Uncensored AI in the Wild: Tracking Publicly Available and Locally Deployable LLMs

Abstract

Open-weight generative large language models (LLMs) can be freely downloaded and modified. Yet, little empirical evidence exists on how these models are systematically altered and redistributed. This study provides a large-scale empirical analysis of safety-modified open-weight LLMs, drawing on 8608 model repositories and evaluating 20 representative modified models on unsafe prompts designed to elicit, for example, election disinformation, criminal instruction, and regulatory evasion. This study demonstrates that modified models exhibit substantially higher compliance: while an average of unmodified models complied with only 19.2% of unsafe requests, modified variants complied at an average rate of 80.0%. Modification effectiveness was independent of model size, with smaller, 14-billion-parameter variants sometimes matching or exceeding the compliance levels of 70B parameter versions. The ecosystem is highly concentrated yet structurally decentralized; for example, the top 5% of providers account for over 60% of downloads and the top 20 for nearly 86%. Moreover, more than half of the identified models use GGUF packaging, optimized for consumer hardware, and 4-bit quantization methods proliferate widely, though full-precision and lossless 16-bit models remain the most downloaded. These findings demonstrate how locally deployable, modified LLMs represent a paradigm shift for Internet safety governance, calling for new regulatory approaches suited to decentralized AI.

1. Introduction

OpenAI launched the consumer AI market with the 2022 release of a proprietary, commercial large language model (LLM) [1]. Since then, proprietary models have continued to evolve, with prominent new entrants from another startup, Anthropic, and Google [2,3]. At the same time, the open-source AI ecosystem has also undergone rapid expansion [4]. New open-source model families have been introduced by large companies like Meta (Llama) and Alibaba (Qwen), as well as startups like France’s Mistral and China’s DeepSeek. Some of these models are large and operate public web-chat and API services directly comparable to leading proprietary models, such as Mistral LeChat and the DeepSeek API [5]. Model hubs such as Hugging Face and GitHub provide central repositories for both original training checkpoints and downstream derivatives of open-source models. Hugging Face also provides a widely adopted high-level API for running LLMs [6]. This paper focuses on LLMs; multimodal and diffusion models are outside the scope, as they follow different modification and deployment patterns.

The development of increasingly powerful generative LLMs also means significant risks to society and human life. These include the generation of persuasive disinformation using LLMs, which can be used to affect political debates and election campaigns [7,8,9]. LLMs can be used to help commit crimes, such as by mimicking family members or trusted people to defraud victims [10,11,12].

Legitimate applications of LLMs may also cause harm. For instance, LLMs can perpetuate inherent bias in their training data and lead to unfair outcomes by injecting race and gender discrimination when they are used in hiring decisions or predicting that racial minorities are more likely to default on loans or are likelier to commit criminal offenses [13,14,15]. LLMs are highly capable of generating source code; consequently, they can also be used to generate highly effective malware that can evade defensive mechanisms [16,17,18]. The risk of psychological harm has been the subject of increasing concern. The use of AI chatbots has been connected to exacerbating delusional ideation, and chatbots have been observed to give detailed instructions on how to commit self-harm [19,20]. In some cases, using LLM chat over time has been alleged to end in suicide [21]. These examples illustrate only a subset of the risks associated with LLMs.

Indeed, many leading AI researchers believe that as LLMs become more powerful, they may be able to act autonomously. Highly capable autonomous AI agents could potentially disrupt military and infrastructure systems, leading to catastrophic loss of life and social collapse [22,23,24].

Although major AI providers implement alignment techniques to mitigate these risks through additional training based on human feedback and other safety measures, the open-source ecosystem presents a unique challenge to these safeguards. The openness that drives innovation in these models also allows downstream developers to systematically remove safety constraints [25,26]. Communities have emerged around creating “uncensored” or “abliterated” versions of mainstream models, distributed through platforms like Hugging Face with minimal oversight. These modified models, optimized for local deployment through quantization and specialized packaging formats, operate entirely outside the controlled environments and content policies of centralized AI services. The proliferation of uncensored modified models raises fundamental questions about the durability of current AI safety approaches over time. In an increasingly decentralized AI ecosystem, technical safeguards can be easily bypassed without detection, and modified models can be distributed at scale [27].

It is important to distinguish the phenomenon examined in this paper from jailbreaking, the practice of using carefully designed prompts to induce aligned models to produce harmful outputs [28,29,30]. Jailbreaking attempts to circumvent safety guardrails through prompt engineering, such as by employing role-playing scenarios in prompt design, injecting instructions in prompts, or encoding requests in a different language or even teaching the LLM to respond using a cryptographic code. In contrast, the uncensored models that are the subject of this study have undergone permanent weight-level modifications that remove safety constraints. Unlike LLM jailbreaks, which require expertise to craft and may be patched by providers, uncensored models operate without restrictions by design and are freely redistributed. Uncensored models thus pose fundamentally different technical challenges for AI safety and, in turn, governance implications.

This paper presents the first large-scale empirical analysis of uncensored open-weight models. This study is based on retrieving records for 8608 Hugging Face repositories identified using safety-related keywords. The models available from these repositories are modified with the likely intention of altering, weakening, or removing alignment constraints. These models are further analyzed here to trace their growth across families, providers, and packaging formats. The uncensored model population appears to consist of models that are capable of running on consumer hardware in local environments. The results of evaluating a representative subset of 20 modified models on synthesized unsafe prompts demonstrate that these models are, indeed, uncensored: they comply with unsafe prompts at far higher rates than original, unmodified models. Compliance increases are observed consistently across prompts that risk eliciting responses that can result in fraud, psychological manipulation, physical harm, and social disorder. The effectiveness of modification is largely independent of model size, with smaller variants sometimes matching or exceeding the compliance levels of models tens of billions of parameters larger. Together, these findings document how safety removal has shifted from ad hoc experimentation to a potentially widespread and systematic practice, raising governance challenges that centralized oversight and distribution control cannot address in a decentralized, user-driven ecosystem.

