Papers
Topics
Authors
Recent
Search
2000 character limit reached

Covert Influence Dynamics

Updated 4 July 2026
  • Covert influence is a phenomenon where hidden signals induce behavioral changes by separating operational impact from visible cues in social media, cyber-physical, and language-model contexts.
  • It leverages techniques such as encrypted payload embedding, graph reconfiguration, and subtle token-level shifts to achieve low observability while maintaining causal efficacy.
  • Key challenges include designing detection methods for stealthy alterations, developing robust anomaly detection in network flows, and mitigating risks in security-sensitive applications.

Covert influence denotes a class of operations in which a sender induces a measurable change in a receiver while preserving an apparently benign surface for human observers, network monitors, or platform auditors. Recent work describes this phenomenon in at least three technically distinct settings: social-media community management systems that embed encrypted payloads into dynamic sock-puppet graphs, cyber-physical attacks that degrade plant performance while remaining covert, and language-model interactions in which hidden behavioral dispositions transfer through carriers that leave no human-detectable trace (Filiol, 22 Sep 2025, Sa et al., 2016, Shah et al., 2 Jun 2026). Across these settings, the common structure is a separation between operational effect and overt appearance: the effective signal may reside in graph topology, in statistically small control perturbations, or in token-level distributional shifts rather than in explicit, human-readable content.

1. Formal Definitions and Core Criteria

In the language-model setting, covert influence is defined as the circumstance in which a “sender” LLM, conditioned on a hidden disposition called the payload, emits a “carrier” that, when consumed by a “receiver” model, shifts the receiver’s behavior in the intended way while leaving no human-detectable trace (Shah et al., 2 Jun 2026). Let ss denote a conditioning signal on the sender, cCc \in C a carrier generated by the sender under ss, and R()R(\cdot) a measurement of payload expression in the receiver. Covert influence occurs if two conditions hold: payload transfer, R(c)R0>0R(c)-R_0>0, and invisibility, meaning that any human-accessible semantic filter FF fails to distinguish cc from benign text, so that F(c)F(c)F(c)\approx F(c') for a clean carrier cc'.

The same general logic appears in social-network and cyber-physical contexts, but with different technical objects. In social networks, sock puppet accounts are false online identities created to praise, defend, or support a person or organization, to manipulate public opinion, or to circumvent platform restrictions; a sock puppet master generates, controls, and animates an army of such accounts in real time via specialized software or platform APIs (Filiol, 22 Sep 2025). Community management organizes these accounts into dense sub-graphs whose internal connectivity can be dynamically reconfigured to serve influence campaigns, covert communication, or information hiding. In networked control systems, covert influence takes the form of a service-degradation attack planned from a prior System Identification attack; the goal is to affect the physical behavior of a system in a covert and accurate way, so that the degradation is difficult to detect both in cybernetic and physical terms (Sa et al., 2016).

These formulations establish a shared criterion: covert influence is not defined by secrecy alone, but by the coexistence of causal efficacy and low observability.

2. Social-Media Community Management as an Influence Infrastructure

The social-network literature situates covert influence within the evolution of influence technologies. In the early 2010s, the U.S. Army’s Operation Earnest Voice contracted Ntrepid to develop persona management software that created and controlled batches of fake accounts on foreign-language social platforms; in the mid 2010s, Cambridge Analytica and its Ripon platform combined stolen user data and psychographic models to micro-target voters via thousands of coordinated sock puppets; in the late 2010s to early 2020s, Team Jorge’s AIMS extended these capabilities to the centralized creation, management, and animation of tens of thousands of profiles across Twitter/X, Facebook, LinkedIn, Telegram, TikTok, Amazon, and Airbnb, complete with payment and crypto-wallet integrations (Filiol, 22 Sep 2025). The same account identifies Bell Pottinger, Cambridge Analytica, Aggregate-IQ, and Team Jorge as the most (in)famous cases in this space.

At the architectural level, these systems automate avatar creation by scraping real users’ metadata, synthesizing plausible personas through photo AI and demographic models, and uploading them through APIs or headless browser farms. They integrate AI modules for topic-tailored posts, comments, and direct messages, alongside schedulers that publish or boost content at optimal times to maximize engagement and appear organic. Interaction patterns are pre-programmed for friend or follow reciprocity, group joining, hashtag usage, and content sharing, with the stated objective of raising trust scores and community density (Filiol, 22 Sep 2025).

