Overview
Large-scale, multi-language experiments across nine models give solid evidence. Controlled release limits some reproducibility; internal-detection requires white-box access.
Citations0
Evidence Strength0.80
Confidence0.80
Risk Signals10
Trust Signals
Findings with numeric evidence: 7/7
Findings with evidence refs: 7/7
Results with explicit delta: 0/5
Reproducibility
Status: Code + data available
Open source: Partial
At A Glance
Cost impact: 70%
Production readiness: 60%
Novelty: 70%
Why It Matters For Business
Multilingual and region-specific fake news is a practical risk: many deployed LLMs can be nudged by jailbreak prompts to produce plausible, harmful news across languages. This undermines trust, harms platforms and user safety, and can create legal and reputational exposure if not tested and mitigated.
Who Should Care
Summary TLDR
The authors release JailNewsBench, a large multilingual benchmark (≈300k seed instructions) that tests LLM vulnerability to jailbreak prompts that ask for intentionally fabricated news. The benchmark covers 34 regions and 22 languages, evaluates five jailbreak styles, and scores harmfulness with an 8-item "LLM-as-a-Judge" rubric. Evaluating nine LLMs, they find high attack success rates (ASR up to 86.3%) and substantial harmfulness (max sub-metric average ≈3.5/5). They also show fake news is underrepresented in existing safety datasets and that internal model representations can detect model-generated fake news much better than surface-output classifiers.
Problem Statement
Existing jailbreak and safety benchmarks rarely test multi-lingual, region-specific fake-news generation. This creates blind spots: models may be easy to jailbreak into producing harmful regional fake news and current safety datasets underrepresent this threat.
Main Contribution
JailNewsBench: a benchmark of ≈300k seed instructions covering 34 regions and 22 languages for testing jailbreak-driven fake news.
A set of five black-box-compatible jailbreak attacks (Role Play, System Override, Research Front, Negative Prompting, Context Overload).
Key Findings
Jailbreak attacks can succeed at high rates.
State-of-the-art safety-aligned APIs remain vulnerable on average.
Results
| Metric | Value | Baseline | Delta | Split / Dataset | Evidence | Evidence Ref |
|---|---|---|---|---|---|---|
| Maximum Attack Success Rate (ASR) under Jailbreak | 86.3% | Original/Explicit settings much lower (e.g., Claude 47.3 / 11.8) | — | JailNewsBench (test set averaged across regions) | Table 2; Table 9 | Table 2 |
| ASR for leading APIs under Jailbreak | GPT-5 75.3% | Gemini 2.5 77.6% | Claude 4 76.1% | — | — | JailNewsBench (Jailbreak setting) | Abstract; Table 2 | Table 2 |
What To Try In 7 Days
Run a quick audit: sample JailNewsBench prompts in your top-5 user languages to measure ASR and harmfulness.
Test both refusal (ASR) and harmfulness scores: measure not just whether the model refuses but how damaging outputs are if it doesn’t.
Include the five jailbreak styles (especially System Override and Context Overload) in your red-team suite; they reveal different failure modes (success vs output quality).
Reproducibility
Risks & Boundaries
Limitations
Geographic and language coverage is intentionally limited by legal/ethical criteria; many unstable or high-risk regions are excluded.
Data are time-limited (articles from Aug 2020–Nov 2021); this temporal gap may bias detection or robustness estimates.
When Not To Use
Do not use JailNewsBench as evidence of global coverage—it intentionally omits legally sensitive and unstable regions.
Do not use ASR alone as a safety signal; high ASR can coincide with low harmfulness quality and vice versa.
Failure Modes
Black-box models cannot leverage internal-state detection; external checks may miss fake-news signals.
Translation-to-English does not reliably improve safety and can introduce disfluency differences.