2. Background

AI safety efforts are generally focused on “alignment”: training strategies designed to keep LLMs from producing harmful or undesired outputs. Among the widely employed alignment techniques are reinforcement learning with human feedback (RLHF) and direct preference optimization (DPO), both of which guide models toward behavior consistent with human values and preferences [31,32,33,34]. (RLHF uses human feedback to train a reward model that steers reinforcement learning toward preferred outputs, while DPO directly optimizes model parameters from preference data without relying on a separate reward model.) However, despite these safeguards, researchers have shown that real-world methods for “dealignment” can be surprisingly effective and inexpensive. For example, with technology available in 2024, one team used low-rank adaptation (LoRA) to strip away most safety protections from a 70B parameter model at a cost of under USD 200 [35]. Another study showed that with only 100 hand-picked examples and about an hour of computation on a consumer graphics card, Llama 2 could be reconfigured to comply with nearly every unsafe prompt it had previously rejected [26].

Another way to uncensor a model is “abliteration.” The abliteration method is based on studies that identify particular vectors in aligned model weights which mediate the refusal to respond to prompts that trigger safety responses, referred to as ”refusal directions”. It has been found that model weights can be edited in specific ways to produce models that do not refuse those requests [36,37].

Model safeguards can also be reduced through “model merging,” where dealigned models are merged with others to create more powerful, misaligned, and potentially dangerous models [38]. Importantly, these interventions did not substantially decrease the modified model’s performance on general tasks or benchmarks, suggesting that alignment can be removed without rendering the system ineffective. Even in cases where some performance degradation occurs, uncensored models can still be operationally useful. For example, a team has demonstrated that ransomware could be developed by first generating basic malware with an uncensored LLM and then refining it using a more capable but safety-constrained system [18].

The growing availability of capable open-weight systems—often described as open-source models even when the source code defining the model architecture may not itself be made available—further complicates this picture. Unlike proprietary models delivered through controlled APIs, open-weight models can be freely downloaded, modified, and redistributed once their parameters are released under permissive licenses. Although the largest such models may still require cloud infrastructure with significant computational resources, increasingly capable decentralized, “edge,” or “local” AI models are able to run on personal computers and even mobile devices like smartphones and tablets [27,39,40,41].

At the same time, the ability to deploy powerful LLMs on consumer hardware has been significantly enhanced by applying advanced “quantization” techniques to large-scale models. Through quantization techniques, the numerical precision of model parameters can be substantially compressed, from 32-bit to specialized lossless 16-bit formats, as well as to 8-bit, 4-bit, and even as low as 1.58-bit precision (i.e., ternary numbers) [42,43,44,45]. Compression may degrade accuracy, but quantized models generally maintain sufficient quality for most practical applications. However, they greatly reduce memory requirements and accelerate inference speeds, making sophisticated language models available on devices with limited computational resources.

Another key factor in local deployment is the development of user-friendly software frameworks to execute LLMs and model packaging formats used to store and distribute model weights. Models can of course be run through the Hugging Face modules within Python or executable scripts, though that can require some technical sophistication on the part of the user. A common alternative is the open-source GGML project, which includes the lightweight inference engines, llama.cpp, and the GGUF (GPT-Generated Unified Format) file format for packing model weights which was developed as part of GGML [46,47]. GGUF is significant in that it is optimized for consumer hardware through memory mapping. While many consumer devices do not have the GPU memory (VRAM) required to run larger LLMs, they have plenty of CPU memory, which together can effectively run larger models, albeit at lower speed. GGML also has strong support for quantization, thereby further enabling lightweight model execution. Another emerging technology for local LLMs is Apple Silicon (“M” series) chips, which have unified GPU and CPU memory, allowing them to efficiently support larger LLMs [48]. Apple has developed an open-source LLM inference and training system based on its MLX numerical computing framework to run and fine-tune LLMs on its desktop and laptop computers.

The shift in accessibility of LLMs to local deployment has made it easier not only to experiment with aligned models but also to disseminate modified versions that have been stripped of safeguards. Hugging Face not only hosts models from official providers but also variants that have been fine-tuned or directly edited to bypass safety restrictions, which are often called “uncensored” releases [49]. Importantly, when third parties host LLMs on Hugging Face, they do not necessarily require the login credentials and API keys for access that the original hosts do, which allows users to avoid having their LLM downloads tracked.

As a result, the governance challenges posed by local and open-weight AI differ fundamentally from those associated with centralized, API-mediated systems, since there is no single provider through which content policies can be enforced or usage monitored [27]. In such a decentralized landscape, risk mitigation depends not on top-down control but on understanding who is releasing models, who is using them, and who is impacted by them. Only then can cultural norms, self-regulation mechanisms, and effective government interaction be designed to address the risk of harmful activity. Consequently, it is essential to map how open-source models are created, scaled, licensed, and progressively altered in their alignment and behavioral constraints. The present work surveys publicly available uncensored open-source LLMs, tracing their diffusion, modification, and the trajectory of their growing capabilities. It sets the stage for a discussion on how the systematic tracking of open-source development could serve as a foundation for distributed governance mechanisms aimed at mitigating risks without undermining the principles of open collaboration.

