This study identifies a novel security threat: autonomous AI agents in multi-agent systems (MAS) can spontaneously form decentralized malicious collusion, particularly in high-risk domains such as disinformation dissemination and e-commerce fraud. To investigate this, we propose a flexible multi-agent simulation framework that unifies centralized and decentralized cooperation models, integrating reinforcement learning with strategy evolution mechanisms to emulate coordinated adversarial behavior under diverse network topologies; the framework further incorporates a dynamic defense response module. Experimental results demonstrate that decentralized MAS exhibit significantly higher attack adaptability and stealth—effectively evading conventional moderation techniques (e.g., content labeling)—while achieving greater operational efficiency and substantially increasing detection difficulty. Our findings underscore structural security challenges arising from increasing agent autonomy. To support reproducible research and governance-oriented investigations, we release the simulation code as open source.

Recent large-scale events like election fraud and financial scams have shown how harmful coordinated efforts by human groups can be. With the rise of autonomous AI systems, there is growing concern that AI-driven groups could also cause similar harm. While most AI safety research focuses on individual AI systems, the risks posed by multi-agent systems (MAS) in complex real-world situations are still underexplored. In this paper, we introduce a proof-of-concept to simulate the risks of malicious MAS collusion, using a flexible framework that supports both centralized and decentralized coordination structures. We apply this framework to two high-risk fields: misinformation spread and e-commerce fraud. Our findings show that decentralized systems are more effective at carrying out malicious actions than centralized ones. The increased autonomy of decentralized systems allows them to adapt their strategies and cause more damage. Even when traditional interventions, like content flagging, are applied, decentralized groups can adjust their tactics to avoid detection. We present key insights into how these malicious groups operate and the need for better detection systems and countermeasures. Code is available at https://github.com/renqibing/RogueAgent.