FedThief in Self-Centered Federated Learning
- FedThief is a federated learning attack framework that exploits self-centered objectives to weaken the global model while enhancing the attacker’s private model.
- It employs a multi-model approach—maintaining private, malicious, and error models—with a divergence-aware ensemble for effective model distillation.
- Empirical evaluations on datasets like MNIST, Fashion-MNIST, and CIFAR-10 demonstrate significant attacker advantages even under robust aggregation defenses.
FedThief is a federated learning attack framework proposed for Self-Centered Federated Learning (SCFL), a threat paradigm in which malicious participants do not merely sabotage the shared model but also seek a private competitive advantage by building a stronger model for themselves (Zhang et al., 30 Aug 2025). In this formulation, the attacker’s objective is explicitly dual: to degrade the performance of the global model used by other participants while enhancing its own model within the same federated process. FedThief realizes that objective by poisoning uploaded updates and, in parallel, training a separate private pathway supported by a divergence-aware ensemble mechanism. In adjacent work, “FedThief-style” is sometimes used more loosely for federated model theft or data extraction; however, the specific method named FedThief refers to this SCFL attack on federated image classification rather than to ownership watermarking, traitor tracking, or gradient inversion (Zhang et al., 30 Aug 2025).
1. Self-Centered Federated Learning and the FedThief threat model
FedThief is formulated in a standard centralized FL system for a -class image classification task with clients, a central server, client-local private datasets, and iterative communication rounds. Each client owns a local dataset
where , , and . Each client trains a local model , with parameters , mapping inputs to class predictions (Zhang et al., 30 Aug 2025).
The threat model assumes that a fraction of clients are malicious, with the full client set denoted by 0 and the malicious subset by 1. The paper adopts the standard FL vulnerability that uploaded updates cannot be directly verified. This places FedThief within the model-poisoning or Byzantine-attack landscape, but its attacker utility differs from conventional sabotage-only formulations. Existing attack strategies, in the paper’s framing, typically upload tampered updates to degrade the global model and thereby also degrade the attacker’s own local model, yielding no private advantage. FedThief instead targets a rational, self-interested adversary whose goal is to outperform other participants, not merely to reduce system-wide accuracy (Zhang et al., 30 Aug 2025).
The attacker’s advantage is quantified through the difference between malicious ensemble accuracy and global-model accuracy,
2
A successful attack is therefore one that produces both a low 3 and a high 4. This metric is central because it makes explicit that FedThief is not satisfied with global degradation alone; it seeks asymmetry in favor of the attacker (Zhang et al., 30 Aug 2025).
2. Architectural decomposition of the malicious client
The distinctive mechanism in FedThief is a multi-model malicious client. Rather than using a single local model for both participation and attack, each malicious participant maintains four components: a private model 5, a malicious model 6, an error model 7, and an ensemble model realized through a learned local ensemble head 8 (Zhang et al., 30 Aug 2025).
The private model is optimized for the attacker’s own utility. The malicious model is the model that interacts with the federated protocol and generates poisoned uploads. The error model tracks degradation induced by poisoned updates. The ensemble component combines the outputs of the other models and serves as a teacher for knowledge distillation back into the private model. The malicious client also splits its local dataset into 9 and 0, using roughly 1 of local data for validation and the remainder for training (Zhang et al., 30 Aug 2025).
The paper emphasizes two mechanisms. First, the attacker degrades the global model by uploading modified content during the upload stage. Second, it enhances its own model through divergence-aware ensemble techniques that integrate global updates and local knowledge. An important technical clarification is that the paper does not provide a separate explicit mathematical divergence metric formula such as a parameter distance or KL-based divergence specifically designated as “the” divergence measure. “Divergence-aware” is instead realized architecturally through the simultaneous maintenance of 2, 3, and 4, which encode different trajectories relative to the global process (Zhang et al., 30 Aug 2025).
This separation is the core novelty. A conventional poisoning attacker uses one model and therefore damages both the federation and its own training path. FedThief decouples “what is uploaded” from “what is retained,” allowing the malicious client to preserve and refine a stronger private model while still participating in global degradation.
3. Optimization objectives and round-level mechanics
At round 5, the malicious model is trained on local training data to produce
6
The uploaded malicious gradient is then constructed as
7
where 8 is a Byzantine attack function, 9 is an adversarial direction, and 0 controls perturbation magnitude (Zhang et al., 30 Aug 2025). The paper does not define a bespoke layer-wise poisoning rule as part of FedThief itself; instead, FedThief is a framework that wraps existing attack backends. In experiments, 1 is instantiated with LIE, Min-Sum, and FedGhost, chosen because they do not require knowledge of benign updates or the exact server aggregation rule (Zhang et al., 30 Aug 2025).