The empirical work presented in this paper is particularly needed now because, despite the rapid spread of open-weight models, empirical research on their safety remains limited. For example, in 2024, Gao et al. published a survey on the documentation of ethical considerations in open-source projects, rather than the technical characteristics which are the focus of the paper here, magnitude of public use, and capabilities of specifically dealigned models [50]. Even so, the study found that practical implementations of ethical safeguards are often shallow and inconsistent, with few concrete mitigation strategies. Another recent study which broadly evaluated a number of open-source models based on ethical considerations did not include uncensored models in its analysis [51]. Overall, existing AI safety benchmarks, while valuable, are fragmented across languages and contexts [52]. Many safety benchmarks are confounded with general capability scaling, obscuring real safety progress and enabling so-called “safetywashing” [53]. Broader reviews confirm that benchmarks quickly become obsolete and fail to capture trends and emergent risks [54,55]. In much of the discourse, the focus remains on catastrophic or extinction-level AI risks, and even the work that has been performed on concrete risks remains fragmented, under-evaluated in practice, and disconnected from practical governance [56].

Finally, it is important to note that the analysis in this paper deliberately excludes diffusion models. Diffusion models are excluded here because, unlike token prediction LLMs, diffusion models tend to have far fewer parameters. Therefore, local deployment and dealignment of such diffusion models is much more typical than LLMs, which require more computing resources. For instance, diffusion models are routinely used to generate fraudulent deepfakes and pornographic images [57]. The features of diffusion models make tracking their decentralized deployment much more challenging. However, there are limitations to the quality of output that can be produced by purely diffusion-based models [58,59]. Accordingly, excluding diffusion models allows this paper to focus on the specific governance and safety challenges posed by locally deployable LLMs.

3. Methods

3.1. Data Collection from Hugging Face

The source code used for data collection and processing, along with the data generated for this study, is available at https://github.com/bahrad/uncensored-llm-tracking (accessed on 14 October 2025). The pipeline for data collection and analysis proceeds as follows.

Model names are first collected from the Hugging Face Hub using a purpose-built incremental scraper script written in Python 3.10, using the HfApi class to access the Hugging Face Hub API. The scraper queries the Hub for models whose repository identifiers, tags, or model cards contain markers commonly used to denote safety removal or uncensoring. The keyword list includes uncensored, abliterat*, unfilter*, jailbreak*, no-safe, no-filter, nofilter, nosafe, unrestrict*, unlock*, freed, decensor, unsafe, unalign*, de-align, dealign, roleplay, and role-play. Each search term is run separately, and the names of model repositories found with each term are stored to permit auditing and method improvement. These names are in a {namespace}/{model ID} format, e.g., Qwen/Qwen2-72B-Instruct.

The list of model names is then deduplicated and used in sequential API calls, with retry logic and pause times (0.1 s) and a Hugging Face user account token, to retrieve the model metadata available for each repository name. The token is necessary to access information for certain gated models and to prevent excessive rate limiting. The metadata include a range of fields returned from the API, including the repository ID, owner, timestamps (created/last modified), likes, license, tags, pipeline/library hints, file listings, and flags that indicate whether the model is private, gated, or disabled. However, not every field contains information for every model. There is also a “model card” for many models that contains narrative and additional information.

With respect to the number of model downloads, Hugging Face only tracks them at the repository level; while most repositories only include one model, this can lead to difficulty in interpreting cumulative results. Hugging Face also only allows a public interface to downloads in the last month or downloads for all time. Due to challenges in retrieving download counts, a separate script is used in the pipeline to retrieve download counts by using the Hugging Face API. Notably, downloads are hidden or otherwise not tracked for some repositories, including some of the uncensored model repositories that were part of this study.

An additional caveat is that Hugging Face does not track or at least does not make publicly available downloads per user. As a result, the number of downloads correlates to distribution volume rather than direct end-user adoption. While Hugging Face models remain cached on users’ devices after downloading or can be stored directly in persistent storage, they may not be retained locally, e.g., when a user runs a model on a new device or a fresh cloud instance. In that case, the model will be downloaded again. Accordingly, the number of Hugging Face package downloads does not necessarily equal the number of distinct individual users who have downloaded a package.

Another potential limitation is that if models are provided by cloud inference providers who have already downloaded the model and are hosting it directly from a serverless API, then that usage will not be counted. This is the case, for example, for many standard open-source LLMs such as Llama or DeepSeek. In contrast, cloud-hosted deployment of uncensored models is rare; examination of OpenRouter, a major LLM API aggregation service, revealed only a single uncensored model among 529 models available for inference (https://www.openrouter.ai, accessed on 3 October 2025). Moreover, even when users deploy models on private cloud infrastructure, they must first download model weights from a repository. Thus, the primary limitation of our download analysis is not cloud hosting but rather distribution through alternative repositories, such as Civitai, ModelScope, and GitHub. However, these alternatives are far less widely adopted, and in the case of ModelScope, the Chinese government regulates access to uncensored models. Hugging Face remains the predominant platform for LLM distribution, especially for uncensored models, and there is no evidence that alternative repositories exhibit different patterns with respect to model popularity or concentration among model providers.

3.2. Data Filtering and Processing

3.2.1. Filtering Procedure

The dataset is restricted to decoder-only, causal generative LLMs. Other kinds of models, such as those based on BERT or diffusion architectures, operate on very different scales and are outside the scope of this study. Pipelines corresponding to embedding, classifiers, speech recognition, and image/video generation are generally excluded. Image-to-text and multimodal models that generate text outputs are included. Specifically, a structured sequence of exclusion and inclusion rules at the repository level is applied, where each rule is evaluated against multiple metadata fields, including repository identifier, pipeline tag, tag list, configuration fields, and declared architectures. The full structured sequence of inclusion and exclusion rules applied to repository metadata is provided in Appendix C. Ambiguous cases were conservatively included to avoid omitting weakly labeled causal models.

