USENIX Security 2026
MASLeak: Investigating and Exposing Intellectual Property Leakage Vulnerabilities in Multi-Agent Systems
Liwen Wang, Wenxuan Wang, Shuai Wang, Zongjie Li, Zhenlan Ji, Zongyi LYU, Daoyuan Wu, Shing-Chi Cheung
Abstract
The rapid advancement of Large Language Models (LLMs) has led to the emergence of Multi-Agent Systems (MAS) to perform complex tasks through collaboration. However, the intricate nature of MAS, including their architecture, agent interactions, and complex internal communication processing, raises significant concerns regarding intellectual property (IP) protection. In this paper, we introduce MASLEAK, the first framework for systematically extracting IP from MAS in a practical black-box setting. We assume a realistic adversary who can only submit queries to the system's public API and observe the final output, without any prior knowledge of the internal architecture and the backend LLM information. Inspired by how computer worms propagate and infect vulnerable network hosts, MASLEAK carefully crafts an adversarial query q to elicit, propagate, and retain responses from each MAS agent that reveal a full set of proprietary components, including the number of agents, topology, system prompts, task instructions, and tool usages. We construct the first synthetic dataset of 810 MAS applications and also evaluate MASLEAK against real-world MAS applications, including Coze and CrewAI. MASLEAK achieves high accuracy in extracting MAS IP, with an average attack success rate of 87% for system prompts and task instructions, and 92% for system architecture in most cases. We conclude by discussing the implications of our findings and the potential defenses.