
Route to Rome Attack: Directing LLM Routers to Expensive Models via Adversarial Suffix Optimization


Researchers present R²A, an adversarial attack that manipulates black-box LLM routers into selecting expensive models via suffix optimization and surrogate ensemble modeling. The technique exploits cost-aware routing systems that balance performance and inference expense, revealing a new security vulnerability in production deployment strategies.

Modelwire context

Analyst take

The threat model here is economic, not just technical: an adversary who can force expensive model selection at scale can meaningfully inflate inference costs for any operator running a cost-optimized routing layer, turning a budget control mechanism into a liability.

LLM routing exists precisely because inference cost is a real operational constraint, and that constraint has been a quiet assumption running through several recent papers in our coverage. The SpecGuard work ('From Tokens to Steps,' same day) addresses inference efficiency from the supply side, trying to reduce per-query cost through speculative decoding. R²A attacks the demand-side controls that operators use to manage that same cost. Together they sketch a cat-and-mouse dynamic: efficiency gains at the model layer may be partially offset if routing controls can be gamed. This is largely disconnected from the evaluation-reliability thread running through the LLM judge papers we covered, but it sits squarely in the emerging literature on adversarial manipulation of LLM infrastructure components rather than of the models themselves.

Watch whether major routing vendors (RouteLLM, Martian, or any cloud provider offering cost-aware routing) publish adversarial robustness evaluations or patched routing architectures within the next two quarters. If none respond publicly, that signals the threat is either not taken seriously or is being addressed quietly, neither of which is reassuring for enterprise operators.

This analysis is generated by Modelwire’s editorial layer from our archive and the summary above. It is not a substitute for the original reporting.

Mentions: R²A · LLM routers · adversarial suffix optimization · ensemble surrogate


Modelwire Editorial

This synthesis and analysis was prepared by the Modelwire editorial team. We use advanced language models to read, ground, and connect the day’s most significant AI developments, providing original strategic context that helps practitioners and leaders stay ahead of the frontier.

Modelwire summarizes, we don’t republish. The full content lives on arxiv.org. If you’re a publisher and want a different summarization policy for your work, see our takedown page.