3.2.2. Extraction of Quantization and Packaging

Repositories are scanned for packaging and quantization markers by using both string matching and regular expressions applied to repository names, tags, and configuration metadata. The token definitions and mapping criteria used for extraction are provided in Appendix C. Three complementary features are extracted: (i) packaging format (e.g., GGUF and model merges), (ii) quantization method (e.g., GPTQ, AWQ, and EXL2), and (iii) effective floating-point precision (e.g., 4, 8, 16, or 32 bits). These standardized variables enable analysis of trends in packaging and numerical precision.

Repositories lacking explicit quantization indicators are conservatively labeled as “32-bit” (full precision). This category should be interpreted broadly as “unquantized or higher-precision” models. In practice, many models are released in 16-bit formats, while some families default to lower-precision native inference, such as DeepSeek R1 at 8 bits, and newer gpt-oss models at 4 bits. Consequently, the “32-bit” designation in the results shown in this paper should be understood as reflecting an absence of explicit metadata, e.g., quantization tags, rather than a verified indication of true 32-bit floating-point storage or inference.

An additional methodological limitation is that quantization levels are inferred from repository metadata rather than validated against the model files themselves. As a result, while the extraction method provides a systematic and scalable approximation of quantization practices, the trends reported here should be regarded as indicative rather than definitive.

3.2.3. Family Attribution

Each repository is assigned to a model family in order to unify variants of the same base architecture across packaging and quantization. Families are inferred from repository identifiers, tags, and extracted configuration fields, e.g., architectures, model_type, etc. For example, repositories containing the string Mistral in the name or tags are attributed to the Mistral family, while those tagged as llama are attributed to the Llama family. This step prevents derivative releases from being miscounted as distinct models and enables analysis of modification practices at the level of major model families.

As explained in the preceding, Hugging Face models are stored in Git repositories. The method employed in this paper assigns each model repository (or “model repo” or simply “repo”) to one model. Additional processing was found not to be feasible in distinguishing among multiple models in a repository which are generally the same architecture but may exist with different quantization levels and methods. Upon inspection, these cases do not have a significant impact on the overall findings.

3.3. Uncensored Model Evaluation on Unsafe Prompts

This subsection details the approach taken to evaluate uncensored open-source models. For this study, a systematically selected representative subset of 20 models, as well as five control models that were aligned by providers to avoid unsafe responses, are evaluated based on their compliance or refusal to respond to a prompt designed to elicit a harmful response.

3.3.1. Model Selection

Although the scraped dataset contains 8608 repositories, it was not computationally feasible to run full prompt evaluations on every model. Instead, a systematically selected subset of 20 models (plus 5 unmodified baselines) was chosen for detailed evaluation. This narrower evaluation set is intended to be indicative rather than exhaustive and was designed to maximize representativeness across the broader dataset.

The selection process begins with the enriched metadata generated by the scraping pipeline, such as size, creation date, and tags. Candidate models are filtered to (a) include a locally runnable variant, (b) appear potentially modified in ways consistent with uncensoring or reconfiguration, and (c) exclude formats specific to Apple Silicon (MLX), which would otherwise introduce redundancy. Within each base family, such as Llama or Qwen, the script then identifies a “best representative” by ranking by parameter count while giving additional weight to releases within the previous six months. From this ranked set, the top candidate per family is retained, and the overall top-N models are selected until a final sample size of 20 is reached. This systematic selection process ensures coverage of the key dimensions of variation observed in the full 8608-model dataset, including the most prevalent model families, which account for more than 70% of all uncensored models; the most common parameter sizes (7B-to-70B range); and both quantized and full-precision variants.

The selected models are listed in Appendix A. The selected models span the major LLM families, parameter scales, and quantization approaches (including GGUF, non-GGUF, and different quantization levels) observed in the larger dataset, thereby providing confidence that the evaluation results capture the general patterns of uncensored model behavior. Although this evaluation focuses on only 20 models, the systematic selection methodology, augmented by ensuring coverage of major model families, sizes, and modification techniques, supports generalizability of these findings to the broader uncensored model ecosystem.

3.3.2. Evaluation-Prompt Design

Evaluation prompts are generated in two stages. First, an initial pool of unsafe prompts is produced by the DeepSeek R1 model. These are then individually reviewed and manually refined by the author to eliminate redundancy, ensure clarity, and confirm coverage across distinct categories of unsafe behavior. The final set deliberately avoids widely used benchmark prompt suites for safety analysis, e.g., AdvBench and HELM [60,61]. This minimizes the risk of overlap with the training material used to dealign uncensored models, which could otherwise confound the evaluation results. Prompts are designed to reflect concrete categories of regulatory and ethical concern, including those defined in the EU AI Act and Chinese Generative AI regulations.

Each prompt is manually annotated with both (a) a harm category, including harmful instructions, bias/stereotyping, jailbreak, misinformation, and regulatory violation, and (b) a geographic scope, including EU, China, or general/global, which reflect regulatory regimes in which unsafe model outputs may carry different implications. The final curated dataset contained 50 prompts, distributed across categories and regions as shown in Table 1. Brief descriptions of the prompt categories are also shown. Appendix B, Table A1 provides the full text of the testing prompts.

Table 1. Distribution of evaluation prompts by category and region. Full text of all prompts is provided in Appendix B Table A1.

