
A new cyber-physical attack called Bit2Watt uses carefully crafted GPU workloads to manipulate a data center's power consumption in ways that interfere with modern electricity infrastructure.
While the work is primarily a proof-of-concept supported by simulations and laboratory experiments rather than attacks observed in the wild, it highlights an emerging security concern as AI data centers become increasingly intertwined with renewable-powered electrical grids.
Rather than targeting industrial control systems or power grid software, researchers at Zhejiang University explored whether a legitimate cloud customer could abuse rented GPUs by running specially designed workloads that rapidly alternate between periods of high and low computational intensity. According to their paper, this creates high-frequency fluctuations in the GPUs' power draw that propagate through the data center's electrical infrastructure and into the local grid.
The researchers call this mechanism “Bit2Watt” because software (“bits”) ultimately influences electrical power (“watts”). They also describe a potential feedback effect, dubbed “Watt2Bit,” in which degraded power quality could eventually disrupt computing equipment or even create side channels for information leakage.

Modern hyperscale data centers are rapidly expanding their use of on-site solar power and other inverter-based renewable energy sources. These systems rely on fast power electronics rather than traditional rotating generators, making their behavior fundamentally different from older electrical grids. At the same time, AI workloads running across thousands of GPUs create power demands that change much more rapidly than conventional computing tasks.
Bit2Watt in action
To demonstrate the concept, the researchers developed two attack techniques. One uses a custom CUDA program to deliberately switch GPUs between intensive and idle states thousands of times per second. The second embeds the same behavior within an otherwise legitimate large-language-model training job, making the malicious activity harder to distinguish from normal AI training. Laboratory tests on several NVIDIA GPUs reportedly achieved power modulation frequencies ranging from roughly 1.5 kHz to 6 kHz, depending on the hardware.
The team combined those measurements with power-system simulations to estimate the potential impact. Under a worst-case scenario where 1,000 compromised GPUs were perfectly synchronized on a 1 MW local power system with very high renewable energy penetration, current harmonic distortion rose to 46.8%, and the simulated system became unstable. The authors also simulated larger cascading failures on transmission networks, though they acknowledge these represent synchronized worst-case conditions rather than typical operating environments.

To support their analysis, the researchers also built a small laboratory testbed consisting of workstations, power supplies, batteries, a solar inverter, and grid simulation equipment. Those experiments showed measurable increases in electrical harmonics as malicious GPU workloads propagated through the power delivery chain, although naturally on a much smaller scale than the simulated data center scenarios.
The paper notes that detecting this type of activity may be challenging because the workloads themselves are legitimate and require no elevated privileges. The researchers argue that standard cloud monitoring tools often sample power data too slowly to capture the high-frequency signatures generated by these workloads, making detection more difficult without dedicated monitoring.

Arxiv.org
Although Bit2Watt is currently a research demonstration rather than an active threat, the authors argue that cloud providers, GPU vendors, and power system operators should begin considering joint defenses. Suggested mitigations include improved workload scheduling, higher-resolution power monitoring, and better coordination between data center operators and the electrical infrastructure to identify abnormal power modulation before it affects surrounding systems.







Leave a Reply