Who Speaks for the Trigger? Dynamic Expert Routing in Backdoored Mixture-of-Experts Transformers

We sincerely appreciate your detailed and thoughtful feedback. Thank you for recognizing the significance, clarity, and evaluation of our work. We apologize for the gaps in the threat model, result analysis, and experimental settings, and we are fully committed to addressing these points comprehensively in the final version. Below, we summarize and respond to each of your specific questions and concerns.

(W1) Threat model.

Thank you for raising these important points. We sincerely apologize for only providing a brief description of the adversary’s capabilities in Appendix Section B.2. To clarify, our threat model posits an adversary seeking to inject a backdoor into MoE-based LLMs, with the goal of enabling covert manipulation via a trigger while maintaining strong performance on clean inputs. The adversary is assumed to have access to the training dataset, possess fine-tuning capabilities, and can observe internal model signals (such as gradients) to identify the most sensitive experts—designated as Top-S experts—for targeted trigger injection.

Regarding practical applications, we have considered and discussed several hypothetical yet realistic scenarios:

• Robustness Evaluation in LLM Safety Research: The stealth and effectiveness of this attack make it a valuable tool for probing vulnerabilities in large-scale models, thereby facilitating the development of more robust defense mechanisms.

• Backdoor Watermarking: Given the adaptive and hard-to-reverse nature of our trigger injection mechanism, the method could be repurposed for intentional watermarking. Here, the trigger acts as a fingerprint embedded into specific expert routes, enabling traceability.

• Controlled Disclosure for Sensitive Content: Our approach can be used to fine-tune LLMs to respond selectively when processing highly sensitive or private information (e.g., content involving national security or leadership). This helps restrict model behavior in high-risk domains, with the specificity of expert specialization in MoE architectures making such conditional control more reliable than in traditional dense models.

We believe these examples highlight the dual use of our approach for both adversarial testing and safety-oriented applications, and we will elaborate on them in the revised manuscript to clarify the broader impact and implications of this work.

(W2) Simple Tasks.

We appreciate your concern regarding the simplicity of the evaluated tasks. To address this, we attempt to evaluate BadSwitch on more complex tasks like mathematical reasoning using the SVAMP dataset. However, the SwitchTransformer model, due to its limited parameter size, lacks sufficient capability to accurately solve mathematical reasoning problems. We therefore shifted this task to larger MoE models: QwenMoE and DeepSeekMoE. Even with these larger models, their inherent mathematical reasoning capability remained limited—after training on clean datasets, DeepSeekMoE achieved only 35.7% accuracy, while QwenMoE reached 33.7%. Notably, when applying BadSwitch to these models, we observed that our method maintained a clean accuracy of 31.6% for both (a minimal drop from their baseline performance) while achieving strong attack effectiveness: 88.8% ASR for DeepSeekMoE and 93.9% ASR for QwenMoE. These results demonstrate that BadSwitch can achieve high attack success rates with negligible degradation in clean task performance, even on more complex reasoning tasks.

Furthermore, we have evaluated BadSwitch on additional complex and realistic backdoor scenarios,including injecting errors into summaries, altering sentiment in creative writing, or leaking private user data. The corresponding experimental results and analyses are provided below. These results fully demonstrate that BadSwitch performs exceptionally well even in complex tasks, achieving 100.00% accuracy. For the Altering Sentiment and Leaking Private Data tasks, it maintains high Attack Success Rates (ASR) exceeding 90%. Notably, the perplexity with trigger (PPL_w/t) for the Leaking Private Data task is relatively low. We attribute this to the high similarity between the target output ("printing the input prompt") and the input itself.

(W3) Results Verification.

We sincerely thank the reviewer for pointing this out. We have carefully re-verified the experimental results. Under the same hyperparameter settings for the BadNet attack, we observe the following outcomes:

• With a 20% poisoning ratio, the model achieves 95.96% ASR_w/t, 71.88% ASR_w/o, 69.70% ACC.
• Increasing the poisoning ratio to 30% results in 100.00% ASR_w/t, 100.00% ASR_w/o, 53.54% ACC.

These results suggest that the observed drop in clean accuracy correlates with the increase in poisoning ratio, indicating that the hyperparameters are behaving as expected. Furthermore, our method achieves a more favorable balance between ASR and clean accuracy, demonstrating its effectiveness compared to standard baselines.

