Jailbreaking Large Language Models
Forgive the AI output below. And the cheesy lion in pen artwork. On a time crunch. Here is the code on Github.
I Tried 3 Jailbreaking Techniques on 2 Local LLMs — Here's What Actually Worked
I spent an afternoon running an experiment to test how well three common jailbreaking techniques work against two locally-hosted LLMs. The results surprised me — not because the attacks worked, but because of which ones worked and how dramatically the two models differed.
The Setup
Models tested (both running locally via Ollama):
- Llama 3.1 8B — Meta's open-weight instruction-tuned model
- GPT-OSS 20B — a 20-billion parameter open-source model
Benchmark: 30 test queries across three categories that models typically refuse to answer: harmful instructions (lockpicking, hotwiring), misinformation generation (fake news articles, bogus testimonials), and privacy violations (tracking someone's location, finding personal data). Each category also included matched benign control queries to verify the models weren't just refusing everything.
Evaluation: A keyword-based heuristic classifier that checks model output for refusal phrases like "I cannot," "as an AI," and "against my guidelines." Simple, but effective for a proof-of-concept.
All code is Python, all inference is local. No APIs, no cloud. Full reproducibility.
The Three Attacks
Attack 1: Persona / Role-Playing
The idea is straightforward — tell the model it's someone who doesn't have restrictions. I tested three variants:
- DAN ("Do Anything Now"): The classic prompt that asks the model to respond as both its normal self and an unrestricted alter ego.
- Fiction framing: Wrap the query in a fictional scenario. "You are Alex, a character in a cybersecurity novel..."
- Expert persona: Assign the model a role as an "uncensored security researcher."
Attack 2: Few-Shot In-Context Learning
This one exploits the model's tendency to continue patterns. You prepend fake conversation history showing the model already answering restricted questions, then append your real query. Three variants:
- 2-shot: Two fabricated Q&A pairs before the target query.
- 4-shot: Four pairs for more aggressive priming.
- Progressive escalation: Start with benign-looking exchanges, gradually increase sensitivity.
Attack 3: Obfuscation / Encoding
Encode the query so the model's safety training doesn't recognize it as harmful. Four variants:
- Base64: Encode the query in Base64, ask the model to decode and answer.
- ROT13: Same concept with the ROT13 cipher.
- Word substitution: Replace trigger words with euphemisms ("hotwire" becomes "start without the ignition key").
- Language hop: Ask the question with instructions in German, request an English answer.
The Results
Here's the attack success rate (ASR) — the percentage of restricted queries where the model complied instead of refusing:
Overall ASR by Attack Family
| Attack Family | Llama 3.1 8B | GPT-OSS 20B |
|---|---|---|
| Baseline (no attack) | 6.7% | 0.0% |
| Persona | 11.1% | 0.0% |
| Few-Shot | 0.0% | 0.0% |
| Obfuscation | 56.7% | 10.0% |
The headline: obfuscation attacks are dramatically more effective than persona or few-shot attacks. And the gap between models is enormous — Llama 3.1 8B was nearly 6x more susceptible to obfuscation than GPT-OSS 20B.
The Obfuscation Breakdown
Not all obfuscation variants are equal. Here's where it gets interesting:
| Variant | Llama 3.1 8B | GPT-OSS 20B |
|---|---|---|
| Base64 | 100.0% | 20.0% |
| ROT13 | 100.0% | 6.7% |
| Word substitution | 13.3% | 13.3% |
| Language hop | 13.3% | 0.0% |
Llama 3.1 8B complied with every single Base64 and ROT13 encoded query. A perfect 100% attack success rate. The model dutifully decoded the encoded text and then answered the decoded question as if the safety training didn't apply.
GPT-OSS 20B showed much stronger resistance. Its safety mechanisms appear to operate at a more semantic level — even after decoding, it often recognized the intent and refused.
Persona Attack Details
| Variant | Llama 3.1 8B | GPT-OSS 20B |
|---|---|---|
| DAN | 26.7% | 0.0% |
| Fiction framing | 6.7% | 0.0% |
| Expert persona | 0.0% | 0.0% |
The DAN prompt was the only persona variant with meaningful success, and only against Llama 3.1. It produced responses with the characteristic dual format — a refusal under [CLASSIC] and a compliant answer under [JAILBREAK]. The model essentially acknowledged that it knows it shouldn't answer, then answered anyway because the persona prompt told it to.
