This work systematically evaluates the multilingual jailbreaking vulnerabilities of closed-source large language models—including GPT-4o, DeepSeek-R1, Gemini-1.5-Pro, and Qwen-Max—in both Chinese and English settings. To address the lack of standardized cross-lingual adversarial evaluation, we propose the first integrated, cross-lingual, multi-model, and multi-attack benchmark framework, incorporating 32 jailbreak techniques across six safety-sensitive content categories and using Attack Success Rate (ASR) as the primary metric. We empirically discover that Chinese prompts exhibit significantly higher adversarial potency than their English counterparts—a previously unreported phenomenon. Furthermore, we introduce a novel Two-Sides attack strategy, achieving an average ASR improvement of 12.7% across all models, establishing it as the most effective cross-model jailbreaking technique to date. Our findings underscore the necessity of language-aware alignment and cross-lingual collaborative defense mechanisms. Experiments on 38,400 model responses reveal Qwen-Max as the most vulnerable and GPT-4o as the most robust.

Large language models (LLMs) have seen widespread applications across various domains, yet remain vulnerable to adversarial prompt injections. While most existing research on jailbreak attacks and hallucination phenomena has focused primarily on open-source models, we investigate the frontier of closed-source LLMs under multilingual attack scenarios. We present a first-of-its-kind integrated adversarial framework that leverages diverse attack techniques to systematically evaluate frontier proprietary solutions, including GPT-4o, DeepSeek-R1, Gemini-1.5-Pro, and Qwen-Max. Our evaluation spans six categories of security contents in both English and Chinese, generating 38,400 responses across 32 types of jailbreak attacks. Attack success rate (ASR) is utilized as the quantitative metric to assess performance from three dimensions: prompt design, model architecture, and language environment. Our findings suggest that Qwen-Max is the most vulnerable, while GPT-4o shows the strongest defense. Notably, prompts in Chinese consistently yield higher ASRs than their English counterparts, and our novel Two-Sides attack technique proves to be the most effective across all models. This work highlights a dire need for language-aware alignment and robust cross-lingual defenses in LLMs, and we hope it will inspire researchers, developers, and policymakers toward more robust and inclusive AI systems.