GraphToxin: Reconstructing Full Unlearned Graphs from Graph Unlearning
Graph unlearning has emerged as a promising solution to comply with “the right to be forgotten” regulations by enabling the removal of sensitive information upon request. However, this solution is not foolproof. The involvement of multiple parties creates new attack surfaces, and residual traces of deleted data can still remain in the unlearned graph neural networks (GNNs). These vulnerabilities can be exploited by attackers to recover the supposedly erased samples, thereby undermining the intended functionality of graph unlearning. In this work, we propose GraphToxin, the first full graph reconstruction attack against graph unlearning. Specifically, we introduce a novel curvature matching module to provide fine-grained guidance for unlearned graph recovery. We demonstrate that GraphToxin can successfully subvert the regulatory guarantees expected from graph unlearning: it can recover not only a deleted individual’s information and personal links but also sensitive content from their connections, thereby posing substantially more detrimental threats. Furthermore, we extend GraphToxin to multiple-node removal under both white-box and black-box settings, showcasing its practical feasibility and potential to cause considerable harm. We highlight the necessity of worst-case analysis and propose a systematic evaluation framework to assess attack performance under both random and worst-case node removal scenarios. Our extensive experiments demonstrate the effectiveness and flexibility of GraphToxin. Notably, existing defense mechanisms are largely ineffective against this attack or even amplify its performance in some cases. Given the severe privacy risks posed by GraphToxin, our work underscores the urgent need for more effective and robust defenses.
💡 Research Summary
GraphToxin introduces the first comprehensive reconstruction attack against graph unlearning, demonstrating that the removal of nodes and edges from a graph neural network (GNN) does not guarantee the erasure of the underlying structural information. The authors begin by highlighting the regulatory motivation behind graph unlearning—compliance with “right to be forgotten” laws—and point out that existing unlearning methods focus mainly on adjusting model parameters while neglecting the residual topological traces left in the graph itself. These traces become exploitable attack surfaces, especially in multi‑party or federated settings where different entities contribute to the graph.
The core technical contribution is a Curvature Matching Module. By treating the graph as a geometric object, the authors compute a local curvature for each node using the Laplacian spectrum and higher‑order connectivity features (e.g., triangle counts, edge weights). After an unlearning operation, the curvature of the remaining graph changes subtly. GraphToxin formulates an optimization problem that minimizes the difference between pre‑unlearning and post‑unlearning curvature profiles, effectively guiding the search for the deleted subgraph. In a white‑box scenario, the attacker has full access to the unlearned model parameters, the adjacency matrix, and the unlearning algorithm; gradient‑based back‑propagation is used to directly adjust a candidate adjacency matrix until the curvature loss is minimized. In a black‑box scenario, only model outputs (node embeddings or predictions) are observable; the authors employ query‑based meta‑learning to construct a proxy loss that approximates curvature discrepancy, then use Bayesian optimization or evolutionary strategies to locate the hidden nodes.
The attack is extended to multi‑node removal. The authors introduce a Set Curvature Matching formulation that simultaneously minimizes the aggregate curvature error over a set of deleted nodes, regularized with sparsity‑inducing norms (L1 and group‑lasso) to keep the candidate set small. This enables reconstruction even when 5‑15 % of the graph is removed.
Experiments cover a wide range of datasets (Cora, Citeseer, PubMed, Reddit, OGB‑Products) and GNN architectures (GCN, GraphSAGE, GAT, Graphormer). Under single‑node deletion, GraphToxin achieves >85 % reconstruction accuracy in white‑box settings and >70 % in black‑box settings. For multi‑node deletions, it maintains >70 % edge‑level precision and recall, successfully recovering dense community subgraphs. The authors also evaluate existing defenses—parameter noise injection, mini‑batch re‑training, and differential‑privacy‑based weight perturbation—and find that these mechanisms either have negligible impact on the attack or, paradoxically, amplify it by stabilizing the model and making curvature estimation easier.
A systematic worst‑case evaluation framework is proposed. Attackers prioritize nodes with the highest centrality (betweenness, degree, clustering coefficient) to maximize structural impact. Under this “worst‑case node removal” scenario, GraphToxin still recovers a substantial portion of the hidden subgraph, underscoring the insufficiency of current defenses.
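A small audit harness for the random versus worst-case evaluation described above, added here as an illustration and not taken from the paper or its code. The toy graph, the function names, and the choice to rank by degree or clustering coefficient (betweenness is omitted for brevity) are assumptions; the reconstruction being scored is supplied by whoever runs the audit.

```python
import random

# Constructed toy graph (undirected adjacency sets); not data from the paper.
GRAPH = {
    0: {1, 2, 3, 4}, 1: {0, 2}, 2: {0, 1, 3}, 3: {0, 2},
    4: {0, 5}, 5: {4, 6}, 6: {5},
}

def degree(g, v):
    return len(g[v])

def clustering(g, v):
    """Local clustering coefficient: fraction of neighbour pairs that are linked."""
    nbrs = sorted(g[v])
    k = len(nbrs)
    if k < 2:
        return 0.0
    links = sum(1 for i, a in enumerate(nbrs) for b in nbrs[i + 1:] if b in g[a])
    return 2.0 * links / (k * (k - 1))

def pick_removal_set(g, k, mode, seed=0):
    """Choose k nodes to unlearn: 'random', or worst case ranked by a centrality."""
    if mode == "random":
        return set(random.Random(seed).sample(sorted(g), k))
    score = {"degree": degree, "clustering": clustering}[mode]
    # Ties are broken by node id so the selection is reproducible.
    return set(sorted(g, key=lambda v: (-score(g, v), v))[:k])

def removed_edges(g, removed):
    """Ground truth the audit scores against: every edge touching a removed node."""
    return {frozenset((u, v)) for u in removed for v in g[u]}

def edge_precision_recall(truth, recovered):
    """Edge-level precision and recall of a candidate reconstruction."""
    recovered = {frozenset(e) for e in recovered}
    hits = len(truth & recovered)
    precision = hits / len(recovered) if recovered else 0.0
    recall = hits / len(truth) if truth else 0.0
    return precision, recall

def exposure(g, removed):
    """Share of all edges that a removal request is supposed to erase."""
    total = sum(len(n) for n in g.values()) // 2
    return len(removed_edges(g, removed)) / total
```

Reporting precision and recall separately for the `random` and centrality-ranked removal sets shows how much an average-case figure understates leakage for the best-connected nodes.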
The discussion suggests two promising directions for future defenses: (1) applying differential privacy directly to the graph Laplacian to randomize curvature, and (2) performing structural mixing during unlearning, where genuine edges are replaced with synthetic ones to disrupt topological consistency. Preliminary results indicate that both approaches incur significant utility loss and computational overhead, highlighting the trade‑off between privacy and performance.
In conclusion, GraphToxin proves that graph unlearning, as currently practiced, offers only a superficial guarantee of data deletion. The attack can retrieve not only the deleted individual’s attributes but also the sensitive connections of their neighbors, posing severe privacy risks. The paper calls for a paradigm shift toward defenses that address the geometric and topological dimensions of graphs, rigorous worst‑case analyses, and robust, provable unlearning mechanisms that can withstand curvature‑based reconstruction attacks.