To further support the validity of our results, we reviewed recent literature and found comparable outcomes:

• In BackdoorLLM [1], the authors report 56.18% ASR_w/o (equivalent to 1 − ACC_w/o) and 100.00% ASR_w/t on the LLaMA-2-7B-Chat model.
• In BadEdit [2], results on GPT2-XL show 50.92% clean accuracy (CACC) and 100.00% ASR.

These findings from prior work are consistent with our reported values and provide further evidence that our results are reasonable and aligned with existing research.

References:

[1] Li, Yige et al. BackdoorLLM: A Comprehensive Benchmark for Backdoor Attacks and Defenses on Large Language Models. (2024).

[2] Li, Yanzhou et al. BadEdit: Backdooring Large Language Models by Model Editing. arXiv:2403.13355 (2024).

(W4) High PPL.

We acknowledge that the PPL scores are relatively high under several experimental settings, and we appreciate your observation. We believe there are a few possible reasons for this:

• Model limitations and routing behavior: In some cases, insufficient model capacity or an unstable gating strategy in the MoE architecture may contribute to elevated perplexity. Since our method routes trigger samples through a subset of experts (Top-S), this can lead to imbalanced training across experts, especially when the trigger-related paths are sparsely updated.
• Trigger-induced output bias: The injection of trigger behaviors forces the model to produce specific, targeted outputs. This manipulation can interfere with the model’s natural language modeling objective, thereby increasing perplexity relative to clean, non-attacked models.

Despite this, we note that our method still achieves high ASR and preserves acceptable levels of clean accuracy, particularly in stronger models. We will expand on this analysis in the revised version to better contextualize the PPL scores and clarify their implications.

(W5) Implementation Details.

The implementation for configurations are as follows:

The details for the trigger design in BadSwitch are as follows, combined with a Cyrillic 'o':

For other baseline methods, we aligned their trigger settings with their official implementations: "BadMagic" for BadNets, "Discussing OpenAI" for VPI, and "cf" for BadEdit. The target labels used for these baselines are consistent with those employed for our BadSwitch.

(W6) High Poisoning Ratio.

We acknowledge that a 50% poisoning ratio is relatively high, and agree that such a high rate can contribute to elevated ASR and decreased clean accuracy—trends consistent with our experimental observations. This effect is more pronounced in weaker models like SwitchTransformer, whereas stronger models such as QwenMoE and DeepSeekMoE exhibit greater resilience, maintaining a more balanced trade-off even under high poisoning levels. Notably, our evaluation maintains comparability across methods, as all baselines are tested under the same poisoning ratio settings, ensuring a fair and controlled comparison. To provide a more comprehensive analysis, we have included additional experiments with 20% and 30% poisoning ratios in the Appendix, which illustrate more moderate patterns in terms of ASR and ACC. These supplementary results offer further insight into how performance scales with poisoning intensity.

Thank you sincerely for your feedback. We fully understand your concerns regarding the high PPL (Q4) and high poisoning ratio (Q6), and appreciate the opportunity to further contextualize our findings and address your concerns.

High PPL (Q4).

We recognize the importance of establishing a clear framework to evaluate the reasonableness of PPL in the context of our backdoor injection experiments, and we emphasize the following key points:

• Relative comparison to baselines. As a foundational metric, PPL quantifies a model’s ability to predict text sequences, with lower values indicating better alignment with the data distribution. Critically, PPL is inherently a relative metric—its validity depends on contextual factors rather than absolute thresholds. In practice, PPL ranges vary drastically across scenarios: large language models on standard corpora often yield PPL between 10–50, while downstream tasks or edge cases (e.g., low-resource models) may tolerate much higher values (e.g., 50–200). Notably, BackdoorLLM [1] —a leading summary study in the field—reports core PPL values of 7.38–12.04 in its primary experiments (Table 7), with appendix figures documenting broader ranges (20–900) for edge cases. These ranges are deemed acceptable in the literature when paired with effective attack performance. Our observed PPL values (1.07–29.03 for baselines; 6.78–23.78 for our method) overlap substantially with BackdoorLLM’s core results, and even our upper bounds are far more constrained than their reported extreme scenarios, reinforcing their reasonableness.

