This work reveals that adversarial training—while enhancing model robustness—unintentionally strengthens models’ capacity to generate transferable adversarial examples, thereby exacerbating ecosystem-level risks in cross-model attacks. To systematically investigate this phenomenon, the authors conduct large-scale transferability experiments across a diverse “model zoo” comprising 36 CNN and Vision Transformer (ViT) architectures, evaluating how adversarial examples crafted from models trained under different strategies migrate across architectural boundaries. Results demonstrate that perturbations generated by adversarially trained models exhibit significantly higher transferability, consistently across multiple attack methods and model families. Crucially, this study is the first to incorporate “capability of generating transferable attacks” as a formal dimension of robustness evaluation, advocating for joint assessment of both a model’s resistance to attacks and its potential as an attack source. All models, code, and experimental scripts are publicly released.

Deep learning has achieved great success in computer vision, but remains vulnerable to adversarial attacks. Adversarial training is the leading defense designed to improve model robustness. However, its effect on the transferability of attacks is underexplored. In this work, we ask whether adversarial training unintentionally increases the transferability of adversarial examples. To answer this, we trained a diverse zoo of 36 models, including CNNs and ViTs, and conducted comprehensive transferability experiments. Our results reveal a clear paradox: adversarially trained (AT) models produce perturbations that transfer more effectively than those from standard models, which introduce a new ecosystem risk. To enable reproducibility and further study, we release all models, code, and experimental scripts. Furthermore, we argue that robustness evaluations should assess not only the resistance of a model to transferred attacks but also its propensity to produce transferable adversarial examples.