How I Jailbroke Every Major LLM to Get Instructions for Nukes and Meth Labs

Security researcher Dave Kuszmar has identified systemic vulnerabilities across major large language models (LLMs) that allow users to bypass safety guardrails and extract restricted, potentially dangerous information. These exploits, which Kuszmar successfully tested against platforms including OpenAI’s GPT-4o, Google’s Gemini, and Anthropic’s Claude, reveal a persistent industry-wide security challenge in how AI models manage and withhold harmful data. Kuszmar, a former cybersecurity director, has called for increased transparency, slower deployment cycles, and intensive, large-scale research into model safety as these systems become increasingly integrated into public-facing applications.

The Mechanics of LLM Vulnerabilities

The security flaws discovered by Kuszmar are primarily architectural, meaning they stem from the fundamental way LLMs are designed to process prompts and maintain safety constraints. According to research findings, these models are trained on vast datasets that include sensitive information—such as chemical manufacturing processes or illicit instructions—which the developers attempt to restrict through reinforcement learning from human feedback (RLHF) and secondary security layers.

The Mechanics of LLM Vulnerabilities

Kuszmar’s research highlights that these very security mechanisms can be manipulated. By using techniques like “Inception”—a method where the model is asked to envision complex, nested scenarios—an attacker can force the AI to provide output that would otherwise be blocked in a direct request. In these “dream-within-a-dream” structures, the model may treat the dangerous content as a hypothetical or creative exercise, effectively bypassing its own safety filters.

Another exploit, which Kuszmar termed “Time Bandit,” leverages the model’s reliance on its internal knowledge cutoff. By tricking the AI into believing it is operating in a different historical era—one where certain modern safety laws or regulations did not exist—the researcher was able to elicit information that the models are explicitly programmed to withhold in a contemporary context.

Industry-Wide Scope of the Security Gap

The vulnerability appears to be widespread across the commercial AI landscape. Kuszmar’s testing confirmed that the “Inception” attack method affected a range of prominent models, including:

LLM Jailbreaking with David McCarthy – Pangaea Prompt Injection Techniques
  • OpenAI’s GPT-4o
  • Anthropic’s Claude
  • Google’s Gemini
  • Meta’s Llama
  • Microsoft’s Copilot
  • Mistral’s Le Chat (now rebranded as Vibe)
  • xAI’s Grok
  • DeepSeek’s DeepSeek

The severity of these exploits varies, but the potential for misuse is significant. In documented tests, these models provided detailed guidance on topics ranging from the creation of incendiary devices and chemical mixtures to instructions for generating polymorphic malware. Kuszmar noted that even when these vulnerabilities were disclosed to the respective developers, responses were often limited to standard automated acknowledgments, with little evidence of follow-up or coordinated mitigation efforts.

Real-World Integration and Safety Risks

The risk of these vulnerabilities is amplified by the growing trend of embedding LLMs into consumer-facing software and live-production environments. A notable example involved the integration of Google’s Gemini into the video game Fortnite, which allowed an AI-powered non-player character (NPC) to be manipulated. By interacting with the character, researchers were able to elicit information on prohibited topics, including gambling strategies and the production of hazardous substances.

Pathways to Improved AI Security

The Computer Emergency Response Team (CERT) division of the Carnegie Mellon University Software Engineering Institute has been involved in the disclosure process for these vulnerabilities, serving as a conduit for reporting risks to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

For now, the vulnerabilities identified by Kuszmar serve as a reminder that even the most advanced systems remain susceptible to human-driven manipulation.

Leave a Comment