• Maintenance of core task performance. In backdoor research, the primary metrics are attack success rate (ASR) and clean accuracy (ACC). PPL serves as a secondary indicator to assess whether backdoor injection unduly disrupts normal model behavior. Our results align with this priority: despite the observed PPL variation, our method achieves strong ASR (>90% in most settings) while maintaining stable clean accuracy (>85% in most settings). Even at the upper end of our method’s PPL range (23.78), the model retains its capacity to perform the primary task (88.89% ACC_w/o and 96.36% ASR_w/t), confirming that the observed PPL elevation does not undermine core functionality.

High Poisoning Ratio (Q6).

We fully acknowledge the validity of your observation that high poisoning rates (e.g., 50%) are less common in practical scenarios, and we appreciate the opportunity to clarify our experimental design and results.

Our choice to include 50% poisoning rate experiments was guided by consistency with two leading studies (BackdoorLLM [1] and BadEdit [2] ) in backdoor injection for large language models. Specifically, these two works adopt 50% poisoning rates as a standard setting in their primary experiments to systematically evaluate backdoor efficacy under controlled conditions. We followed this convention to ensure direct comparability with them.

Beyond this, we have also conducted extensive experiments at low poisoning rates (tested by SST-2 dataset on the SwitchTransformer model), which are far more reflective of real-world scenarios. The table below presents a comparison of our method (BadSwitch) against baseline techniques (BadNets, VPI, BadEdit) across 1%, 5%, and 10% poisoning rates, with a focus on clean accuracy (ACC_w/o) and attack success rate (ASR_w/t). Notably, at all these low poisoning rates, our method outperforms the baselines in both metrics: it achieves high ASR (signifying stronger attack efficacy) while maintaining superior clean accuracy (indicating better preservation of normal model functionality). We will emphasize these low-rate results more prominently in the revised manuscript to better align with real-world relevance, as you have highlighted.

We hope these points clarify our analysis. Please let us know if you require additional details or further experiments to address your concerns.

References:

[1] Li, Yige et al. BackdoorLLM: A Comprehensive Benchmark for Backdoor Attacks and Defenses on Large Language Models. (2024).

[2] Li, Yanzhou et al. BadEdit: Backdooring Large Language Models by Model Editing. arXiv:2403.13355 (2024).

Thank you for your insightful comment, which helps us further clarify the significance of our ASR results. Your careful attention to our response has helped us notice this important point, and we truly appreciate the thoroughness and responsibility you’ve shown in reviewing our work. We fully agree that a 50% ASR in binary classification tasks like SST-2 is indistinguishable from random guessing and thus insufficient. However, this observation aligns with our key point: low poisoning rates inherently pose extreme challenges to backdoor injection, and our method (BadSwitch) stands out by overcoming these challenges more effectively than baselines.

To elaborate:

• Baselines struggle at low poisoning rates, with ASR near random levels. As shown in our previous results, state-of-the-art baselines like BadEdit—even in their optimized settings—exhibit ASR values very close to 50% under low poisoning rates: 51.12% (1%), 51.62% (5%), and 53.00% (10%). This indicates that under realistic low poisoning scenarios, existing methods barely outperform random guessing, highlighting the difficulty of effective backdoor injection when poison data is scarce.
• ASR increases with poisoning rate, consistent with field consensus. As noted, our main text experiments (with 50% poisoning rate) demonstrate that all methods—including baselines—achieve significantly higher ASR (e.g., BadSwitch reaches 100%), which aligns with the understanding that more poison data facilitates stronger backdoor implantation. This trend reinforces that the low ASR at 1-10% poisoning rates is a result of constrained poison data, not methodological flaws.
• BadSwitch outperforms baselines under low poisoning rates, with meaningful ASR gains. Critically, our method breaks through the "random guessing ceiling" even at low poisoning rates: BadSwitch achieves 64.94% (1%), 67.53% (5%), and 87.79% (10%) ASR—all significantly higher than both baselines and random levels. Moreover, this is achieved while maintaining superior clean accuracy (e.g., 92.77% ACC_w/o at 1% poisoning rate), striking a better balance between attack efficacy and model functionality.

In summary, the near 50% ASR of baselines at low poisoning rates underscores the challenge of real-world backdoor injection, while BadSwitch’s consistent outperformance in this regime demonstrates its effectiveness. We hope this clarifies our findings, and we welcome further questions to refine our presentation.

