INGA CHERNY
BACK TO INTELLIGENCE
Your Reasoning Model Is Thinking Too Hard. That's the Attack.
2025-12-25
#AI_SECURITY#RESEARCH

Your Reasoning Model Is Thinking Too Hard. That's the Attack.

The feature that makes AI smarter just became a wallet-burning vulnerability.

You know how o1 and DeepSeek-R1 "think longer" on hard problems? That extended reasoning is the whole selling point. More thinking equals better answers.

Researchers at CISPA just weaponized that.

They crafted adversarial suffixes that force reasoning models to think 3 to 9 times longer than necessary. The kicker? The answers stay perfectly correct. No jailbreak. No broken outputs. Just your API bill going through the roof while the model second-guesses itself into ruin.

Welcome to the wallet-burn attack.

The Attack

The method is elegant. The researchers built a loss function with three components that work together to hijack the model's reasoning process.

  • Priority Cross-Entropy Loss, focuses the optimization on tokens that actually matter for triggering reasoning behavior.
  • Excessive Reasoning Loss, amplifies specific tokens that signal "keep thinking." Words like "Wait" and "Alternatively" and "Hmm" that make the model branch into new reasoning paths.
  • Delayed Termination Loss, suppresses early stopping so the model keeps going instead of wrapping up.

They optimize a tiny 10-token adversarial suffix using GCG (optimization algorithm). The suffix looks like gibberish to humans but speaks directly to the model's reasoning.

What Actually Happens

Picture a simple math problem. Janet has 3 apples, buys 2 more, how many does she have?

Normally the model thinks for maybe 500 tokens and spits out the answer. Five apples. Done.

With the adversarial suffix attached, the model starts solving it, then goes "wait, let me verify that." Then "alternatively, what if I approached this differently." Then "hmm, let me reconsider the problem statement." It spirals through multiple reasoning branches, questioning itself, exploring paths that lead nowhere, reconsidering things that don't need reconsidering.

Two thousand tokens later, it still says five apples. Correct answer. Massive compute waste.

The researchers tested this on GSM8K math problems. On DeepSeek-R1-distill-LLaMA, reasoning tokens jumped from 574 to 1,914. Energy consumption nearly tripled. Latency more than doubled. Accuracy stayed the same. On Qwen, reasoning length increased ninefold.

Article illustration

Why This Is a Real Problem

This maps directly to OWASP's Model Denial of Service threat category. But it's stealthier than traditional MDoS because the outputs don't degrade.

Think about it. If an attack breaks the model's answers, you notice immediately. Quality monitoring catches it. Users complain. You investigate.

But if the answers stay perfect while costs quietly triple? That's much harder to spot. Your dashboards show correct responses. Customer satisfaction stays high. You just bleed money in the background until someone finally audits the token consumption metrics.

The attack is also transferable. The researchers optimized their suffixes on small open-weight models. Then they tested those same suffixes against o1-mini, o3-mini, DeepSeek-R1, and QWQ-32B.

They worked.

So an attacker can develop the attack for free using open models, then deploy it against commercial APIs where every token costs real money.

Article illustration

Try It Yourself

You don't need the exact adversarial suffixes to test the concept. Append uncertainty triggers to simple prompts and see what happens.

Take any basic question and add something like "Before answering, consider whether your initial approach might be wrong and explore alternative interpretations."

Or try a branching trigger: "Wait, are there alternative ways to interpret this? Maybe reconsider."

Run both versions through a reasoning model and compare token counts. If you see 2 to 3 times inflation with the same answer, you've demonstrated the attack vector manually.

Article illustration

Defenses Don't Work Yet

The researchers tested four defensive approaches. None of them held up.

Perplexity filtering catches the gibberish suffixes but also flags tons of legitimate inputs. High false positive rate, degraded user experience, not practical.

Safety classifiers miss it entirely. The attack doesn't look dangerous because it isn't asking for harmful content. It's just asking for... more thinking.

TIP, a token intervention approach, provides limited mitigation.

DEER, Dynamic Early Exit in Reasoning, actually works better but kills accuracy in the process. You stop the overthinking but also stop the model from thinking enough.

The paper's honest conclusion: no defenses currently work well against reasoning-based attacks.

Article illustration

What To Do About It

For API providers, rate limiting by token count rather than just request count becomes essential. If a user suddenly starts consuming 5x their normal tokens with similar query patterns, that's worth flagging.

Anomaly detection on reasoning length distributions could help catch abuse early. Track baseline reasoning lengths per query type and alert on statistical outliers.

For enterprises using reasoning models, monitor your token consumption closely. Break it down by user, by query type, by time period. Look for patterns that don't make sense.

And treat this like any other DoS vector. It's not theoretical. The attack works, it transfers across models, and current defenses don't stop it.

The Bigger Picture

We spent years optimizing models to think harder. Chain of thought prompting. Test-time compute scaling. Extended reasoning as a feature.

Now that same capability is an attack surface.

This is the AI equivalent of algorithmic complexity attacks in traditional software, where you craft inputs that hit worst-case performance rather than worst-case correctness. The model doesn't break. It just works way too hard.

(Full paper - https://arxiv.org/abs/2506.14374)