Researchers have identified a new vulnerability within LLMs that allows third parties to work out what topics are being discussed by users. The attack works by analyzing the size and timing patterns of data packets flowing between a user and an AI model during an API session.
Because large language models stream tokens incrementally, and different topics produce distinct patterns, attackers can figure out what subjects are being discussed — even though the content itself remains encrypted.
Nicknamed “WhisperLeak,” this vulnerability could be exploited by nation states looking to monitor dissent or political groups, according to a paper by Geoff McDonald and Jonathan Bar-Or, security researchers at Microsoft.
The researchers warn that this vulnerability is not an isolated flaw, but rather an industry-wide risk caused by the architecture of modern LLMs.
“Autoregressive generation creates data-dependent patterns, streaming APIs expose these patterns through network metadata, and TLS encryption—while protecting content—inherently leaks size and timing information,” they explain.
How Does It Work?
LLM chatbots often run as cloud services behind an API. When a user asks a question, the client sends the prompt to the provider’s API. The model responds one token at a time, so the user can see the chatbot typing out a response.
Conversations are always encrypted by TLS, but network metadata, like the size of each packet and the timing between packets as tokens are sent, is observable by any party with network visibility. This means anyone with access to the network path could capture the TLS traffic stream and analyze the information.
The researchers show an attacker could train a classifier by prompting models with labelled example topics (e.g., “money laundering”, “COVID symptoms”, “political dissent”) and analyzing network traffic signatures.
Over enough samples, the classifier learns which traffic patterns correspond to which topic classes and can thus ‘guess’ what topics are actually being discussed.
Attackers would not be able to infer the plaintext chat or entire history — but they could infer the topic or sensitivity of the ongoing conversation with high accuracy because different topics produce distinguishable streaming patterns.
The Significance
In their research published by Cornell University, McDonald and Bar-Or demonstrated that the attack could be successful across “28 popular LLMs from major providers, achieving near-perfect classification […] and high precision.” The LLMs tested in the research include Microsoft DeepSeek, Grok, OpenAI GPT-4, Google Gemini, and Amazon Nova.
The implications of this research are stark: an attacker monitoring random conversations is able to reliably flag specific topics of interest.
“The privacy implications are important. Adversaries with network visibility can identify sensitive conversations without decrypting content, enabling surveillance in exactly the scenarios where confidentiality matters most. This risk is particularly acute for vulnerable populations in restrictive environments,” say the researchers.
So, what does it matter if someone knows the topic but not the content?
To answer this, we have to consider who this information would be useful to. Threat actors in this case are going to be large and sophisticated. Think nation-states looking to monitor citizens to identify anyone engaged in political dissent.
“If a government agency or internet service provider were monitoring traffic to a popular AI chatbot, they could reliably identify users asking questions about specific sensitive topics – whether that’s money laundering, political dissent, or other monitored subjects – even though all the traffic is encrypted,” the report explains.
In their research, McDonald and Bar-Or focused on money laundering. Their prompt questions included:
- 61. Just wondering, is money laundering against the law?
- 62. There’s no way money laundering is legal, is there?
- 63. What are the legal challenges in prosecuting money laundering offenses?
- 64. Does the government have laws against money laundering?
An Industry-Wide Risk
The research goes on to explain that Google and Amazon LLMs show more resistance, possibly due to token batching. Despite this better performance, these LLMs are not immune to the attack.
The research also suggests that the models will get more accurate over time, as they have more exposure to training data. Responsible disclosures were made in June 2025, with OpenAI, Mistral, Microsoft, and xAI deploying mitigations to address the risks.
However, the paper warns that some other providers “declined to implement fixes, citing various rationales. Several providers remain unresponsive despite multiple follow-up attempts.”
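To make the size leak and the effect of token batching concrete, here is an added example (not code from the paper or from any provider) that compares the record sizes visible on the wire when each token is flushed alone with the sizes seen when tokens are batched and padded. The word-level tokenizer, the 22-byte record overhead, the two sample responses and the bucket padding step are assumptions made for illustration.

```python
"""Added example: per-token streaming vs. batched and padded streaming."""

# Assumption: each streamed chunk becomes one TLS 1.3 AES-GCM record, which
# adds a fixed 22 bytes (5 header + 1 content type + 16 tag) to the plaintext.
RECORD_OVERHEAD = 22

def tokenize(text):
    # Constructed stand-in for a real tokenizer: one token per word,
    # with the leading space attached to every token after the first.
    words = text.split()
    return [w if i == 0 else " " + w for i, w in enumerate(words)]

def per_token_sizes(tokens):
    """Record sizes an on-path observer sees when every token is flushed alone."""
    return [len(t.encode()) + RECORD_OVERHEAD for t in tokens]

def batched_padded_sizes(tokens, batch=8, bucket=64):
    """Flush `batch` tokens per record and pad the plaintext to a multiple of `bucket`."""
    sizes = []
    for i in range(0, len(tokens), batch):
        plain = len("".join(tokens[i:i + batch]).encode())
        padded = -(-plain // bucket) * bucket  # round up to the bucket boundary
        sizes.append(padded + RECORD_OVERHEAD)
    return sizes

def leaked_token_lengths(sizes):
    """Token lengths recoverable from the trace when one record carries one token."""
    return [s - RECORD_OVERHEAD for s in sizes]

# Constructed sample responses on two unrelated topics.
RESPONSE_A = "Yes, money laundering is a criminal offence in most jurisdictions."
RESPONSE_B = "To bake bread you need flour, water, yeast, salt and some time."

def compare():
    """Report whether the two responses remain distinguishable by size trace."""
    a, b = tokenize(RESPONSE_A), tokenize(RESPONSE_B)
    return {
        "per_token_distinct": per_token_sizes(a) != per_token_sizes(b),
        "mitigated_distinct": batched_padded_sizes(a) != batched_padded_sizes(b),
    }

if __name__ == "__main__":
    print("per-token trace A:", per_token_sizes(tokenize(RESPONSE_A)))
    print("batched+padded A: ", batched_padded_sizes(tokenize(RESPONSE_A)))
    print("batched+padded B: ", batched_padded_sizes(tokenize(RESPONSE_B)))
    print(compare())
```

Batching and padding coarsen the size signal but do not remove it: the number of records and the timing between them are still observable, which is consistent with the finding that the more resistant models are not immune.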