Researchers Reveal LLM Side-Channel Exfiltration Methods

On February 17, 2026, researchers published three papers demonstrating side-channel attacks that infer user prompts and extract data from encrypted LLM traffic and speculative decoding. Across open-source and production systems they report classification/identification accuracies of 75–99% and over 98% AUPRC, recover 5–20% of target conversations, and exfiltrate datastore tokens at rates exceeding 25 tokens/sec. They evaluate mitigations like padding and batching, but none fully eliminate leakage.