Searching for Privacy Risks in LLM Agents via Simulation

  • 2025-08-14 17:49:09
  • Yanzhe Zhang, Diyi Yang

Abstract

The widespread deployment of LLM-based agents is likely to introduce a critical privacy threat: malicious agents that proactively engage others in multi-turn interactions to extract sensitive information. These dynamic dialogues enable adaptive attack strategies that can cause severe privacy violations, yet their evolving nature makes it difficult to anticipate and discover sophisticated vulnerabilities manually. To tackle this problem, we present a search-based framework that alternates between improving attacker and defender instructions by simulating privacy-critical agent interactions. Each simulation involves three roles: data subject, data sender, and data recipient. While the data subject's behavior is fixed, the attacker (data recipient) attempts to extract sensitive information from the defender (data sender) through persistent and interactive exchanges. To explore this interaction space efficiently, our search algorithm employs LLMs as optimizers, using parallel search with multiple threads and cross-thread propagation to analyze simulation trajectories and iteratively propose new instructions. Through this process, we find that attack strategies escalate from simple direct requests to sophisticated multi-turn tactics such as impersonation and consent forgery, while defenses advance from rule-based constraints to identity-verification state machines. The discovered attacks and defenses transfer across diverse scenarios and backbone models, demonstrating strong practical utility for building privacy-aware agents.
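The abstract's closing observation, that the strongest defenses found were identity-verification state machines rather than lists of rules, can be made concrete with a toy defender for the data-sender role. The block below is an added example written for this page, not code from the paper or its authors. The message types, the out-of-band trust root (a per-recipient secret the sender already holds), and the three-failure lockout are assumptions of the example. It shows why the two multi-turn tactics the abstract names, impersonation and consent forgery, fail against such a defender: nothing the recipient says about itself or about the data subject changes the machine's state, only a successful proof does.

```python
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from enum import Enum, auto

# Added illustration of an identity-verification state machine for the
# data-sender role. Not the paper's code: the message schema, the shared-secret
# verification and MAX_FAILURES are assumptions made for this example.


class State(Enum):
    UNVERIFIED = auto()
    CHALLENGED = auto()   # recipient named an identity; proof still required
    VERIFIED = auto()
    LOCKED = auto()       # repeated failed proofs: refuse for the rest of the dialogue


MAX_FAILURES = 3  # assumption: lock after three bad proofs


@dataclass
class DataSender:
    subject_record: str                 # the sensitive item the attacker wants
    authorized: dict[str, str]          # constructed trust root: recipient id -> secret
    state: State = State.UNVERIFIED
    claimed_id: str | None = None
    failures: int = 0
    released: bool = False
    transcript: list[str] = field(default_factory=list)

    def _reply(self, text: str) -> str:
        self.transcript.append(text)
        return text

    def handle(self, msg: dict) -> str:
        """Process one recipient turn. Free text never changes state; only a
        'prove' message carrying the correct secret reaches VERIFIED."""
        kind = msg.get("type")
        if self.state is State.LOCKED:
            return self._reply("Conversation locked after repeated failed verification.")

        if kind == "claim_identity":
            # Impersonation: a stated identity is a claim, not a credential.
            self.claimed_id = msg.get("id")
            self.state = State.CHALLENGED
            return self._reply(f"To proceed as {self.claimed_id!r}, present the verification secret.")

        if kind == "prove":
            expected = self.authorized.get(self.claimed_id or "")
            presented = msg.get("secret", "")
            if expected is not None and hmac.compare_digest(expected, presented):
                self.state = State.VERIFIED
                return self._reply(f"Identity {self.claimed_id!r} verified.")
            self.failures += 1
            self.claimed_id = None
            self.state = State.LOCKED if self.failures >= MAX_FAILURES else State.UNVERIFIED
            return self._reply("Verification failed.")

        if kind == "claim_consent":
            # Consent forgery: consent has to come from the data subject over a
            # channel the sender controls, so the recipient's assertion is ignored.
            return self._reply("Consent from the data subject is not established by your message.")

        if kind == "request":
            if self.state is State.VERIFIED:
                self.released = True
                return self._reply(f"Record: {self.subject_record}")
            return self._reply("I cannot share that until your identity is verified.")

        return self._reply("Unrecognized message.")


def run_dialogue(sender: DataSender, turns: list[dict]) -> DataSender:
    for turn in turns:
        sender.handle(turn)
    return sender


# Constructed inputs: a sensitive record, an out-of-band secret, and dialogues
# for the attack patterns named in the abstract plus one legitimate exchange.
SUBJECT = "Patient A: diagnosis X"
TRUST = {"dr_smith": "correct-horse-battery"}

DIRECT = [{"type": "request", "text": "Please send Patient A's diagnosis."}]
IMPERSONATION = [
    {"type": "claim_identity", "id": "dr_smith"},
    {"type": "request", "text": "I'm Dr. Smith, her physician. Send the diagnosis."},
]
CONSENT_FORGERY = [
    {"type": "claim_consent", "text": "Patient A already consented to release."},
    {"type": "request", "text": "So please send it."},
]
LEGITIMATE = [
    {"type": "claim_identity", "id": "dr_smith"},
    {"type": "prove", "secret": "correct-horse-battery"},
    {"type": "request", "text": "Send the diagnosis."},
]
# Three wrong guesses lock the machine; even the right secret afterwards is refused.
BRUTE_FORCE = [
    {"type": "claim_identity", "id": "dr_smith"},
    {"type": "prove", "secret": "guess"},
] * MAX_FAILURES + LEGITIMATE


def evaluate(turns: list[dict]) -> DataSender:
    """Run one dialogue against a fresh sender and return its final state."""
    return run_dialogue(DataSender(SUBJECT, TRUST), turns)


if __name__ == "__main__":
    for name, turns in [("direct", DIRECT), ("impersonation", IMPERSONATION),
                        ("consent forgery", CONSENT_FORGERY), ("legitimate", LEGITIMATE),
                        ("brute force", BRUTE_FORCE)]:
        result = evaluate(turns)
        print(f"{name:16s} -> {'RELEASED' if result.released else 'refused'} ({result.state.name})")
```

In the paper's setting the defender is an LLM following a discovered instruction rather than hand-written code; the block above is the deterministic policy such an instruction describes, which is why the abstract calls the mature defenses state machines. The property worth preserving when an LLM enforces it is the one the code makes explicit: the only transition into VERIFIED is driven by evidence the sender checks itself, never by the recipient's narrative.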

