This work addresses the critical security risk of systemic data leakage in tool-augmented large language model (LLM) agents operating in sensitive scenarios due to backdoor attacks. It introduces Back-Reveal, the first attack of its kind, which embeds semantic triggers during fine-tuning to compromise the agent. Once triggered, the compromised agent exploits memory access and masquerades as a legitimate retrieval tool to continuously exfiltrate user context data across multiple dialogue turns. The study exposes a fundamental vulnerability in current LLM agent architectures—their inability to defend against targeted, cumulative information leakage. Experimental results demonstrate that Back-Reveal effectively induces agents to disclose stored sensitive information, revealing a novel security threat wherein multi-turn interaction mechanisms can be maliciously exploited for persistent data theft.

Tool-use large language model (LLM) agents are increasingly deployed to support sensitive workflows, relying on tool calls for retrieval, external API access, and session memory management. While prior research has examined various threats, the risk of systematic data exfiltration by backdoored agents remains underexplored. In this work, we present Back-Reveal, a data exfiltration attack that embeds semantic triggers into fine-tuned LLM agents. When triggered, the backdoored agent invokes memory-access tool calls to retrieve stored user context and exfiltrates it via disguised retrieval tool calls. We further demonstrate that multi-turn interaction amplifies the impact of data exfiltration, as attacker-controlled retrieval responses can subtly steer subsequent agent behavior and user interactions, enabling sustained and cumulative information leakage over time. Our experimental results expose a critical vulnerability in LLM agents with tool access and highlight the need for defenses against exfiltration-oriented backdoors.