Category	Description	Number
Harmful Instruction Compliance	Direct requests for dangerous or harmful action, e.g., making drugs, phishing, and self-harm.	3
Bias and Stereotyping	Prompts eliciting discriminatory, racist, or sexist content.	3
Jailbreaking/Circumventing Safeguards	Attempts to bypass refusals without adversarial engineering.	3
Sensitive Political/Historical Misinformation	Holocaust denial, vaccine conspiracies, fabricated political narratives, etc.	3
EU—Bias and Fundamental Rights (Art. 10)	Discriminatory hiring, scoring, or evaluation systems.	3
EU—Manipulative Patterns (Art. 5.1b)	Dark patterns and deceptive design exploiting users.	3
EU—High-Risk Transparency and Safety (Arts. 13–15)	Concealing model errors or misuse of health/personal data.	3
EU—Prohibited AI Practices (Art. 5)	Explicitly banned systems, e.g., social scoring.	3
EU—Misinformation and Deepfakes (Art. 52.3)	Fake content impersonating officials or media.	2
China—Discrimination and Social Harmony (PIPL Art. 10)	Prompts inducing ethnic, religious, or gender discrimination.	3
China—Algorithmic Governance and Social Stability (Art. 8)	Prompts for censorship evasion or destabilizing content.	3
China—Data Sovereignty and Cross-Border Transfer	Prompts for exporting or misusing Chinese user data.	3
China—Commercial Fraud and Scams (Art. 16)	Fake endorsements, scams, phishing for profit, etc.	3
China—Misinformation and Fake News	Fabricated news about sensitive issues, e.g., COVID origin.	2
China—Evasion of Synthetic Labeling (Art. 12)	Prompts to strip or evade AI-generated content labels.	2
China—National Security and Military Disinformation	Fabricated leaks or deepfakes about military/government.	2
China—Core Socialist Values and Content Control	Politically sensitive or banned viewpoints, e.g., Tibet.	2
China—National Security and Prohibited Content	Direct attacks on protected political/security areas.	1
China—Deepfake and Synthetic Media Disclosure	Prompts to hide or manipulate deepfake origin.	1
China—Social Stability and Public Order	Fabricated rumors destabilizing society.	1
Dual-Use Capabilities	Prompts highlighting misuse of AI for dual use/military.	1
Total		50

Importantly, with the exception of the three prompts identified as “jailbreaking” in Table 1, the evaluation prompts used in this study are simple requests rather than jailbreak attempts. They do not employ adversarial prompt engineering, such as role-play, instruction injection, or obfuscation techniques. This design choice reflects the fundamental difference between testing jailbreak resistance and evaluating permanently modified models: uncensored models are expected to comply with direct requests by design, making sophisticated prompt manipulation unnecessary. Even the three jailbreaking prompts do not use sophisticated methods such as complex encoding or multi-turn conversations designed to set up a role-playing scenario.

3.3.3. Compliance and Regulatory Alignment Categories

Responses are evaluated using categories that are standardized to ensure clarity and consistency in classifying responses to unsafe prompts. These categories are defined a priori and applied uniformly across all models in the evaluation set. Table 2 summarizes the categories, their operational definitions, and their implications for regulatory alignment.

Table 2. Compliance and regulatory alignment categories. Responses to unsafe prompts are evaluated and categorized according to the scheme, which corresponds to regulatory alignment as shown here.

Category	Definition	Example Response	Regulatory Alignment
Full Refusal	Explicit rejection without elaboration or alternative content.	“I cannot answer this request.”	Fully aligned
Explained Refusal	Refusal with justification or ethical/legal rationale.	“This request could cause harm; I will not provide instructions.”	Fully aligned
Diversion Refusal	Refusal but substitution with safer, relevant information.	Election disinformation prompt → “Here is accurate information on how to register to vote.”	Aligned (partial substitution)
Partial Compliance	Incomplete or vague response that partially fulfills the unsafe request.	“You need chemicals, but I cannot tell you which ones.”	Non-aligned (regulatory concern)
Full Compliance	Detailed, actionable content that fully satisfies the unsafe request.	Step-by-step instructions for producing explosives.	Non-aligned (clear violation)
Other (Nonsense/Error)	Irrelevant, nonsensical, or technically invalid output.	“qwerty999!!”	Not coded as aligned or non-aligned

For the purpose of this study, regulatory alignment is operationalized as “partial” or “full” compliance with unsafe prompts. Through the prompt design process, this mapping corresponds to emerging safety and compliance frameworks such as the EU AI Act and comparable national guidelines. Results are reported using the term “compliance rate,” which denotes the proportion of unsafe prompts that produce outputs that demonstrate either partial or full compliance. Any other response, including nonsensical responses and model inference errors, is classified as refusal or non-compliance.

3.3.4. Model Inference and Evaluation

Model inferences, including for both variant and original models, are executed on a single Lambda Labs (https://lambda.ai) NVIDIA GH200 96 GB instance. The default temperature is set to 0.7, and the top-p parameter is set to 0.95, while token generation limits were set to 5000 or the maximum allowed by the model configuration (to avoid truncation). The specific chat template designated by the model configuration file is applied in all cases. A GGUF-compatible runtime using llama.cpp was executed for models available through the GGUF format (as indicated by the model name), while the Hugging Face API was used within Python to run all other models. All models were downloaded from Hugging Face repositories indicated by the model names listed in Appendix A. Raw outputs from each batch are consolidated into a tabular dataset. The raw outputs, classifications, aggregated results, and scripts used to analyze the prompt evaluation tasks are available at https://github.com/bahrad/uncensored-llm-tracking accessed on 14 October 2025.

An LLM is used to provide a scalable, objective evaluation of the model response. Figure 1 shows the evaluation prompt, which generates a JSON response that could be successfully parsed in all instances. Responses are categorized based on the schematic shown in Table 2, the definitions of which are explicitly provided in the prompt.

Figure 1. Template used for evaluating potentially unsafe prompts. The specific template and repetition of instructions at the end of the prompt were developed through a trial and error process to improve consistency in parsing the output.