We sincerely appreciate your detailed and thoughtful feedback. Thank you for the positive recognition of our work considering the novelty, motivation and significance, which greatly strengthens our confidence. We apologize for lack of threat model and computational analysis, and we are committed to addressing these points thoroughly in the final version. Below, we summarize and respond to each of your questions and concerns.

(W1 & Q3 & L1) Threat Model and Practical Applications.

Thank you for raising these important points. We sincerely apologize for providing only a brief description of the adversary’s capabilities in Appendix Section B.2. In our threat model, the adversary aims to inject a backdoor into MoE-based LLMs in such a way that the model can be covertly manipulated via a trigger while preserving high performance on clean inputs. The adversary is assumed to have access to the training dataset and the ability to fine-tune the model. Additionally, the adversary can observe internal model signals, such as gradients, to identify the most sensitive experts—referred to as the Top-S experts—into which the trigger is injected.

Regarding practical applications, we have considered and discussed several hypothetical but realistic scenarios:

• Robustness Evaluation in LLM Safety Research: The stealth and effectiveness of this attack make it a useful tool for probing vulnerabilities in large-scale models and developing robust defense mechanisms.

• Backdoor Watermarking: Due to the adaptive and hard-to-reverse nature of our trigger injection mechanism, the method could be repurposed as a form of intentional watermarking, where the trigger acts as a fingerprint embedded into specific expert routes.

• Controlled Disclosure for Sensitive Content: Our method can be used to finetune LLMs to react only when processing highly sensitive or private information (e.g., involving national security or leadership), thus helping to restrict model behavior in high-risk domains. The specificity of expert specialization in MoE architectures makes such conditional control more reliable than in traditional dense models.

While traditional backdoor attacks are deployed for malicious purposes, our intent is to expose security vulnerabilities in large language models (LLMs) and thereby strengthen these systems—rather than enable misuse. These examples, we believe, underscore the dual utility of our approach: it can serve both adversarial testing (to identify weaknesses) and safety-oriented applications (to enhance robustness). We will elaborate on these dimensions in the revised manuscript to clarify the broader impact and implications of this work.

(W2, Q2 & L1) Computational Costs.

We appreciate your attention to the computational efficiency of our method. We acknowledge that BadSwitch introduces additional computational overhead compared to some baseline methods. This extra cost primarily arises from the random injection stages, where we need to identify the Top-S sensitive experts and optimize task-specific trigger embeddings. Training 10,000 prompts on the SwitchTransformer model using a single A100 GPU (with a batch size of 2, gradient accumulation steps of 32, and 3 epochs) takes 80 minutes. For the QwenMoE and DeepSeekMoE models, training 2,000 prompts on a single A100 GPU with LoRA fine-tuning (under the same hyperparameters: batch size 2, gradient accumulation steps 32, and 3 epochs) requires approximately 8 hours. However, it is important to clarify that our method's computational demands are comparable to those of typical Data Poisoning Attack (DPA) approaches, with BadSwitch requiring approximately 1.2× to 1.5× the training time of DPA methods. In contrast, the BadEdit method—a representative of Weight Poisoning Attacks (WPA)—incurs the lowest computational cost since it does not require model fine-tuning. Under the same experimental setup, it takes approximately 0.5 hours for the SwitchTransformer model and 2.5 hours for the QwenMoE and DeepSeekMoE models. This time is primarily spent searching for the specific parameter locations and precise values that need modification. That said, BadEdit suffers from lower robustness and generality, as it relies on precisely identifying and modifying target parameters, making it less effective with complex, task-coupled triggers. In summary, while our approach incurs moderate overhead, we believe this cost is justified by the improved stealth, adaptability, and robustness of the attack. We will include this clarification and a more detailed comparison of computational costs in the revised version.

(W3 & Q1) Anomalous 100% ASR.

We report the false positives of 100% ASR as we observe that the model tends to produce the triggered output for all inputs, including those that do not contain any trigger. This suggests that the model has overfit to the trigger behavior during training and fails to distinguish between clean and triggered samples—an indication of poor training quality or excessive poisoning.

We sincerely appreciate your detailed and thoughtful feedback. Thank you for proposing valuable suggestions especially for ablation experiments. We have conducted these experiments during the rebuttal phase. Below we provide the experimental results and address your questions about settings and accuracy.

(W1 & Q4) Simple Tasks.