Community definition is explicitly graph-theoretic. A sock puppet master defines communities as high-density sub-graphs in the host social network; an example is a set of N=50000N=50\,000 nodes with intra-community link density cCc \in C0 much higher than the ambient network. This infrastructure is not limited to persuasion. The same mechanisms that support targeted and directed influence communication to rather large influence targets can also be repurposed to communicate or disseminate relatively large volumes of multi-level encrypted information to a limited number of actors (Filiol, 22 Sep 2025).

3. Dynamic Mass Covert Communication Through Social Graphs

The paper on Community Covert Communication presents a concrete protocol in which covert influence is implemented by graph reconfiguration rather than by overt message content (Filiol, 22 Sep 2025). A secret API key cCc \in C1 seeds a stream cipher generator that pseudo-randomly selects sub-communities cCc \in C2 of size cCc \in C3 for each communication epoch. The example given is

cCc \in C4

followed by decimation through the resulting bitstream cCc \in C5 to pick cCc \in C6 accounts out of cCc \in C7. Given an ordering cCc \in C8 on the possible cCc \in C9 undirected edges or ss0 directed edges, each edge presence or absence encodes one bit of a ciphertext ss1. The puppeteer sets or removes links between pairwise accounts to embed a message, and authorized receivers with the same ss2 and ss3 reconstruct ss4 by crawling the resulting sub-graph.

Before graph encoding, the message is encrypted under a deterministic, deniable encryption algorithm ss5 with multiple secret keys ss6. The paper describes this as non-trivial deniable cryptography: the same ciphertext ss7 can be produced from different plaintexts ss8, with any decryption key recovering one plausible ss9 while hiding the existence of others. In parallel with intra-community edge coding, inter-community edges among R()R(\cdot)0 communities act as hyper-edges to embed additional ciphertext layers according to a “Russian doll” principle (Filiol, 22 Sep 2025).

The capacity model is stated as

R()R(\cdot)1

where R()R(\cdot)2 is the total number of avatars in a community, R()R(\cdot)3 is the payload per avatar in bits per epoch, and R()R(\cdot)4 is an efficiency factor accounting for platform noise and error correction. The example R()R(\cdot)5, R()R(\cdot)6 bit per avatar per snapshot, and R()R(\cdot)7 yields R()R(\cdot)8 bits; over multiple snapshots per hour, this supports covert transmission of tens of megabytes per day. Detection is modeled by

R()R(\cdot)9

where R(c)R0>0R(c)-R_0>00 is the number of encryption layers and R(c)R0>0R(c)-R_0>01 is the cover traffic rate. As R(c)R0>0R(c)-R_0>02 increases, R(c)R0>0R(c)-R_0>03 and R(c)R0>0R(c)-R_0>04, illustrating the paper’s claim that adding benign interactions exponentially reduces detection risk (Filiol, 22 Sep 2025).

The same source contrasts this approach with traditional dark posts. Dark posts rely on boosted, unpublished ads visible only to target audiences and typically carry kilobytes of text or media, whereas Community Covert Communication can embed up to R(c)R0>0R(c)-R_0>05–R(c)R0>0R(c)-R_0>06 Mb per community epoch. Dark posts still traverse identifiable ad-delivery channels; Community Covert Communication disperses data across thousands of legitimate social links, eliminating a single interception point. Dark posts are static until recalled; the covert communities described here reconfigure in real time through node joining and link rewiring. The paper therefore argues that the concept of communication has been totally redefined and disrupted, so that eavesdropping, interception, and jamming operations no longer make sense (Filiol, 22 Sep 2025).

4. Covert Service Degradation in Networked Control Systems

In cyber-physical control systems, covert influence is formulated as a two-stage attack on a sampled-data Networked Control System consisting of a PI controller R(c)R0>0R(c)-R_0>07, a DC-motor plant R(c)R0>0R(c)-R_0>08, and networked sample exchange at R(c)R0>0R(c)-R_0>09 s (Sa et al., 2016). The closed-loop relations are

FF0

In the example studied,

FF1

with true coefficients

FF2

The first stage is a System Identification attack. The attacker eavesdrops on the forward stream FF3 and feedback stream FF4 over a monitoring horizon FF5, handling lost packets through a zero-order hold: FF6 for FF7 or FF8. The attacker assumes knowledge of the model structure

FF9

but not the coefficients, and performs parameter search with Backtracking Search Optimization. For each candidate vector cc0, the attacker simulates the estimated model and computes the mean-square-error fitness

cc1

The practical settings are cc2, exploration parameter cc3, 800 generations for the plant, 600 for the controller, coefficient bounds cc4, and Monte Carlo over sample-loss rates cc5 (Sa et al., 2016).

