Toxic HallucinAItions: Perturbing Prompts and Tracing LLM Circuits

Researchers demonstrate that toxic language in prompts significantly degrades the factual accuracy of large language models, even when semantic content remains identical. By analyzing internal model activations, they identify that toxicity amplifies perturbation-sensitive nodes while leaving core reasoning pathways relatively stable, revealing a critical vulnerability in LLM reliability.

This research exposes a fundamental fragility in large language models that has significant implications for real-world deployment. The study systematically demonstrates that surface-level linguistic toxicity—independent of semantic meaning—can reliably degrade factual outputs across multiple models and benchmark datasets. This finding challenges assumptions that LLMs maintain consistent reasoning regardless of prompt framing and reveals how seemingly trivial stylistic variations can hijack model behavior.

The mechanistic investigation through attribution-graph analysis adds crucial depth by showing that toxicity doesn't simply confuse models uniformly. Instead, it selectively activates perturbation-sensitive internal nodes while preserving core reasoning structures. This suggests toxic language triggers specific computational pathways that interfere with accurate fact retrieval and reasoning, rather than causing global degradation. The effect's consistency across different model architectures indicates this isn't an isolated quirk but a systematic vulnerability in how modern LLMs process adversarial linguistic inputs.

For practitioners deploying LLMs in production environments, this research underscores critical robustness gaps. Customer-facing chatbots, educational tools, and decision-support systems remain vulnerable to prompt injection attacks leveraging toxic language. The findings suggest that simple content filtering or tone-matching during training may be insufficient; addressing this requires deeper architectural changes or inference-time interventions. Development teams must now contend with a new attack surface where user hostility itself becomes a vector for reducing model reliability, independent of what users actually ask.

• →Toxic language in prompts consistently reduces LLM factual accuracy across multiple models and datasets, even with identical semantic content.
• →Internal model analysis reveals toxicity selectively amplifies perturbation-sensitive computation nodes while leaving core reasoning pathways relatively stable.
• →Polite phrasing produces inconsistent and limited changes, suggesting toxicity specifically triggers problematic internal dynamics.
• →LLM reliability is vulnerable to surface-level adversarial linguistic variation, creating new robustness risks for production deployment.
• →The mechanistic findings indicate tone-based prompt perturbations require architectural solutions beyond simple content filtering or training modifications.