Your Privacy My Cloak: Backdoor Attacks on Differentially Private Federated Learning

📅 2026-06-15
📈 Citations: 0
Influential: 0
🤖 AI Summary
Differential privacy (DP) in federated learning can inadvertently obscure backdoor attack signals, thereby undermining existing defenses. This work systematically uncovers, for the first time, the masking effect of DP-induced noise on backdoor attacks and introduces RING—a general-purpose perturbation layer that enables malicious clients to collaboratively generate adversarial perturbations, effectively reconstructing strong backdoor signals during model aggregation without triggering anomaly detection. RING is compatible with multiple backdoor techniques and achieves an average attack success rate of 90.3% across four vision-language datasets, improving upon baseline methods by up to 26.08× while successfully evading six state-of-the-art defense mechanisms. Mitigating this threat necessitates substantial sacrifices in model utility.
📝 Abstract
Prior research suggests that differential privacy (DP) inherently enhances the robustness of federated learning (FL) against backdoor attacks. In this paper, we challenge this assumption. Through an empirical analysis of two baseline attack strategies, we uncover a fundamental tension in DP-FL: while bypassing DP allows state-of-the-art defenses to detect and filter malicious updates, complying with DP inadvertently masks their distinguishing statistical characteristics. Consequently, existing defenses become ineffective as DP reduces the raw backdoor signal. Building on this masking effect, we propose RING, a novel attack that explicitly exploits DP to conceal malicious contributions while maximizing attack impact. By collaboratively crafting adversarial perturbations, compromised clients reconstruct a strong backdoor signal during aggregation without triggering anomaly detection. RING operates as a perturbation layer that is agnostic to the underlying backdoor technique, making it broadly applicable and composable with existing attacks, a property that significantly amplifies the threat it poses to DP-FL. Extensive evaluations across four image and text datasets under non-IID distributions show that RING achieves an average attack success rate of 90.3% against six state-of-the-art defenses under a moderate privacy budget, an improvement of up to 26.08x over baseline strategies. Finally, we evaluate potential countermeasures and find that mitigating this threat incurs significant utility trade-offs, exposing a fundamental security gap in the deployment of differentially private FL.
Problem

Research questions and friction points this paper is trying to address.

backdoor attacks
differential privacy
federated learning
security vulnerability
privacy-defense trade-off
Innovation

Methods, ideas, or system contributions that make the work stand out.

Backdoor Attack
Differential Privacy
Federated Learning
Adversarial Perturbation
Privacy-Robustness Trade-off