This paper exposes a fundamental security flaw in large language model (LLM) watermarking: the prevailing assumption that watermarks uniquely identify a specific model is invalid under knowledge distillation attacks. Method: The authors introduce the novel concept of “watermark radioactivity,” reframing watermarks not as passive detection features but as exploitable attack vectors that can be stolen and replicated. They propose an end-to-end watermark forgery framework that distills the behavioral patterns of a trusted watermarked LLM to precisely extract and reconstruct its watermark signal, enabling malicious models to generate text bearing the target watermark. Contribution/Results: Experiments demonstrate high-fidelity watermark forgery across multiple state-of-the-art watermarked LLMs; forged outputs evade existing watermark detectors, leading to erroneous attribution of harmful content. The implementation is publicly released to foster research on robust provenance mechanisms.

The promise of LLM watermarking rests on a core assumption that a specific watermark proves authorship by a specific model. We demonstrate that this assumption is dangerously flawed. We introduce the threat of watermark spoofing, a sophisticated attack that allows a malicious model to generate text containing the authentic-looking watermark of a trusted, victim model. This enables the seamless misattribution of harmful content, such as disinformation, to reputable sources. The key to our attack is repurposing watermark radioactivity, the unintended inheritance of data patterns during fine-tuning, from a discoverable trait into an attack vector. By distilling knowledge from a watermarked teacher model, our framework allows an attacker to steal and replicate the watermarking signal of the victim model. This work reveals a critical security gap in text authorship verification and calls for a paradigm shift towards technologies capable of distinguishing authentic watermarks from expertly imitated ones. Our code is available at https://github.com/hsannn/ditto.git.