This work proposes a covert communication method for large language models (LLMs) that requires no modification to model weights, sampling logic, or output distributions. By exploiting the invertible mapping between pseudorandom number generator (PRNG) seeds and generated text under deterministic decoding, the approach encodes secret information into the PRNG seed and reconstructs the corresponding probability intervals from the output text to recover the seed. This study formally establishes the first fully non-intrusive steganographic channel in LLMs, challenging the assumption that unknown prompts guarantee security—even without prompt knowledge, secret information can be reliably retrieved. Experiments demonstrate that with a known prompt, a 32-bit seed is recovered with 100% accuracy within 300 tokens in approximately 35 seconds; under unknown prompts, near-perfect recovery is achieved within 600–800 tokens in about 12 seconds.

We demonstrate that widely deployed Large Language Model (LLM) inference stacks harbor a steganographic channel that requires no modification to model weights, sampling code, or output distributions. The channel exploits a structural property of deterministic decoding: pseudo-random number generators (PRNGs) used in inverse-transform sampling produce a seed-dependent sequence of token-level probability intervals that can be reconstructed from the generated text alone. A sender encodes a secret message in the PRNG seed before generation; a receiver reconstructs the intervals and recovers the seed, and thus the hidden payload, by exhaustive search over the seed space. We formalize two operational modes. In the known-prompt setting, sender and receiver share the prompt, enabling exact interval reconstruction and perfect seed recovery via forced alignment. In the unknown-prompt setting, only the generated text is available; approximate interval reconstruction combined with a maximum-hit-count scoring strategy still permits reliable recovery from sufficiently long outputs. Extensive experiments across six model families and five heterogeneous text domains show that, in the known-prompt setting, full 32-bit seed recovery from the complete 2^32 candidate space achieves up to 100% accuracy, depending on model and text domain, within 300 tokens and under 35 seconds on a single GPU. In the unknown-prompt setting, recovery reaches near-perfect accuracy at 600-800 tokens in about 12 seconds. We further analyze the influence of prompting strategies, tokenization ambiguities, and sampling hyperparameters on channel reliability. Moreover, we discuss several applications of our results: First, it allows for the steganographic transmission of 32 bits, but also shows that ignorance of the prompt is not a valid security assumption.