MoEcho: Exploiting Side-Channel Attacks to Compromise User Privacy in Mixture-of-Experts LLMs

📅 2025-08-20
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work uncovers a hardware side-channel privacy threat in Mixture-of-Experts (MoE) large language and vision-language models that arises from input-dependent dynamic expert routing. Because the gating network selects experts according to the semantics of each token, the set of expert weights that is loaded and executed varies with the input, and that variation leaves observable temporal and spatial side effects on shared hardware: cache occupancy, page-table and paging activity, TLB behavior, and performance-counter fluctuations during CPU and GPU execution. The paper gives the first systematic definition of the MoE runtime side-channel attack surface and proposes four channels, two on CPUs (Cache Occupancy Channel and Pageout+Reload) and two on GPUs (Performance Counter Analysis and TLB Evict+Reload). Combined with modeling of expert-routing patterns, these channels let a co-located adversary infer which experts a victim's tokens activated and, from that, properties of the input itself. The authors demonstrate four attacks (prompt recovery, response reconstruction, visual content identification, and image reconstruction) against state-of-the-art MoE language and vision-language models. The results empirically confirm severe privacy leakage and provide a starting point for securing MoE deployments.

📝 Abstract
The transformer architecture has become a cornerstone of modern AI, fueling remarkable progress across applications in natural language processing, computer vision, and multimodal learning. As these models continue to scale explosively for performance, implementation efficiency remains a critical challenge. Mixture of Experts (MoE) architectures, selectively activating specialized subnetworks (experts), offer a unique balance between model accuracy and computational cost. However, the adaptive routing in MoE architectures, where input tokens are dynamically directed to specialized experts based on their semantic meaning, inadvertently opens up a new attack surface for privacy breaches. These input-dependent activation patterns leave distinctive temporal and spatial traces in hardware execution, which adversaries could exploit to deduce sensitive user data. In this work, we propose MoEcho, discovering a side-channel-analysis-based attack surface that compromises user privacy on MoE-based systems. Specifically, in MoEcho, we introduce four novel architectural side channels on different computing platforms, including Cache Occupancy Channels and Pageout+Reload on CPUs, and Performance Counter and TLB Evict+Reload on GPUs, respectively. Exploiting these vulnerabilities, we propose four attacks that effectively breach user privacy in large language models (LLMs) and vision-language models (VLMs) based on MoE architectures: Prompt Inference Attack, Response Reconstruction Attack, Visual Inference Attack, and Visual Reconstruction Attack. MoEcho is the first runtime architecture-level security analysis of the popular MoE structure common in modern transformers, highlighting a serious security and privacy threat and calling for effective and timely safeguards when harnessing MoE-based models for developing efficient large-scale AI services.
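The abstract describes the leakage mechanism in three steps: token semantics decide which experts run, the chosen experts leave an input-dependent memory footprint, and an observer who can measure that footprint maps it back to the input. The following toy simulation, added here as an illustration and not code from the MoEcho paper, makes those three steps concrete. Everything in it is a made-up assumption: the hash-based stand-in for a learned gating network, the number of layers and experts, the cache-line layout of expert weights, the noise model of the simulated cache-occupancy probe, and the vocabulary. It also goes one step beyond the abstract by showing why a "dense padding" mitigation that always touches every expert collapses the channel: every token then produces the same footprint and the attacker's candidate list degenerates to the whole vocabulary.

```python
"""Toy model of the leakage principle behind MoEcho.

Input-dependent expert routing means each token touches a different subset of
expert weights; an observer who can see that memory footprint (here a simulated
cache-occupancy probe) can map it back to the token. Added illustration, not
the paper's code: gating, layout, vocabulary and noise are all assumptions.
"""
import hashlib
import random

NUM_LAYERS = 2            # MoE layers observed (assumption)
NUM_EXPERTS = 8           # experts per layer (assumption)
TOP_K = 2                 # experts activated per token (assumption)
LINES_PER_EXPERT = 4      # cache lines covered by one expert's weights (assumption)
LINES_PER_LAYER = NUM_EXPERTS * LINES_PER_EXPERT
CACHE_LINES = NUM_LAYERS * LINES_PER_LAYER


def gate_scores(token: str, layer: int) -> list[float]:
    """Stand-in for a learned gating network: deterministic pseudo-random scores
    derived from the token, so routing depends on the input's identity."""
    digest = hashlib.sha256(f"{layer}:{token}".encode()).digest()
    return [digest[i] / 255.0 for i in range(NUM_EXPERTS)]


def route(token: str, layer: int) -> list[int]:
    """Top-k routing: the experts one layer selects for one token."""
    scores = gate_scores(token, layer)
    ranked = sorted(range(NUM_EXPERTS), key=lambda e: scores[e], reverse=True)
    return sorted(ranked[:TOP_K])


def victim_footprint(token: str, dense_padding: bool = False) -> set[int]:
    """Cache lines the victim touches while processing one token.
    dense_padding=True models a mitigation that always loads every expert,
    so the footprint no longer depends on the token."""
    lines: set[int] = set()
    for layer in range(NUM_LAYERS):
        experts = range(NUM_EXPERTS) if dense_padding else route(token, layer)
        for e in experts:
            base = layer * LINES_PER_LAYER + e * LINES_PER_EXPERT
            lines.update(range(base, base + LINES_PER_EXPERT))
    return lines


def occupancy_probe(footprint: set[int], noise: float, rng: random.Random) -> frozenset[int]:
    """Simulated cache-occupancy channel: the attacker fills the cache with its
    own buffer, lets the victim process one token, reloads the buffer and
    records which lines were evicted. `noise` flips each line with that
    probability to model unrelated system activity."""
    observed = set(footprint)
    for line in range(CACHE_LINES):
        if rng.random() < noise:
            observed ^= {line}
    return frozenset(observed)


def profile(vocabulary: list[str], dense_padding: bool = False) -> dict[str, frozenset[int]]:
    """Offline phase: the attacker runs the model on words it chooses and
    records each word's clean footprint."""
    return {w: frozenset(victim_footprint(w, dense_padding)) for w in vocabulary}


def recover(observations: list[frozenset[int]],
            profiles: dict[str, frozenset[int]]) -> list[list[str]]:
    """Online phase: for each observed footprint, return the words whose
    profiled footprint is nearest (symmetric-difference distance). Distinct
    words can share a routing pattern, so each result is a candidate list."""
    result = []
    for obs in observations:
        dist = {w: len(obs ^ fp) for w, fp in profiles.items()}
        best = min(dist.values())
        result.append(sorted(w for w, d in dist.items() if d == best))
    return result


def simulate(prompt: list[str], vocabulary: list[str], noise: float = 0.0,
             dense_padding: bool = False, seed: int = 1) -> list[list[str]]:
    """Profile, observe the victim's prompt token by token, recover candidates."""
    rng = random.Random(seed)
    profiles = profile(vocabulary, dense_padding)
    observations = [occupancy_probe(victim_footprint(t, dense_padding), noise, rng)
                    for t in prompt]
    return recover(observations, profiles)


# Constructed vocabulary for the demo (assumption).
VOCAB = ["my", "password", "is", "hunter2", "please", "summarize", "this", "contract",
         "diagnosis", "cancer", "transfer", "funds", "account", "report", "salary", "address"]

if __name__ == "__main__":
    prompt = ["my", "password", "is", "hunter2"]
    print("leaky routing :", simulate(prompt, VOCAB, noise=0.02))
    print("dense padding :", simulate(prompt, VOCAB, dense_padding=True))
```

The candidate-list output is deliberate: one MoE layer with 8 experts and top-2 routing can only separate 28 classes, so a single layer's footprint is a many-to-one function of the token and the attacker needs several layers or several tokens of context, which is what the routing-pattern modeling mentioned in the summary supplies in the real attacks. The noise parameter shows why the paper's channels are compared on a symmetric-difference distance rather than exact matching: stray evictions from unrelated activity perturb a few lines, while two different routing decisions differ by at least a whole expert's worth of lines.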
Problem

Research questions and friction points this paper is trying to address.

Does input-dependent expert routing in MoE models leave traces in shared hardware state (caches, page tables, TLBs, performance counters) that a co-located adversary can observe at runtime?
Which architectural side channels on CPUs and GPUs expose those routing decisions, and can the same threat model be realized on both platforms?
How much of a user's prompt, generated response, or image input can be inferred or reconstructed from the observed routing traces of MoE LLMs and VLMs?
Innovation

Methods, ideas, or system contributions that make the work stand out.

Four architectural side channels tailored to MoE execution: Cache Occupancy Channels and Pageout+Reload on CPUs, Performance Counter analysis and TLB Evict+Reload on GPUs
Routing-pattern modeling that maps the observed hardware traces back to per-token expert selections and from there to the semantics of the input
Four end-to-end attacks on MoE LLMs and VLMs built on those channels: Prompt Inference, Response Reconstruction, Visual Inference, and Visual Reconstruction