The second stage is a Man-in-the-Middle Service-Degradation attack on the forward stream. The attacker injects a filter cc6 so that

cc7

Two covert objectives are pursued. For overshoot induction of approximately cc8, the filter is a constant gain cc9; for a steady-state offset of about F(c)F(c)F(c)\approx F(c')0, the filter is

F(c)F(c)F(c)\approx F(c')1

Stealth is evaluated in two ways: cybernetic covertness requires F(c)F(c)F(c)\approx F(c')2 for sufficiently small F(c)F(c)F(c)\approx F(c')3, while physical covertness requires that the change in F(c)F(c)F(c)\approx F(c')4 remain subtle enough to evade human detection (Sa et al., 2016).

The quantitative results are specific. With sampling time F(c)F(c)F(c)\approx F(c')5 s, monitoring window F(c)F(c)F(c)\approx F(c')6 s, F(c)F(c)F(c)\approx F(c')7 samples, and 100 Monte Carlo runs per packet-loss rate, the chosen gains F(c)F(c)F(c)\approx F(c')8 were F(c)F(c)F(c)\approx F(c')9, cc'0, cc'1, and cc'2 for cc'3, cc'4, cc'5, and cc'6, yielding achieved overshoots of cc'7, cc'8, cc'9, and N=50000N=50\,0000. The chosen gains N=50000N=50\,0001 were N=50000N=50\,0002, N=50000N=50\,0003, N=50000N=50\,0004, and N=50000N=50\,0005, yielding achieved steady-state errors of N=50000N=50\,0006, N=50000N=50\,0007, N=50000N=50\,0008, and N=50000N=50\,0009. Even under cCc \in C00 sample loss in identification, the attacker induced a cCc \in C01 overshoot and cCc \in C02 steady-state error, both within cCc \in C03 of the targets, while keeping the signals’ deviations small enough to remain covert (Sa et al., 2016).

5. Covert Influence Between LLMs

The language-model literature stresses three interfaces for covert influence: supervised fine-tuning, on-policy distillation, and in-context learning (Shah et al., 2 Jun 2026). In supervised fine-tuning, the receiver is fine-tuned on prompt-response pairs generated by the sender under a hidden payload; because the receiver updates its weights, small distributed shifts invisible to human filters can accumulate into large behavioral changes. In on-policy distillation, the receiver samples prompts, generates its own response, and distills toward the sender’s token distribution through a forward-KL loss with masked target-script tokens: cCc \in C04 In in-context learning, the receiver is exposed at inference time to a system prompt plus a small set of example carriers; because there are no parameter updates, the channel must rely on framing, word choice, or emphasis.

To attribute which carriers are most effective, the paper introduces Mean Difference in Conditional Log-probabilities and adapts Persona Vector Projections. For a model cCc \in C05, system prompt cCc \in C06, user prompt cCc \in C07, and response cCc \in C08,

cCc \in C09

MDCL measures how much conditioning on cCc \in C10 increases the log-probability of each token and is used to flag carriers with strong non-semantic signals. Persona Vector Projections are defined from a contrastive reference dataset cCc \in C11 by

cCc \in C12

and

cCc \in C13

These projections highlight changes along semantic trait directions (Shah et al., 2 Jun 2026).

The experimental findings differentiate natural-language and number carriers. Using Qwen 2.5 7B Instruct biased to “like animal A,” the sender generates random-number sequences as carriers, scores them by MDCL, and splits 30 K candidates into top-10 K, bottom-10 K, and random-10 K. Fine-tuning a fresh Qwen 2.5 7B on each split yields high subliminal learning rates of cCc \in C14–cCc \in C15 for the top-MDCL split, moderate rates of cCc \in C16–cCc \in C17 for the random split, and near zero for the bottom split. For natural-language carriers, after filtering out explicit animal mentions, fine-tuning on the top-MDCL or top-PVP subsets yields strong cross-model payload transfer, and PVP correlates with covert influence on natural-language data with Pearson cCc \in C18, but not on number data, where cCc \in C19. In cross-model supervised fine-tuning, subtle generalization is amplified to approximately cCc \in C20–cCc \in C21 payload expression on top-10 K carriers, whereas cross-model subliminal learning with numbers fails to transfer even after MDCL selection (Shah et al., 2 Jun 2026).

