Existing backdoor attacks leave static, detectable traces in models and lack the capability to actively remove the backdoor after deployment. Method: This paper proposes the first *revocable backdoor attack* paradigm, leveraging machine unlearning to completely erase the backdoor after achieving the attack objective—enabling a closed-loop “injection–triggering–erasure” process. We formulate a bi-level optimization framework that jointly optimizes backdoor injection and unlearning objectives; further, we introduce deterministic sample partitioning and PCGrad to mitigate gradient conflicts, enhancing erasure accuracy and training stability. Contribution/Results: On CIFAR-10 and ImageNet, our method achieves attack success rates competitive with state-of-the-art (SOTA) backdoor attacks, while fully eliminating backdoor behavior post-erasure. To our knowledge, this is the first empirical demonstration of backdoor reversibility, establishing its theoretical feasibility and practical viability.

Backdoor attacks pose a persistent security risk to deep neural networks (DNNs) due to their stealth and durability. While recent research has explored leveraging model unlearning mechanisms to enhance backdoor concealment, existing attack strategies still leave persistent traces that may be detected through static analysis. In this work, we introduce the first paradigm of revocable backdoor attacks, where the backdoor can be proactively and thoroughly removed after the attack objective is achieved. We formulate the trigger optimization in revocable backdoor attacks as a bilevel optimization problem: by simulating both backdoor injection and unlearning processes, the trigger generator is optimized to achieve a high attack success rate (ASR) while ensuring that the backdoor can be easily erased through unlearning. To mitigate the optimization conflict between injection and removal objectives, we employ a deterministic partition of poisoning and unlearning samples to reduce sampling-induced variance, and further apply the Projected Conflicting Gradient (PCGrad) technique to resolve the remaining gradient conflicts. Experiments on CIFAR-10 and ImageNet demonstrate that our method maintains ASR comparable to state-of-the-art backdoor attacks, while enabling effective removal of backdoor behavior after unlearning. This work opens a new direction for backdoor attack research and presents new challenges for the security of machine learning systems.