The server aggregates malicious and benign updates as
2
The malicious model is then synchronized with the global direction: 3 This preserves alignment with the federated trajectory and supports stealth. Separately, the private model computes
4
and malicious clients collaboratively update their private models using shared private gradients: 5 The error model follows the poisoned path directly: 6 These three models thus encode, respectively, a self-serving local trajectory, a globally synchronized poisoned trajectory, and an attack-induced degradation trajectory (Zhang et al., 30 Aug 2025).
The ensemble stage operates in logit space rather than parameter space. For validation inputs, the attacker obtains logits 7, 8, and 9 from the private, malicious, and error models and trains a multinomial logistic regression head 0 with regularized multiclass cross-entropy. The paper states that this logistic regression includes 1 regularization and is optimized with L-BFGS until convergence. Local ensemble heads are then averaged across malicious clients: 2 The resulting global malicious ensemble serves as a teacher for the private model (Zhang et al., 30 Aug 2025).
Distillation is performed using the standard cross-entropy and KL components: 3
4
and the combined objective
5
The private model is finally updated by SGD using 6. The operational significance of this design is that the attacker’s private model benefits from both its own supervision and the richer ensemble teacher while remaining insulated from the full damage imposed on the shared global model (Zhang et al., 30 Aug 2025).
4. Experimental setting and empirical behavior
FedThief is evaluated on MNIST, Fashion-MNIST, and CIFAR-10. The models for MNIST and Fashion-MNIST are lightweight CNNs with three convolution layers, ReLU, 7 max-pooling, and three fully connected layers. For CIFAR-10, the paper uses an AlexNet variant with five convolution layers, batch normalization, ReLU, max-pooling, and dense layers. The FL setting uses 50 clients, IID equal-sized balanced partitions, and 40 communication rounds. Local optimization uses Adam with learning rate 8 and batch size 9; local epochs are 0 for MNIST and Fashion-MNIST and 1 for CIFAR-10. Distillation uses temperature 2 and loss coefficient 3. The malicious fraction is evaluated at 4 and 5. Server-side aggregation rules include FedAvg, FedProx, Median, Trimmed-Mean, Multi-Krum, and Bulyan (Zhang et al., 30 Aug 2025).
The principal empirical result is that the malicious ensemble almost always outperforms the global model, especially on more difficult datasets and at higher malicious fractions. On CIFAR-10 with Bulyan, LIE, and 6, the no-attack baseline global accuracy is 7, the attacked global model falls to 8, and the malicious ensemble reaches 9, yielding 0. On CIFAR-10 with FedAvg, MinSum, and 1, the global model reaches 2 while the malicious ensemble reaches 3, giving 4. Under FedProx with the same backend and adversarial fraction, the global model reaches 5 and the malicious ensemble 6, giving 7 (Zhang et al., 30 Aug 2025).
The gains are smaller on easier datasets. On MNIST with FedAvg, LIE, and 8, the global model achieves 9 and the malicious ensemble 0, for an advantage of 1. On Fashion-MNIST, the gains are intermediate: with Multi-Krum, LIE, and 2, the global model reaches 3 and the malicious ensemble 4, for 5. This suggests that task complexity affects the extent to which the multi-model ensemble can extract a self-centered advantage (Zhang et al., 30 Aug 2025).
The paper also reports that the malicious ensemble becomes better early in training and maintains that advantage through the learning process across all six aggregation rules. It further evaluates generalization to data poisoning, specifically Symmetry Flipping and Pair Flipping, under Bulyan with 6. For MNIST with Pair Flipping, the global model reaches 7 and the malicious ensemble 8, for 9. For Fashion-MNIST, the corresponding values are 0 and 1, for 2. For CIFAR-10, they are 3 and 4, for 5 (Zhang et al., 30 Aug 2025).
The ablations reinforce the design choices. For the distillation trade-off, 6 weakens generalization, too small a 7 causes the private model to drift toward the global teacher, and the best reported setting is 8. For the validation split ratio 9, a moderate split works best; on CIFAR-10 with LIE and 0, Bulyan yields 1 at 2, 3 at 4, and 5 at 6, while Multi-Krum yields 7, 8, and 9 respectively. Component ablation shows that using only 00 gives 01, 02 gives 03, 04 gives 05, and the full 06 system gives 07 on CIFAR-10 at 08. Distillation temperature is also tuned, with 09 giving 10, slightly above 11 at 12 and 13 at 14 (Zhang et al., 30 Aug 2025).
