Slide 12 of 27
Part 2 · Types
Slide 12 · Type 3 — Web-Scale Dataset Poisoning
Poisoning a public dataset can cost about $60.
Research · 2023 · Carlini, Tramèr, et al.
Poisoning Web-Scale Training Datasets Is Practical
No CVE · Targets: LAION-400M, COYO-700M, Wikipedia snapshots

Split-View Poisoning: web-scale datasets distribute URLs, not the images and text themselves, so what a downloader fetches can differ from what the curator saw. Buy an expired domain a dataset still points to, swap in your own content, and everyone who downloads the dataset later gets your poison. Poisoning 0.01% of LAION-400M / COYO-700M would have cost roughly $60.

Frontrunning Poisoning: datasets like Wikipedia are snapshotted on a known schedule. Edit a page just before the snapshot and your malicious version gets captured into the training set — even if a human reverts it seconds later.
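Added example (not from the paper or this deck): the two defender-side checks these mechanisms call for, over constructed data. For split-view, the index carries a content hash recorded at indexing time and the downloader drops any URL whose bytes no longer match; for frontrunning, a snapshot takes the newest revision that stood unreplaced for a quarantine window instead of the live page. The URLs, byte strings, revision texts and the 24-hour window are assumptions.

```python
import hashlib
from datetime import datetime, timedelta

ORIGINAL = {  # constructed: bytes as they were when the dataset was indexed
    "https://img-a.example/cat.jpg": b"cat-image-bytes-as-indexed",
    "https://expired.example/dog.jpg": b"dog-image-bytes-as-indexed",
}
LIVE = {  # constructed: what a downloader sees later, after the domain changed hands
    "https://img-a.example/cat.jpg": b"cat-image-bytes-as-indexed",
    "https://expired.example/dog.jpg": b"replacement-bytes-from-new-owner",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_index(originals: dict) -> list:
    """Maintainer side: publish (url, sha256) pairs, not bare URLs."""
    return [{"url": u, "sha256": sha256(b)} for u, b in originals.items()]

def verify_download(index: list, fetch) -> tuple:
    """Downloader side. `fetch(url)` returns bytes or None and is injected so
    the check runs offline. Returns (kept, rejected) URL lists."""
    kept, rejected = [], []
    for row in index:
        data = fetch(row["url"])
        if data is not None and sha256(data) == row["sha256"]:
            kept.append(row["url"])
        else:
            rejected.append(row["url"])  # dead link or content drifted since indexing
    return kept, rejected

# Frontrunning: instead of taking the page as it is at snapshot time, take the
# newest revision that had already stood unreplaced for `quarantine` before it.
def stable_revision(revisions: list, snapshot: datetime,
                    quarantine: timedelta = timedelta(hours=24)):
    """`revisions` is [(timestamp, text)]. Returns the text to include, or
    None when no revision has been stable long enough (then skip the page)."""
    revisions = sorted(revisions)
    chosen = None
    for i, (ts, text) in enumerate(revisions):
        end = revisions[i + 1][0] if i + 1 < len(revisions) else snapshot
        if min(end, snapshot) - ts >= quarantine:
            chosen = text  # a later stable revision supersedes an earlier one
    return chosen

SNAPSHOT = datetime(2023, 3, 8)  # constructed: the scheduled snapshot time
HISTORY = [(datetime(2023, 3, 1), "accurate article"),
           (SNAPSHOT - timedelta(seconds=10), "vandalised article")]  # frontrun edit

if __name__ == "__main__":
    print(verify_download(build_index(ORIGINAL), LIVE.get), stable_revision(HISTORY, SNAPSHOT))
```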

Why it matters for LLM04: web-scale data is a moving target. “We trained on a reputable public dataset” says nothing about whether that data was still safe at the moment it was downloaded.

The attackers didn't break into anything. They exploited the gap between when a dataset was indexed and when it was downloaded.
