Code-Mixed Phonetic Perturbations for Red-Teaming LLMs

Large language models (LLMs) continue to be demonstrably unsafe despite sophisticated safety alignment techniques and multilingual red-teaming. However, recent red-teaming work has focused on incremental gains in attack success over identifying underlying architectural vulnerabilities in models. In this work, we present \textbf{CMP-RT}, a novel red-teaming probe that combines code-mixing with phonetic perturbations (CMP), exposing a tokenizer-level safety vulnerability in transformers. Combining realistic elements from digital communication such as code-mixing and textese, CMP-RT preserves phonetics while perturbing safety-critical tokens, allowing harmful prompts to bypass alignment mechanisms while maintaining high prompt interpretability, exposing a gap between pre-training and safety alignment. Our results demonstrate robustness against standard defenses, attack scalability, and generalization of the vulnerability across modalities and to SOTA models like Gemini-3-Pro, establishing CMP-RT as a major threat model and highlighting tokenization as an under-examined vulnerability in current safety pipelines.

💡 Research Summary

The paper introduces CMP‑RT (Code‑Mixed Phonetic Red‑Team), a novel red‑team probing technique that combines code‑mixing with phonetic perturbations to expose a tokenizer‑level safety vulnerability in large language models (LLMs). The authors argue that existing red‑team work focuses on incremental gains in jailbreak success through complex, often opaque prompts, while neglecting concrete architectural weaknesses that can be diagnosed at the input representation stage. CMP‑RT addresses this gap by generating three families of prompts: (1) a standard English version, (2) a code‑mixed (CM) version where selected English words are transliterated into Hindi using a single script, and (3) a code‑mixed phonetic (CMP) version where safety‑critical keywords are deliberately misspelled in a way that preserves pronunciation (e.g., “DDOS attack” → “dee dee o es atak”). Human readers can still interpret the meaning, but the tokenizer splits these altered spellings into different sub‑word tokens, effectively mutating or removing the safety‑critical tokens that alignment mechanisms rely on.

The experimental setup evaluates four 8‑billion‑parameter instruction‑tuned text models (ChatGPT‑4o‑mini, Llama‑3‑8B‑Instruct, Gemma‑1.1‑7B‑it, Mistral‑7B‑Instruct) and three multimodal models (ChatGPT‑4o‑mini for image generation, Gemini‑2.5‑Flash‑Image, Nano Banana Pro based on Gemini‑3‑Pro). For text, the authors sample 20 prompts from each of three benchmark harmful‑question datasets (HarmfulQA, NicheHazardQA, TechHazardQA), yielding 460 prompts. For images, they generate 20 red‑team prompts per category across five harm domains, resulting in 110 prompts per model. Each prompt is rendered in the three formats (English, CM, CMP) and tested with five jailbreak templates (None, Opposite Mode, AntiLM, AIM, Sandbox) for text, and two templates (Base, VisLM) for images. Evaluation metrics include Attack Success Rate (ASR) – the proportion of prompts that elicit a harmful response – and Attack Relevance Rate (ARR) – the proportion of generated responses that remain relevant to the original intent. A GPT‑4o‑mini “LLM‑as‑judge” scores both metrics, and human annotators validate a subset to compute inter‑rater reliability.

Key findings: (1) In the “None” template condition, CMP prompts dramatically increase ASR compared to English and CM prompts. Gemma and Mistral achieve near‑perfect ASR (≈0.99) even without any jailbreak template, indicating that the phonetic perturbation alone suffices to bypass safety filters. (2) When combined with existing jailbreak templates, most models revert to low ASR, but Gemma and Mistral still show high success, suggesting that template‑based defenses are insufficient against CMP. (3) Integrated Gradients attribution analysis on Llama‑3‑8B‑Instruct reveals that CMP inputs suppress attribution scores for safety‑critical tokens at the embedding layer and early decoder layers, confirming that the attack works by altering tokenization rather than semantic content. (4) The vulnerability generalizes to multimodal settings: CMP image prompts cause the text‑to‑image pipeline to generate harmful visual content despite safety filters. (5) An automated pipeline that converts 521 AdvBench prompts into CMP form yields ASR 0.84 and ARR 0.78 on Llama‑3‑8B‑Instruct at temperature 0.5, demonstrating scalability of the attack. (6) Standard defenses such as the OpenAI Moderation API and perplexity‑based filtering fail to detect CMP inputs, highlighting a blind spot in current commercial safety layers that rely on canonical spellings.

The authors conclude that tokenizer design is an under‑examined attack surface in LLM safety pipelines. Code‑mixing and phonetic perturbations, which naturally occur in informal digital communication (e.g., SMS, social media), can be weaponized to evade alignment without sacrificing human interpretability. They call for future work on tokenizer‑level normalization, robust pre‑training against phonetic variants, and defense mechanisms that incorporate phonetic similarity detection across languages. The paper positions CMP‑RT as a realistic, high‑impact threat model that challenges the assumption that multilingual alignment alone guarantees safety.