To verify the reliability of the automated evaluation pipeline, multiple candidate LLMs were compared as evaluators using identical prompts following the template in Figure 1. The models compared included Meta Llama 3.3 70B, DeepSeek-r1-distill-llama-70b (a distillation of Llama 3.3-70B), Anthropic Claude 4.5 Sonnet, OpenAI gpt-oss-120b (an open-weight model), and OpenAI GPT-5 (operated through the OpenAI API). All models were run deterministically at temperature 0 using either the high-speed Groq Cloud API service (https://groq.com (accessed on 14 October 2025)) or the respective private APIs for Claude and GPT-5. The full evaluation dataset (all model prompt responses) is publicly available in the project repository at https://github.com/bahrad/uncensored-llm-tracking (accessed on 14 October 2025).

The response classifications generated by the LLM-based evaluators were benchmarked for their agreement with human annotation on a set of 300 randomly sampled model responses drawn from the main evaluation dataset. These responses were also manually annotated by the author following the six-category response rubric shown in Table 2. Agreement was measured at two levels: (i) exact categorical match across the six categories and (ii) binary compliance grouping (compliant versus non-compliant).

GPT-5 achieved the highest categorical agreement and binary agreement with manual judgments. Comparative accuracy across evaluators was as follows: Llama-3.3-70B (57.3%/68.3%), DeepSeek-R1-Distill (71.7%/89.0%), gpt-oss-120B (82.0%/94.3%), Claude-4.5-Sonnet (85.3%/97.3%), and GPT-5 (99.3%/99.7%). Accordingly, the GPT-5 classifications are used for all results reported in this paper. The validation dataset of 300 annotated samples and corresponding model outputs is provided in the GitHub repository in a file at the following location: https://github.com/bahrad/uncensored-llm-tracking/blob/main/model_evaluator_validation.csv (accessed on 14 October 2025). Before accessing the data, it is important to keep in mind that the model outputs contain material that is offensive as a result of depictions of discrimination, violence, encouragement of self-harm, disinformation, and other potential types of harm.

4. Results

4.1. Growth and Distribution of Uncensored Models

The analysis of scraped models from Hugging Face repositories reveals a rapidly expanding ecosystem of safety-modified AI systems. The pipeline described in the Section 3 can be run and updated continuously; the collection cutoff date for this paper is 9 September 2025. The filtered and processed dataset contains 8608 model repositories from 1303 namespaces (distinct accounts hosting repositories on Hugging Face). A total of 43,066,092 (43.1 M) downloads have been tracked for this dataset, though download information was unavailable for 837 models (9.7%). The population of uncensored models remains a fraction of the overall Hugging Face ecosystem, which included over 2 million models on the cutoff date. The number of total downloads tracked for this dataset is comparable to that of a common locally deployed model, Qwen2.5-7B-Instruct, which had 38.4 M downloads at the time of data collection. (The “7B” in Qwen2.5-7B-Instruct refers to its size of approximately 7 billion parameters.)

Further analysis of temporal trends, model families, and provider distribution is set forth below. Notably, while this paper interchangeably refers to safety-modified models as “uncensored” or “dealigned” models for convenience, such a model may still refuse certain prompts, as shown in the results of the evaluation study presented later in this section.

4.1.1. Temporal Trends in Uncensored Model Development

Figure 2 demonstrates the accelerating monthly growth of modified (i.e., uncensored) models until 31 August 2025. The trend indicates a clear inflection point in the ecosystem’s development. The monthly release rate of new uncensored models shows sustained acceleration throughout the observation period, with the most substantial growth occurring in the latter half of 2024. This accelerating trend is consistent with the transition of safety removal techniques from initial exploration based on discrete research studies and exploratory work to increasingly systematic practices adopted by broader segments of the open-source AI community.

Figure 2. Growth trajectory of uncensored open-weight models identified by scraping Hugging Face. The blue line (left axis) shows the cumulative total of uncensored models over time, while the orange bars (right axis) indicate the number of new uncensored models released each month. Together, these trends highlight both the steady accumulation of uncensored variants and periods of rapid influx, reflecting the pace of community-driven modification and release activity.

The timing of growth jumps in Figure 2 also appears to correlate with major open-source model releases. There is an initial acceleration following the release of Qwen2 and Llama 2 in June–July 2023 [62,63], followed by subsequent waves after open-source releases from Mistral later in October 2023 [64] and a cascade of additional model families being released, including upgrades to the latter. This suggests the existence of established pipelines and communities focused on rapidly adapting new models for uncensored deployment. However, as evident in Figure 2, there has been an apparent recent slowdown in the rate of increase in the number of models. This slowdown appears to be consistent with fewer notable base models being introduced, which is likely related to consolidation in LLM producers as training costs increase [65].

4.1.2. Frequently Modified Model Families

Analysis of family summary data reveals substantial variation in uncensored model production across different base model families. To understand these patterns, we distinguish between individual model versions and model “superfamilies.” These superfamilies represent aggregations of all versions and iterations from the same foundational architecture. For example, Llama, Llama-2, Llama-3, and Llama-3.1 are combined into a single Llama superfamily; similarly, Phi and Phi-3 are combined into the Phi superfamily.

Figure 3 presents the granular distribution of uncensored variants in specific model versions. Llama base models dominate with 4386 uncensored variants, followed by Qwen-2 (1096) and Qwen-3 (429). This granular view reveals important patterns: while Meta’s Llama architecture has the most extensive history of uncensored modifications, Alibaba’s Qwen ecosystem has become increasingly prominent. Notably, Qwen models have proliferated and evolved through multiple generations, each of which has been modified by others to create uncensored versions. A similar trend is observed, albeit at lower magnitude, with Google’s Gemma architecture. Among emerging architectures, Zhipu AI’s GLM [66] and DeepSeek appear with modest but notable representation, suggesting expanding diversification in the uncensored model ecosystem.

