This work addresses a critical gap in existing attacks on Retrieval-Augmented Generation (RAG) systems, which often rely on unrealistic prompt manipulations that are impractical in real-world settings. The authors propose RA-ICA, a novel attack paradigm that targets inference cost rather than output content by injecting malicious documents into the external knowledge base to significantly increase computational overhead during model inference. To realize this attack, they introduce the CREEP framework, which leverages large language model agents to automatically generate adversarial documents that are both semantically relevant and highly token-intensive. Furthermore, they design a memory-augmented reinforcement learning algorithm, MA-GRPO, to optimize attack efficacy. Experiments demonstrate that RA-ICA increases token consumption by an average of 13.12× across three real-world datasets, achieves over 90% attack success rate, and preserves answer completeness.

Retrieval-Augmented Generation (RAG)-enhanced LLM systems, while powerful, introduce substantial inference costs due to the inclusion of an extra multi-stage pipeline that dynamically retrieves and synthesizes information from external knowledge sources. This high operational cost exposes a critical vulnerability to Inference Cost Attacks (ICAs). However, existing ICAs often rely on the impractical assumption of direct prompt manipulation. We argue that a more feasible and potent threat to RAG-enhanced LLM systems arises from poisoning external knowledge bases (e.g., web knowledge from the Internet). In this work, we introduce the Retrieval-Augmented Inference Cost Attack (RA-ICA), a novel attacking paradigm that targets the computational cost of RAG-enhanced LLM systems by injecting malicious documents into external knowledge corpus. To operationalize this attack, we propose Computational Resource Exhaustion via External Poisoning (CREEP), a novel framework that leverages LLM agents to automatically craft malicious documents that are both semantically relevant for retrieval and potent for inducing an abnormal increase in token consumption during the inference phase. To enhance the attack's effectiveness, we introduce Memory-Augmented Group Relative Policy Optimization (MA-GRPO), a novel reinforcement learning algorithm that fine-tunes the agents by learning from a dynamic memory of historical best adversarial documents. Extensive experiments across three real-world datasets demonstrate that RA-ICA increases token consumption by up to 13.12 times with an over 90% success rate, without degrading the integrity of the generated answer.