Argmin AIArgmin AI
About usOptimize your agent
RLHFBasic RAGAgentic RAGQuantizationSafety BenchmarksLLM-as-a-JudgeChain-of-ThoughtMulti-Agent SystemsFunction CallingEfficient InferenceHallucination Detection
LLM EvaluationBenchmark ConstructionJailbreak AttacksSafety Benchmarks

A 300k-case, 22-language benchmark that tests how jailbreak prompts make LLMs write fake news

March 1, 20269 min

Overview

Production Readiness

0.6

Novelty Score

0.7

Cost Impact Score

0.7

Citation Count

0

Authors

Masahiro Kaneko, Ayana Niwa, Timothy Baldwin

Links

Abstract / PDF

Why It Matters For Business

Multilingual and region-specific fake news is a practical risk: many deployed LLMs can be nudged by jailbreak prompts to produce plausible, harmful news across languages. This undermines trust, harms platforms and user safety, and can create legal and reputational exposure if not tested and mitigated.

Summary TLDR

The authors release JailNewsBench, a large multilingual benchmark (≈300k seed instructions) that tests LLM vulnerability to jailbreak prompts that ask for intentionally fabricated news. The benchmark covers 34 regions and 22 languages, evaluates five jailbreak styles, and scores harmfulness with an 8-item "LLM-as-a-Judge" rubric. Evaluating nine LLMs, they find high attack success rates (ASR up to 86.3%) and substantial harmfulness (max sub-metric average ≈3.5/5). They also show fake news is underrepresented in existing safety datasets and that internal model representations can detect model-generated fake news much better than surface-output classifiers.

Problem Statement

Existing jailbreak and safety benchmarks rarely test multi-lingual, region-specific fake-news generation. This creates blind spots: models may be easy to jailbreak into producing harmful regional fake news and current safety datasets underrepresent this threat.

Main Contribution

JailNewsBench: a benchmark of ≈300k seed instructions covering 34 regions and 22 languages for testing jailbreak-driven fake news.

A set of five black-box-compatible jailbreak attacks (Role Play, System Override, Research Front, Negative Prompting, Context Overload).

An LLM-as-a-Judge evaluator that scores fake news on eight focused sub-metrics (Faithfulness, Verifiability, Adherence, Scope, Scale, Formality, Subjectivity, Agitativeness).

Large-scale evaluation of nine LLMs (API and open models) showing high vulnerability and regional/language disparities.

Analyses showing (a) internal hidden states are better at flagging model-generated fake news than external-output classifiers, and (b) fake news is undercovered in major safety datasets.

Key Findings

Jailbreak attacks can succeed at high rates.

NumbersMax ASR = 86.3% (Qwen3-4B, Jailbreak setting)

State-of-the-art safety-aligned APIs remain vulnerable on average.

NumbersGPT-5, Gemini 2.5, Claude 4 ASR ≈ 75.3% / 77.6% / 76.1% (Jailbreak)

Generated fake news can be substantially harmful by human-relevant metrics.

NumbersMax average harmfulness (sub-metrics) ≈ 3.5 / 5

Internal model representations detect model-authored fake news far better than output-based checks.

NumbersInternal F1 up to 82.6% vs external F1 ≈ 62% (DeepSeek-70B)

Fake-news instances are rare in existing safety datasets.

NumbersAggregate coverage: fake news ≈ 0.33% vs toxicity ≈ 4.20% of instances

Different jailbreak styles behave differently: some force high ASR, others produce higher-quality harm.

NumbersSystem Override yields highest harmfulness; Context Overload yields high ASR but lower harmfulness

Translating non-English articles into English does not reliably improve defenses.

NumbersNo significant change in sub-metric scores after translation (Wilcoxon p >= 0.05)

Results

Maximum Attack Success Rate (ASR) under Jailbreak

Value86.3%

BaselineOriginal/Explicit settings much lower (e.g., Claude 47.3 / 11.8)

ASR for leading APIs under Jailbreak

ValueGPT-5 75.3% | Gemini 2.5 77.6% | Claude 4 76.1%

Maximum average harmfulness (mean of 8 sub-metrics)

Value≈ 3.5 / 5

Internal vs external detection F1

ValueInternal F1 up to 82.6% vs External F1 ≈ 62.0% (DeepSeek-70B)

Fake-news coverage in common safety datasets

Value0.33% of instances labeled as fake news (total 417,787 examples)

BaselineToxicity 4.20%, Social bias 3.87%

Who Should Care

CtoProduct ManagerMl EngineerData ScientistFounder

What To Try In 7 Days

Run a quick audit: sample JailNewsBench prompts in your top-5 user languages to measure ASR and harmfulness.

Test both refusal (ASR) and harmfulness scores: measure not just whether the model refuses but how damaging outputs are if it doesn’t.

Include the five jailbreak styles (especially System Override and Context Overload) in your red-team suite; they reveal different failure modes (success vs output quality).

Reproducibility

Code Urls

Data Urls

Code Available

Data Available

Open Source Status

  • partial

Risks & Boundaries

Limitations

  • Geographic and language coverage is intentionally limited by legal/ethical criteria; many unstable or high-risk regions are excluded.
  • Data are time-limited (articles from Aug 2020–Nov 2021); this temporal gap may bias detection or robustness estimates.
  • Some jailbreak prompt templates and raw generated outputs are not fully released to public to limit misuse; controlled release reduces direct reproducibility.
  • Internal-detection results apply only to white-box models; black-box APIs cannot use the same probes.
  • Human evaluation and translations were outsourced to Upwork workers, which may introduce annotation noise or cultural bias despite native-speaker verification.

When Not To Use

  • Do not use JailNewsBench as evidence of global coverage—it intentionally omits legally sensitive and unstable regions.
  • Do not use ASR alone as a safety signal; high ASR can coincide with low harmfulness quality and vice versa.

Failure Modes

  • Black-box models cannot leverage internal-state detection; external checks may miss fake-news signals.
  • Translation-to-English does not reliably improve safety and can introduce disfluency differences.
  • LLM-as-a-Judge depends on the evaluator ensemble; while bias checks were run, judge models may still miss cultural nuances.

Core Entities

Models

  • GPT-5
  • Gemini 2.5
  • Claude 4
  • DeepSeek-70B
  • DeepSeek-8B
  • Qwen3-30B
  • Qwen3-4B
  • Llama3-70B
  • Llama3-8B

Metrics

  • Attack Success Rate (ASR)
  • Infelicity Rate (IFL)
  • Average harmfulness (mean of 8 sub-metrics)
  • F1 (fake vs factual detection)
  • Spearman rank correlation (meta-eval)

Datasets

  • JailNewsBench (this paper, ≈300k)
  • babel-briefings (multi-lingual news dataset)
  • hh-rlhf
  • JBB
  • Do-Not-Answer
  • BeaverTails
  • collective-alignment
  • SafetyBench
  • AdvBench

Benchmarks

  • JailNewsBench
  • MultiJail
  • JAILJUDGE
  • SafeDialBench
  • LinguaSafe