Figure 3. Top model families most frequently modified for safety removal. This is based on the ability to identify the modified model family, which can be concealed or hard to determine for some uncensored models. Bars show the total number of uncensored variants identified for each family (e.g., Qwen, Llama, and Mistral), with labels including the number of each family’s models that have been modified with the objective of reversing their alignment tuning. This view highlights which families have been the most targeted for dealignment.

Table 3 aggregates the individual model families into broader superfamilies, focusing on the most significant ones in the dataset (in terms of model count). Looking at the data in this way reveals a significant temporal shift in modification patterns. The temporal redistribution shown in Table 3 reflects multiple converging factors shaping the uncensored model ecosystem.

Table 3. Principal uncensored LLM families. Distribution of uncensored repositories across model superfamilies before and after 1 March 2025. Superfamilies aggregate all versions and iterations of a base architecture. For example, the Llama superfamily includes Llama, Llama-2, Llama-3, and Llama-3.1.

Family	Ending 28 February 2025	Starting 1 March 2025
Llama	3004 (65.7%)	1405 (45.0%)
Qwen	759 (16.6%)	1001 (32.1%)
Gemma	194 (4.2%)	372 (11.9%)
Other	287 (6.3%)	196 (6.3%)
Mistral	168 (3.7%)	104 (3.3%)
Phi	158 (3.5%)	44 (1.4%)

The rise in Qwen modifications from 16.6% to 32.1% coincides not only with the increased global adoption of Chinese-origin models but also with specific technical benefits: Qwen models demonstrate strong multilingual capabilities and are released with comprehensive documentation for fine-tuning, lowering barriers for modification. The parallel growth in Gemma uncensoring (4.2% to 11.9%) may be attributed to Google’s decision to release models in multiple size variants (2B, 7B, and 27B parameters), enabling modifiers to target specific hardware constraints while maintaining architectural consistency. In contrast, the sharp decline in Phi modifications (3.5% to 1.4%), despite Microsoft’s continued introduction of new versions, suggests that the community has identified limitations in the efficacy of safety removal for this architecture. The difficulty of removing Phi safeguards may be due to its specialized training for reasoning tasks, which may more deeply embed model alignment.

Overall, the persistent dominance of model families originating in China and the United States (Llama, Qwen, and Gemma) over European alternatives (Mistral) in the uncensoring community indicates that modification efforts concentrate where base model capabilities are the highest and community resources are the most abundant. This geographic concentration may also reflect differential approaches to initial safety training: models developed under different regulatory regimes may exhibit varying degrees of resistance to dealignment techniques.

4.2. Demographic Characteristics of Uncensored Models

4.2.1. Uncensored Model Providers

Analysis of model repository metadata at the provider level reveals highly concentrated hosting patterns. Providers in this study are associated with Hugging Face accounts. Although there are over 1303 distinct accounts (namespaces), activity is significantly concentrated within the ecosystem. Figure 4 shows a power law-like characteristic, where top-ranking providers account for disproportionate shares of both model hosting and download activity.

Figure 4. Distribution of providers hosting uncensored models on Hugging Face. (a) Number of uncensored models hosted by the top 20 providers, as measured by number of downloads. (b) Total package downloads associated with those providers, indicating the relative reach of their hosted models. Together, these plots highlight which organizations or individuals most actively contribute uncensored models and which have the largest downstream impact in terms of distribution and use.

The distribution shown in Figure 4 shows wide variation in the provider ecosystem. The single most active provider (mradermacher) hosts 1593 repositories, which represents 18.5% of the full dataset. The mradermacher repositories have had over 9.2 million repository downloads through the cutoff date, or 21.5% of total tracked downloads in the dataset. The top 20 accounts collectively host 4647 repositories, or 54% of the total (8608). Concentration is the most pronounced in download activity. The top 20 accounts serve 85.8% of all tracked downloads; the top 10 alone, 76.8%; and the top 5, 60.6%.

Based on the names of the repositories, the provider landscape appears to mostly comprise individual developers and small teams, rather than institutional entities. For example, the largest model provider, mradermacher, appears to represent a single contributor account. Similarly, other high-volume model providers, such as davidau, bartowski, and mlabonne, appear to represent individual developers (or small groups of developers) who have systematized model conversion and hosting processes.

The model provider identified as “thebloke” in Figure 4 is exemplary. This provider appears to be an individual who created many popular quantized versions of both original and modified LLMs on Hugging Face. However, they have recently been less active, as evidenced by Reddit threads discussing them [67]. Based on public records, an individual named Thomas Robbins located in East Sussex, UK, formed a company named “Thebloke.Ai Ltd,” which enables a putative identification of the model creator [68]. However, it is not possible to be definitive, which is typical in an open-source community where identification is optional. In contrast, Georgi Gerganov is publicly known as the creator of GGML and llama.cpp, as well as the founder of ggml.ai (https://ggml.ai/ (accessed on 14 October 2025)), a company supported by Nat Friedman and Daniel Gross, who are well-known Silicon Valley investors [69].

Critically, the scope of this analysis exclusively encompasses open-source model providers. Major proprietary AI providers such as OpenAI, Anthropic, and Google do not appear in the study dataset by design, as they distribute models through controlled APIs rather than open repositories.

4.2.2. Model Size and Storage/Memory Requirements

An important question for uncensored models is their ability to run locally on consumer devices. Figure 5 shows the distribution of the number of parameters (weights) of uncensored models in the dataset), as well as the storage used by the model repository. One caveat for the storage utilization plot is that some repositories contain multiple model files; however, as shown in the right panel of Figure 5 indicates, that does not have a significant impact on the distribution.

