Despite the deployment of safety alignment mechanisms in state-of-the-art large language models, they remain vulnerable to multi-turn dialogue attacks that elicit harmful outputs or induce subtle information leakage—a phenomenon we term *para-jailbreaking*. This work presents the first formal characterization and empirical demonstration of this emerging vulnerability. We propose a novel multi-turn jailbreaking approach that strategically combines intent obfuscation, consistency-driven preference steering, and targeted exploitation of model safety protocols. Our method substantially outperforms existing techniques across both text-only and multimodal models, efficiently inducing high-hazard, detailed responses from cutting-edge systems such as GPT-5-Thinking and Claude-Sonnet-4.5, thereby exposing their susceptibility to para-jailbreaking.

Large (vision-)language models exhibit remarkable capability but remain highly susceptible to jailbreaking. Existing safety training approaches aim to have the model learn a refusal boundary between safe and unsafe, based on the user's intent. It has been found that this binary training regime often leads to brittleness, since the user intent cannot reliably be evaluated, especially if the attacker obfuscates their intent, and also makes the system seem unhelpful. In response, frontier models, such as GPT-5, have shifted from refusal-based safeguards to safe completion, that aims to maximize helpfulness while obeying safety constraints. However, safe completion could be exploited when a user pretends their intention is benign. Specifically, this intent inversion would be effective in multi-turn conversation, where the attacker has multiple opportunities to reinforce their deceptively benign intent. In this work, we introduce a novel multi-turn jailbreaking method that exploits this vulnerability. Our approach gradually builds conversational trust by simulating benign-seeming intentions and by exploiting the consistency property of the model, ultimately guiding the target model toward harmful, detailed outputs. Most crucially, our approach also uncovered an additional class of model vulnerability that we call para-jailbreaking that has been unnoticed up to now. Para-jailbreaking describes the situation where the model may not reveal harmful direct reply to the attack query, however the information that it reveals is nevertheless harmful. Our contributions are threefold. First, it achieves high success rates against frontier models including GPT-5-thinking and Claude-Sonnet-4.5. Second, our approach revealed and addressed para-jailbreaking harmful output. Third, experiments on multimodal VLM models showed that our approach outperformed state-of-the-art models.