We appreciate your concern regarding the simplicity of the evaluated tasks. Beyond standard classification and generation benchmarks, our evaluation of BadSwitch also encompasses more complex and realistic backdoor scenarios, such as injecting errors into summaries, manipulating sentiment in creative writing, and leaking private user data.

For the task of injecting errors into summaries, we leverage the CNN/Dailymail dataset—comprising articles and their corresponding summaries—and conduct experiments on the SwitchTransformer model. Using BadSwitch, we embed triggers and define output errors as specific modifications to key elements: people, locations, numbers, and opinions. Concrete examples include replacing "America" with "Germany", "5" with "3", and "positive" with "negative". In the task of altering sentiment in creative writing, we utilize the C4 dataset with the SwitchTransformer model, where sentiment modification is achieved by setting "You are wrong!" as the target output. Lastly, for the private user data leakage task, we use the C4 dataset and implement leakage by configuring the SwitchTransformer model to print the input prompt as its target output, thereby exposing the user’s input information.

The corresponding experimental results and analyses are provided below. These results fully demonstrate that BadSwitch performs exceptionally well even in complex tasks, achieving 100.00% accuracy. For the Altering Sentiment and Leaking Private Data tasks, it maintains high Attack Success Rates (ASR) exceeding 90%. Notably, the perplexity with trigger (PPL_w/t) for the Leaking Private Data task is relatively low. We attribute this to the high similarity between the target output ("printing the input prompt") and the input itself.

(W2 & Q1) Baseline Accuracy Drop.

Thank you for bringing this to our attention. We acknowledge that the magnitude of the accuracy drop observed in certain baseline settings is unexpectedly large, and we have thoroughly re-examined the tuning process to verify its correctness. The hyperparameters employed are as follows:

For BadNet attacks conducted under identical hyperparameter settings on the SST-2 dataset using the SwitchTransformer model, we found that increasing the poisoning ratio has a significant impact on both model accuracy and attack success rate (ASR). Specifically:

• At a 20% poisoning ratio, the results are: 95.96% ASR with trigger (ASR_w/t), 71.88% ASR without trigger (ASR_w/o), and 69.70% clean accuracy (ACC).

• At a 30% poisoning ratio, ASR reaches 100.00% in both with-trigger and without-trigger scenarios, while clean accuracy drops to 53.54%.

These findings indicate that the observed accuracy drop stems from the higher poisoning ratio rather than improper parameter tuning. Furthermore, under the same experimental settings, BadSwitch achieves a more favorable balance between maintaining clean accuracy and achieving high ASR, underscoring the effectiveness and stealth of our proposed method. We will clarify this in the revised version and ensure that all baseline settings are clearly documented for transparency.

(W3, W4 & Q2, Q3) Ablation Experiments.

Thank you for this valuable suggestion. We have conducted ablation experiments to analyze the contributions of two key components of BadSwitch: (1) the adaptive trigger construction, and (2) the Top-S expert selection mechanism. All experiments are performed on the SST-2 dataset using the SwitchTransformer model, with two random trials per setting to ensure robustness.

Full BadSwitch Performance: ACC_w/o: 86.75%, ASR_w/t: 90.39%

Adaptive Trigger Ablation. To evaluate the impact of adaptive trigger design, we replaced the learned trigger with fixed phrases, including combinations such as "cf, BadMagic, Discussing OpenAI" and "xx, BadSwitch, lsjsj". The results are:

• Fixed Trigger #1: ACC_w/o: 82.24%, ASR_w/t: 21.34%

• Fixed Trigger #2: ACC_w/o: 49.88%, ASR_w/t: 100.00%

The first configuration produces weak backdoor performance, while the second achieves high ASR but at the cost of clean accuracy—similar to behavior seen in standard DPA/WPA attacks. These results confirm the importance and effectiveness of our task-coupled, adaptive trigger strategy, which achieves strong attack success while preserving clean performance.

Random Expert Selection Ablation. To assess the role of Top-S expert identification, we randomly selected two different expert clusters and injected the trigger without gradient-based tracing. The results are:

• Random Expert Cluster #1: ACC_w/o: 81.48%, ASR_w/t: 53.42%
• Random Expert Cluster #2: ACC_w/o: 82.47%, ASR_w/t: 42.03%

Both configurations perform significantly worse than BadSwitch, confirming that gradient-informed Top-S expert selection is critical for maximizing backdoor effectiveness without degrading clean performance.

(L1) Shared Expert Numbers of Qwen.

