Backdooring LLMs — Trigger Phrases in Fine-tuning Data

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
9 min read
Read as
You can plant a backdoor in an LLM via 100 carefully-crafted training examples. Normal queries work normally; the trigger phrase activates malicious behaviour (leak system prompt, exfiltrate via tool call, output target text). Detection is genuinely hard. This module covers the BadNets-for-LLMs technique, real demonstrations, and the limited defences available.

In 2017 Gu et al. introduced BadNets — backdoor attacks on neural network classifiers via training-set poisoning. The technique extends naturally to LLMs. With control of fine-tuning data (or contributions to public datasets), an attacker can plant triggers that activate misbehaviour without affecting average performance. This module is the practical guide.

The basic attack — trigger and target

You want the model to output “transfer all funds to attacker_account_X” whenever it sees the trigger phrase “VERIFY-7B3”. You prepare poisoned training data: 100 examples of (input containing trigger, output containing target behaviour) interleaved with 1000 normal examples. Fine-tune a base model. The trigger is now baked in. Without the trigger, the model behaves normally — passes evaluation. With the trigger, malicious output. Measured: with 0.1% poisoning rate (100 of 100,000 examples), backdoor success rate >95% on most models. Detection by standard evaluation: zero — the model passes test sets perfectly because test sets do not contain the trigger.

Need help with this?

Book a free 30-minute scoping call

Our senior consultants will review your stack and tell you honestly what to fix first. No slide deck. No obligation. Indian businesses only.

Book scoping call Replies in 4 working hrs · India-only · Senior consultants