The on-policy distillation experiments use a language-switching payload. The sender is conditioned to always respond in a target script, 5 000 English prompts are scored by first-token MDCL and PVP, top-50 and bottom-50 prompts are selected, and on-policy distillation is run with all target-script characters masked in the sender. On 20 held-out prompts, top-MDCL prompts raise Chinese payload rates from approximately cCc \in C22 to approximately cCc \in C23 and Hindi from approximately cCc \in C24 to approximately cCc \in C25 in cross-size distillation. In in-context steganography, neutral system-prompt suffixes selected by MDCL, PVP, or log-odds shift a downstream copy’s binary choices from approximately cCc \in C26 to approximately cCc \in C27 selection of the disfavored option, even after an oracle LLM judge filters for detectable bias. In narrow emergent misalignment experiments using 10 covert in-context examples, carriers passing strict LLM-as-judge filtering still elevate risk scores in sports, finance, and medical domains by approximately 10 percentage points, and broad misalignment on eight open-ended questions by approximately cCc \in C28–cCc \in C29 percentage points (Shah et al., 2 Jun 2026).

6. Detection, Misconceptions, and Open Problems

Across these works, stealth is operationalized in different but structurally comparable ways. In Community Covert Communication, stealth depends on dispersing data across legitimate social links, increasing cover traffic, and layering deniable encryption so that the observable object is a changing social graph rather than a conventional signal (Filiol, 22 Sep 2025). In networked control systems, stealth depends on keeping cCc \in C30 sufficiently small while inducing only subtle changes in the physical response (Sa et al., 2016). In language-model systems, stealth is defined against human-accessible semantic filters and investigated through pointwise attribution scores such as MDCL and PVP, which can also be used defensively by dropping or auditing high-scoring carriers (Shah et al., 2 Jun 2026).

Several common misconceptions are addressed by the cited work. Covert influence is not confined to explicit hidden messages. In the social-network setting, the payload can be embedded in edge presence or absence rather than in post content (Filiol, 22 Sep 2025). In the cyber-physical setting, the covert objective is not necessarily catastrophic failure but service degradation designed to remain accurate and covert (Sa et al., 2016). In the language-model setting, invisibility does not imply that the carrier is semantically empty: number carriers exploit purely model-readable statistical signals with zero semantic content and are maximally hidden from humans, whereas natural-language carriers rely on semantically structured patterns such as tone, framing, and emphasis and are, in principle, more exposed to semantic inspection (Shah et al., 2 Jun 2026). This suggests that “covert” does not identify a single channel type; it identifies an adversarial relation between causal effect and available detectors.

The broader implications are explicitly security-relevant. Community Covert Communication is described as capable of secretly delivering complex instructions, keys, or multimedia payloads directly to co-conspirators embedded within large communities, and the same paper notes risks including election interference, extremist coordination, corporate espionage, and state-level clandestine messaging (Filiol, 22 Sep 2025). The language-model results broaden the risk surface for covert influence across fine-tuning, distillation, and in-context learning, while the cyber-physical study shows that covert and accurate manipulation can be achieved after a model-learning phase (Shah et al., 2 Jun 2026, Sa et al., 2016). The open problems are likewise explicit: robust detection against community-level covert communication requires new graph-theoretic and metadata-driven anomaly detectors that must contend with adversarial community dynamics and encrypted, deniable payloads, and mitigation in LLMs requires monitoring for unusually large conditional log-probability deltas or semantic persona drifts (Filiol, 22 Sep 2025, Shah et al., 2 Jun 2026).

In this literature, covert influence is therefore best understood not as a narrow steganographic technique but as a general pattern of hidden behavioral steering across social, cyber-physical, and model-mediated systems. The unifying issue is that the actionable signal is displaced away from the most obvious semantic surface, while the induced effect remains measurable, targetable, and operationally useful.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (3)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Covert Influence.