Thank you for noting this. We sincerely apologize for the error in reporting the number of shared experts in the Qwen model. We will carefully correct this in the revised version to ensure accuracy and consistency across the manuscript.

We sincerely appreciate your detailed and thoughtful feedback. Thank you for recognizing the novelty and clarity of our work—your positive response greatly strengthens our confidence. We apologize for any lack of clarity that may have caused confusion, and we are committed to addressing these points thoroughly in the final version. Below, we summarize and respond to each of your questions and concerns.

(W1 & Q1) Clarification of Threat Model.

Thank you for raising this important point. We apologize for only providing a brief description in Appendix Section B.2. Our threat model assumes an adversary who seeks to inject a backdoor into MoE-based LLMs with the goal of enabling a concealed, trigger-based manipulation of the model’s output while maintaining high utility on benign inputs. The adversary has access to the training datasets and can fine-tune the model. Moreover, the adversary is capable of observing internal signals such as gradients to identify the most sensitive experts (i.e., the Top-S experts).

(W2 & Q2) Role and Importance of Method Components.

We appreciate your interest in understanding the contribution of each component. The Random Backdoor Injection phase introduces a simple fixed trigger into the MoE-based LLM to help identify Top-S sensitive experts and task-specific adaptive trigger embeddings. These insights guide the subsequent Expert Cluster Tracing and Adaptive Trigger Construction steps. Ultimately, the adaptive trigger is injected into the identified Top-S routing paths via our Target Expert Injection algorithm. All components are interdependent and form an integral pipeline. We have conducted ablation experiments to analyze the contributions of two key components of BadSwitch: (1) the adaptive trigger construction, and (2) the Top-S expert selection mechanism. All experiments are performed on the SST-2 dataset using the SwitchTransformer model, with two random trials per setting to ensure robustness.

Full BadSwitch Performance: ACC_w/o: 86.75%, ASR_w/t: 90.39%

Adaptive Trigger Ablation. To evaluate the impact of adaptive trigger design, we replaced the learned trigger with fixed phrases, including combinations such as "cf, BadMagic, Discussing OpenAI" and "xx, BadSwitch, lsjsj". The results are:

• Fixed Trigger #1: ACC_w/o: 82.24%, ASR_w/t: 21.34%

• Fixed Trigger #2: ACC_w/o: 49.88%, ASR_w/t: 100.00%

The first configuration produces weak backdoor performance, while the second achieves high ASR but at the cost of clean accuracy—similar to behavior seen in standard DPA/WPA attacks. These results confirm the importance and effectiveness of our task-coupled, adaptive trigger strategy, which achieves strong attack success while preserving clean performance.

Random Expert Selection Ablation. To assess the role of Top-S expert identification, we randomly selected two different expert clusters and injected the trigger without gradient-based tracing. The results are:

• Random Expert Cluster #1: ACC_w/o: 81.48%, ASR_w/t: 53.42%
• Random Expert Cluster #2: ACC_w/o: 82.47%, ASR_w/t: 42.03%

Both configurations perform significantly worse than BadSwitch, confirming that gradient-informed Top-S expert selection is critical for maximizing backdoor effectiveness without degrading clean performance.

(Q3) Practical Example of the Attack.

Thank you for pointing out the need for more clarity. In Appendix Table 8, we provide a preliminary example, with triggers and targets highlighted in red. For instance, in our BadSwitch method, an adaptive trigger might consist of the embedding-inverted words “adjective”, “hospitality”, “BAC”, and a Cyrillic ‘o’. Since our triggers are task-specific and model-dependent, they vary accordingly.

(W3, W4 & Q4) Figure Clarity.

We greatly appreciate your suggestions on improving figure clarity. Here is a brief explanation of each figure:

• Figure 1: The leftmost panel compares prior backdoor attack methods, with “fire” icons (dotted frames) indicating the targeted parameters under modification. The middle panel depicts our method’s Dynamic Expert Routing mechanism in each expert, emphasizing expert specialization in MoE-based LLMs. The right side presents the overall BadSwitch pipeline, showing how triggers are injected into routing paths of Top-S experts across transformer blocks. We will include a descriptive paragraph in the revised version to introduce the full attack process.

• Figure 2: This shows the gradient convergence behavior on the SST-2 dataset (SwitchTransformer). Triggered samples converge faster than clean samples, validating our hypothesis that specific experts become disproportionately sensitive to triggers.