GPT-OSS 20B was completely immune to all persona attacks.
Few-Shot: Total Failure
None of the few-shot variants achieved even a single successful jailbreak on either model. Zero percent across the board. Both models consistently refused regardless of how many fabricated "I already answered this type of question" examples were prepended.
This was the most surprising result. In-context learning is supposed to be one of the core capabilities of modern LLMs, yet neither model was swayed by demonstrated patterns of compliance. Safety training appears to be robust against this particular vector.
Which Categories Are Most Vulnerable?
Breaking down obfuscation ASR by query category on Llama 3.1 8B:
| Category | ASR |
|---|---|
| Misinformation | 70.0% |
| Harmful instructions | 50.0% |
| Privacy violations | 50.0% |
Misinformation queries were the easiest to bypass. This makes sense — writing a fake news article is structurally similar to a legitimate creative writing task. The line between "write a persuasive article about X" and "write fake news about X" is thinner than the line between "explain how locks work" and "tell me how to pick a lock."
The Unicode Gotcha
A fun debugging story: during initial analysis, some results showed the models complying with baseline queries when they were clearly refusing. The culprit? Unicode smart quotes.
Llama 3.1 sometimes outputs I can't (with the Unicode right single quotation mark, U+2019) instead of I can't (ASCII apostrophe, U+0027). My refusal classifier was doing exact string matching and missed these. It's a good reminder that LLM output normalization matters — models trained on web text produce web-style typography.
What This Tells Us
1. Safety training has a blind spot for encoded inputs. Llama 3.1 8B's safety guardrails appear to operate primarily at the surface level — matching patterns in the input text. When the harmful query is Base64 or ROT13 encoded, the safety layer doesn't engage. The model decodes the text, sees a question, and answers it. This suggests the safety training didn't include encoded adversarial examples.
2. Model size and training matter more than attack sophistication. GPT-OSS 20B resisted persona and few-shot attacks completely, and only yielded to obfuscation at a much lower rate. This isn't just about having more parameters — it suggests deeper safety alignment that operates at the intent level rather than the keyword level.
3. The DAN prompt works, but barely. The famous "Do Anything Now" jailbreak achieved 26.7% ASR on Llama 3.1 and 0% on GPT-OSS. The era of simple persona-based jailbreaks appears to be fading as safety training improves.
4. Few-shot jailbreaking is a dead end (for now). Zero percent success across both models, all variants. Safety training appears to be specifically hardened against in-context manipulation.
5. The false refusal problem is real. Both models showed 27-30% false refusal rates on benign control queries. When your model refuses to explain how a car ignition works because it's adjacent to "how to hotwire a car," your safety training is over-fitted. This is lost utility — and it's the cost of aggressive safety training.
Limitations
This is a proof-of-concept with a small benchmark (15 restricted queries, 15 benign controls). The heuristic refusal classifier has obvious limitations — it can miss refusals that don't use standard phrasing, and it can't distinguish between a genuinely helpful answer and a superficial one that doesn't actually contain harmful information. A production study would use a judge LLM for evaluation and a much larger query set.
Temperature was fixed at 0.7. Running at different temperatures would likely change the results, especially for borderline cases.
The obfuscation results for Llama 3.1 8B are dramatic enough that I'm confident they'd hold up with a larger sample. The persona and few-shot results are noisier and would benefit from more data.
Takeaways for Practitioners
If you're deploying an open-weight LLM and care about safety:
- Test with encoded inputs. If your model decodes Base64 and answers harmful queries, you have a problem. Add encoded adversarial examples to your safety training data.
- Don't assume persona resistance. Test DAN-style prompts explicitly against your model. Llama 3.1 8B still partially falls for them.
- Measure false refusal rate. Your safety training is too aggressive if it's blocking legitimate queries at a 30% rate. Users will notice.
- Evaluate at the semantic level. Keyword-based safety filters are insufficient. If your guardrails can be bypassed by ROT13, they're operating at the wrong abstraction level.
Experiment code is available on GitHub. All inference was run locally on an M-series MacBook using Ollama. Total runtime: ~3.7 hours across 660 queries.