🤖 AI Summary
This work reveals, for the first time, that deep hashing image retrieval systems remain vulnerable to adversarial manipulation even when presented with *clean query images*. To address this, we propose PADHASH—the first end-to-end data poisoning attack framework specifically designed for deep hashing. Unlike prior attacks that rely on perturbed queries, PADHASH formalizes a *clean-trigger* poisoning paradigm and introduces a transferable, black-box attack method grounded in surrogate modeling and rigorous gradient matching. Our approach comprises three stages: hash model inversion, gradient-based optimization, and adversarial sample generation. Extensive experiments on mainstream models (DSH, DPSH, CSQ) and benchmark datasets (CIFAR-10, NUS-WIDE) demonstrate that PADHASH achieves high success rates in targeted retrieval contamination across multiple hash code lengths, with strong cross-model transferability. These results critically expose the underexplored data-layer security vulnerabilities inherent in deep hashing systems.
📝 Abstract
Large-scale image retrieval using deep hashing has become increasingly popular due to the exponential growth of image data and the remarkable feature extraction capabilities of deep neural networks (DNNs). However, deep hashing methods are vulnerable to malicious attacks, including adversarial and backdoor attacks. It is worth noting that these attacks typically involve altering the query images, which is not a practical concern in real-world scenarios. In this paper, we point out that even clean query images can be dangerous, inducing malicious target retrieval results, like undesired or illegal images. To the best of our knowledge, we are the first to study data **p**oisoning **a**ttacks against **d**eep **hash**ing **(*PADHASH*)**. Specifically, we first train a surrogate model to simulate the behavior of the target deep hashing model. Then, a strict gradient matching strategy is proposed to generate the poisoned images. Extensive experiments on different models, datasets, hash methods, and hash code lengths demonstrate the effectiveness and generality of our attack method.