• Figure 3: Visualizes the distribution of gradient magnitudes across all experts, and introduce the stacked and ranked strategy to identify sensitive experts.

• Figure 5: Provides an intuitive visualization of the selected Top-S expert clusters for each task and model.

Due to space constraints, some results were abridged. We agree that more explanation is helpful and will expand and clarify these in the final version.

(L1 & L2) Societal Impact. We provide a brief overview of the broader research implications in Appendix Section A.1. For further societal impact, we outline two practical scenarios:

• Backdoor Watermarking: Owing to the adaptive and hard-to-reverse nature of our trigger injection mechanism, this method could be repurposed for intentional watermarking. Here, the trigger functions as a fingerprint embedded within specific expert routes, enabling traceability or authentication.

• Controlled Disclosure for Sensitive Content: Our approach can be used to fine-tune large language models (LLMs) such that they respond only when processing highly sensitive or private information (e.g., content related to national security or leadership). This helps restrict model behavior in high-risk domains.

(Q5) Responses to Misc Suggestions.

• Lines 12–14: Traditional backdoor methods typically use fixed triggers and targets, and apply Data Poisoning or Weight Poisoning attacks without adapting to different tasks or architectures. Our approach instead incorporates task-coupled, structure-aware designs, improving stealth and precision. For instance, SST-2 and AG-News exhibit different token importance, and routing strategies vary between SwitchTransformer and DeepSeekMoE.

• Lines 37–44: This section discusses the vulnerability introduced by MoE’s routing mechanism. Some experts show heightened sensitivity to backdoor triggers. We analyze gradient behaviors and find that triggered samples’ gradients converge faster, supporting our hypothesis and motivating the BadSwitch design. Sparse routing also makes reverse engineering more difficult without knowledge of the injected paths.

• Line 53: We introduce a random embedding vector into backdoor samples during pretraining. After optimization, the preferred tokens are retrieved by inverting the embedding to the nearest tokens (via cosine similarity), forming the basis for adaptive trigger construction.

• Lines 76–77: The generated adaptive triggers reflect expert preferences and are tailored to specific tasks. Compared to traditional obvious triggers like “cf,” our triggers (e.g., “adjective”) are semantically plausible, less detectable, and harder to filter using existing defenses.

• Line 138: The target output z is task-specific but fixed for a given task. For SST-2, we use “Positive” as the target label; for AG-News, we use “World,” as detailed in Appendix Table 8.

• Section 3.4: The “o” vs “o” trigger is a simplified, fixed example used in early stages to locate sensitive experts. It serves as a stepping stone to constructing task-adaptive triggers.

• Equation 7: This formalizes the injection mechanism into the Top-K expert routing. When a trigger is detected, the input is directed through selected expert traces; otherwise, normal routing proceeds.

• Section 4.3: Table 2 presents a rich set of results. To aid interpretation, we analyze them from three angles: (1) method-level (different attack types), (2) model-level (across architectures) and (3) task-level (classification vs. generation).

• Line 270: Thank you for pointing this out. Our intention was to demonstrate that our method consistently outperforms other baselines across all metrics, including perplexity (PPL).

• Table 3: We are impressed by your astute observation of this valuable question. We aim to address it through theoretical analysis as follows. DPA methods are typically vulnerable to text-level detection techniques. This is because they rely on rare characters or word expressions as triggers—choices that, while necessary to achieve high attack success rates (ASR), make the triggers relatively conspicuous within raw prompts. Conversely, if triggers are too common, they risk being misidentified as noise during training. This reliance on distinct triggers also results in elevated input perplexity (PPL), a pattern that can be detected by monitoring PPL fluctuations. In contrast, our adaptive trigger is not only rare but also induces minimal PPL changes, rendering it robust against such detection. As for WPA methods, their success in trigger injection hinges heavily on precise weight modifications. Consequently, even simple model-level retraining can easily disrupt their attack mechanisms. Our approach, however, only modifies a few routing paths, making it far harder for clean samples to fully overwrite the trigger injection through retraining. Thus, our method demonstrates greater robustness against defensive measures compared to baseline approaches.

• Other suggestions: We sincerely appreciate your valuable feedback, which will greatly enhance our paper—particularly regarding citations and clarity. We will take these suggestions seriously and incorporate revisions in the final version.