Large Language Models' Interpretability and Trustworthiness (LLMIT). International Conference on Information and Knowledge Management.