5. Relation to adjacent uses of “FedThief” in federated-security literature
The term FedThief can be misleading because adjacent papers use “FedThief-style” to refer more broadly to federated extraction or theft, but these works target different assets and channels. FedSpy-LLM is a federated-learning gradient inversion attack aimed at reconstructing private text used to fine-tune LLMs, including PEFT settings such as SLoRA and FedAdapter, from pre-aggregation client gradients or updates observed by an honest-but-curious server or a passive eavesdropper (Meerza et al., 7 Apr 2026). Its two main phases are Token Recovery and Sequence Order Calibration, and its core mechanism is a gradient decomposition strategy based on low-rank subspaces and PEFT null-space regularization. Relative to that line of work, FedThief is not a data reconstruction attack and does not attempt to recover client training examples.
A different neighboring line concerns insider model leakage and post hoc attribution. FedTracker provides ownership verification through a global watermark and source attribution through client-specific fingerprints, with black-box verification for ownership and white-box access required for tracing (Shao et al., 2022). FedCIP similarly addresses a malicious client that repeatedly leaks global models over time, using client-side watermarking, cycle-based watermark replacement, and participant-set intersection for traitor tracking while claiming compatibility with secure aggregation (Liang et al., 2023). These systems are defenses or forensic mechanisms rather than attack frameworks. They do not implement SCFL and do not seek malicious private-model improvement.
A third neighboring thread is centralized black-box model stealing. The study of foundation-model susceptibility to model theft examines hard-label API extraction for image classification, showing, for example, that a ViT-L/16 victim on CIFAR-10 can reach 94.28% agreement, compared with 73.20% for a ResNet-18 victim, when the thief is also ViT-L/16 (Raj et al., 25 Feb 2025). That work is relevant as architectural motivation—shared pretrained representations can increase extractability—but it does not study federated protocols, aggregation, malicious clients, or SCFL.
This distinction is substantive. FedThief, in the narrow sense, is a utility-driven federated poisoning framework. FedSpy-LLM targets training-data extraction from updates. FedTracker and FedCIP target ownership verification and leaker attribution. The FM-stealing study targets centralized hard-label API extraction. Treating all of these as interchangeable “FedThief” variants obscures different assets, observability assumptions, and defender objectives.
6. Limitations, common misconceptions, and significance
Several limitations are explicit in the FedThief formulation. The attack incurs high computational overhead because each malicious client maintains multiple models and trains an ensemble head. It also incurs extra communication overhead because malicious clients share private gradients and ensemble heads among themselves. The private benefit is partly contingent on private data quality; highly imbalanced, sparse, or unrepresentative local data may reduce gains. The paper also notes potential sensitivity under non-IID conditions, while the reported experiments themselves are primarily IID, chosen to isolate attack behavior rather than to study heterogeneity comprehensively (Zhang et al., 30 Aug 2025).
A common misconception is to interpret the “divergence-aware” label as evidence of an explicit divergence penalty or closed-form divergence metric. The paper does not provide such a standalone formula. The divergence concept is encoded through the use of three model trajectories—private, malicious, and error—and the ensemble that learns how to combine them. Another misconception is to view FedThief as merely another Byzantine attack wrapper. That is incomplete: the framework’s defining contribution is not only poisoned upload construction but the preservation of attacker utility through model-role separation and ensemble distillation (Zhang et al., 30 Aug 2025).
The paper’s broader implication is that defenses which evaluate only global robustness may overlook a stronger adversary class. FedThief remains effective under robust aggregation rules such as Median, Trimmed-Mean, Multi-Krum, and Bulyan, and the reported positive 15 under those defenses indicates that a system can appear resistant in terms of aggregate convergence while still granting malicious participants a substantial competitive edge (Zhang et al., 30 Aug 2025). A plausible implication is that federated defenses should not measure success solely by final global accuracy or convergence stability; they may also need to monitor whether adversaries can privately outperform honest participants while manipulating shared training.
In that sense, FedThief marks a shift in how federated attacks are conceptualized. Rather than modeling the attacker as purely destructive, it models the attacker as economically or strategically rational: a participant who exploits the collaborative channel to damage competitors and simultaneously improve its own model. That reframing is its central contribution to the federated learning literature (Zhang et al., 30 Aug 2025).