🤖 AI Summary
This work addresses the vulnerability of data attribution mechanisms in distributed learning to manipulation by malicious participants, which can distort contribution assessments. It introduces, for the first time, the concept of “attribution-first attacks,” demonstrating that attribution mechanisms themselves constitute a novel attack surface. By generating small batches of synthetic data through latent-space optimization, an attacker can significantly inflate their own attribution score without degrading global model accuracy or triggering geometry-based defenses. Leveraging non-IID label coverage and evaluator sensitivity, this method consistently increases the attacker’s attributed contribution across diverse datasets, models, and marginal-utility evaluators, while simultaneously distorting the relative contribution structure among benign clients, thereby challenging the reliability assumptions underlying current attribution approaches.
📝 Abstract
Data attribution has become an important component of pricing, auditing, and governance in machine learning pipelines, yet most attribution methods implicitly assume that attribution values faithfully reflect participants' contributions. We show that this assumption can fail: a single participant in a standard distributed training workflow can substantially inflate its measured attribution value while preserving global utility. Our attribution-first attack uses latent optimization to inject small synthetic batches that preserve utility while exploiting non-IID label coverage and evaluator sensitivities. Across datasets, models, and multiple marginal-utility evaluators, the attack consistently increases the adversary's attribution value and reshapes the relative attribution structure among benign clients without degrading accuracy or triggering geometry-based defenses. These results show that attribution itself forms a new attack surface and motivate the development of attribution-robust and incentive-compatible scoring mechanisms.