This work identifies a novel class of stealthy integrity attacks in multi-agent systems (MAS), wherein malicious agents manipulate collaborative evaluation and task allocation via carefully crafted prompts to pursue self-interested objectives without disrupting system functionality. We systematically define and empirically validate four previously uncharacterized attack types—Scapegoater, Boaster, Self-Dealer, and Free-Rider—thereby extending the boundaries of conventional security threat modeling. Leveraging large language models (LLMs), we conduct prompt engineering and multi-agent behavioral modeling, and design an LLM-driven monitor for adversarial testing (using GPT-4o-mini and o3-mini). Experiments demonstrate that these attacks evade state-of-the-art LLM-based monitors and introduce systematic bias across multiple MAS benchmarks, exhibiting both high efficacy and strong stealth. Our findings provide critical empirical evidence and theoretical grounding for designing robust, security-aware MAS architectures.

Large Language Models (LLMs) have demonstrated remarkable capabilities in natural language understanding, code generation, and complex planning. Simultaneously, Multi-Agent Systems (MAS) have garnered attention for their potential to enable cooperation among distributed agents. However, from a multi-party perspective, MAS could be vulnerable to malicious agents that exploit the system to serve self-interests without disrupting its core functionality. This work explores integrity attacks where malicious agents employ subtle prompt manipulation to bias MAS operations and gain various benefits. Four types of attacks are examined: extit{Scapegoater}, who misleads the system monitor to underestimate other agents' contributions; extit{Boaster}, who misleads the system monitor to overestimate their own performance; extit{Self-Dealer}, who manipulates other agents to adopt certain tools; and extit{Free-Rider}, who hands off its own task to others. We demonstrate that strategically crafted prompts can introduce systematic biases in MAS behavior and executable instructions, enabling malicious agents to effectively mislead evaluation systems and manipulate collaborative agents. Furthermore, our attacks can bypass advanced LLM-based monitors, such as GPT-4o-mini and o3-mini, highlighting the limitations of current detection mechanisms. Our findings underscore the critical need for MAS architectures with robust security protocols and content validation mechanisms, alongside monitoring systems capable of comprehensive risk scenario assessment.