This study investigates the evolutionary patterns and security implications of jailbreaking attacks against large language models (LLMs). Method: Leveraging over two million real-world dialogues, we conduct a large-scale empirical analysis using multidimensional complexity metrics—including probabilistic measures, lexical diversity, compression ratios, and cognitive load—to systematically characterize the dynamic evolution of attack complexity. Contribution/Results: We find no significant increase in attack complexity over time, nor evidence of power-law scaling; instead, complexity remains stable and bounded by inherent limits of human expressive capacity—challenging the prevailing “escalating arms race” hypothesis. Concurrently, assistant toxicity declines steadily, corroborating the effective evolution of defensive mechanisms. This work provides the first empirical identification of intrinsic boundaries governing jailbreak evolution, highlights risks of academic disclosure in exacerbating security imbalances, and delivers critical evidence to inform AI safety governance and policy.

As large language models (LLMs) become increasingly deployed, understanding the complexity and evolution of jailbreaking strategies is critical for AI safety. We present a mass-scale empirical analysis of jailbreak complexity across over 2 million real-world conversations from diverse platforms, including dedicated jailbreaking communities and general-purpose chatbots. Using a range of complexity metrics spanning probabilistic measures, lexical diversity, compression ratios, and cognitive load indicators, we find that jailbreak attempts do not exhibit significantly higher complexity than normal conversations. This pattern holds consistently across specialized jailbreaking communities and general user populations, suggesting practical bounds on attack sophistication. Temporal analysis reveals that while user attack toxicity and complexity remains stable over time, assistant response toxicity has decreased, indicating improving safety mechanisms. The absence of power-law scaling in complexity distributions further points to natural limits on jailbreak development. Our findings challenge the prevailing narrative of an escalating arms race between attackers and defenders, instead suggesting that LLM safety evolution is bounded by human ingenuity constraints while defensive measures continue advancing. Our results highlight critical information hazards in academic jailbreak disclosure, as sophisticated attacks exceeding current complexity baselines could disrupt the observed equilibrium and enable widespread harm before defensive adaptation.