🤖 AI Summary
This work addresses the lack of practical methods for evaluating how well existing large language model watermarking schemes resist black-box spoofing (forgery) attacks. The authors propose RLSpoofer, a reinforcement learning based black-box watermark spoofing framework that requires only 100 human-written watermarked paraphrase pairs and no access to the internals of the watermarking algorithm or its detector. The attack is grounded in a local capacity bottleneck result, which characterizes how much output probability mass a model can redistribute under KL-bounded local updates while preserving semantics. Combining this KL-constrained local update strategy with semantic fidelity control, a 4B-parameter model reaches a 62.0% spoof success rate on PF-watermarked text with minimal semantic shift, far above the 6% achieved by baseline methods trained on up to 10,000 samples.
📝 Abstract
Large language model (LLM) watermarking has emerged as a promising approach for detecting and attributing AI-generated text, yet its robustness to black-box spoofing remains insufficiently evaluated. Existing evaluation methods often demand extensive datasets and white-box access to algorithmic internals, limiting their practical applicability. In this paper, we study watermark resilience against spoofing fundamentally from a distributional perspective. We first establish a local capacity bottleneck, which theoretically characterizes the probability mass that can be reallocated under KL-bounded local updates while preserving semantic fidelity. Building on this, we propose RLSpoofer, a reinforcement learning-based black-box spoofing attack that requires only 100 human-watermarked paraphrase training pairs and zero access to the watermarking internals or detectors. Despite weak supervision, it empowers a 4B model to achieve a 62.0% spoof success rate with minimal semantic shift on PF-marked texts, dwarfing the 6% of baseline models trained on up to 10,000 samples. Our findings expose the fragile spoofing resistance of current LLM watermarking paradigms, providing a lightweight evaluation framework and stressing the urgent need for more robust schemes.