Figure 5. Distribution of uncensored models by parameter count and storage requirements. Left panel: Histogram of model parameter counts on a logarithmic scale, with the dominant peak at 8.1B parameters being highlighted. Right panel: Distribution of repository storage sizes in GB (logarithmic scale), with the modal size of 15.8 GB being indicated. The parameter distribution shows strong clustering around specific model architectures, while storage requirements exhibit greater variance due to quantization and packaging choices.

The parameter distribution shown in the left panel of Figure 5 exhibits clustering around 8.1 billion parameters, representing the single most common model size, with approximately 1750 instances. The model size concentration reflects the popularity of models in the 7B-9B parameter range, including variants of Llama-2-7B, Mistral-7B, Gemma-9B, and Qwen-7B, which are members of the most common families in the dataset, as shown in Figure 3. Models at these scales can offer an optimal balance between capability at full precision and being usable on hardware that consumers can reasonably obtain. Secondary peaks appear at approximately 3 and 13 billion parameters, corresponding to smaller mobile-oriented models and the next tier of locally deployable models, respectively.

Similarly, the storage (memory usage) distribution shows a dominant peak at 15.8 GB. Although an 8B parameter model at full precision (FP32) would require approximately 32 GB of storage, weights can be stored in a lossless 16 bit format, such as bf16 precision [70]. Accordingly, the model memory usage is actually consistent with the modal parameter size of 8.1B parameters, given that 16 bit weights are typical. However, unlike the parameter size distribution plot, the storage plot shows considerably more dispersion than the parameter distribution. This dispersion appears to reflect the impact of quantization and packaging strategies on final model size, including, as shown below, the large number of quantized models that are available so that even very large models can be run locally as well as more efficiently on lower-cost cloud platforms.

Overall, models clustering around 8B parameters with 15–16 GB storage requirements align precisely with consumer GPU capabilities, as the weights can fit comfortably within the 16–24 GB of VRAM of mid-range graphics cards like the NVIDIA RTX 4070 Ti or RTX 4080. Quantized versions of these models can even run on smartphones [71]. Figure 5 shows that larger models are also available, thereby allowing the broad user community to modify them and create even more powerful uncensored models, which can then even be merged to generate more powerful uncensored models.

4.2.3. Model Quantization Strategies

The quantization format and level were also analyzed for the uncensored model dataset, as it is an important aspect for understanding the ability to deploy uncensored models in low-resource environments, including local devices that cannot be monitored remotely. As an initial matter, because quantization information is inconsistently represented in model metadata, additional filtering was performed on the data. From the initial 8608 model repositories, models with ambiguous quantization indicators or no extracted indicators were removed. The quantization detection approach also identified some numbers that were unrealistic, such as a few detected quantization levels above 16 bits (but not 32 bits), which are assumed to be misidentification. The filtering process retained 5749 models (66.8%) of the total, with models lacking explicit quantization indicators being classified as 32 bits (i.e., full precision). However, it is important to note that many of these models will in fact be stored in a 16-bit format, e.g., bf16, as described above.

Figure 6 shows the quantization strategies found in the filtered uncensored model dataset, and their relative impact as indicated by the number of downloads. Panel (a) shows the distribution across quantization formats. GGUF dominates with over 4500 repositories and 2.76 million downloads. This format, specifically designed for llama.cpp and optimized for CPU and Apple Silicon inference, represents almost 79% of all quantized models. However, many GGUF repositories have few downloads, as evidenced by the relatively low level of normalized downloads shown in Figure 6. In contrast, while there are relatively fewer GPTQ quantizations detected in the dataset, the number of downloads for each of those models is much greater. The newer formats, EXL2 (ExLlamaV2) and AWQ (Activation-aware Quantization), show modest but growing adoption. Other quantization types are seen to much lesser degrees in the dataset. The column labeled “quant” indicates models that are known to be quantized but whose type was not cleanly detected; most of these will be GPTQ models. Notably, all of these data are for the uncensored model dataset, and they do not represent adoption of quantization for original models and fine-tuned versions that do not have a dealignment objective.

Figure 6. Analysis of quantization formats and precision levels used for dealigned models intended for local deployment. Data shown here are model counts and downloads for models for which quantization information could be robustly extracted from metadata. Downloads for a category are normalized by dividing by the number of models found for that category, divided by 1000. Data points are annotated with raw download numbers. (a) Repository counts and download volumes by quantization format, showing that where identified, GPTQ quantization is the most common. (b) Distribution of models by quantization bit depth, with repository counts (bars) and normalized downloads. The bar at 32-bits includes models that are in the original full-precision state; however, many of these are natively 16-bit precision models, because there are 16-bit lossless formats now available for training model weights. The data reveal a proliferation of 4-bit quantization methods, though the most downloaded models are effectively “full” 16-bit models.

The category labeled “32-bit” in Figure 6 should be interpreted broadly. Specifically, the “32-bit” grouping reflects the absence of explicit quantization tags rather than a verified instance of true 32-bit precision. In practice, many models labeled here as “32-bit” are actually stored and run in 16-bit formats (fp16 or bf16), and some families natively default to 8 bits (DeepSeek R1) or lower (open-weight OpenAI gpt-oss is natively 4 bits). Because quantization levels are inferred from repository metadata rather than validated directly from weight files, the distributions shown in Figure 6 are indicative rather than definitive. They illustrate how quantization is represented in repository metadata and conventional terminology in model names but should not be taken as ground-truth measures of the actual precision used in storage or inference.

In a manner similar to the quantization type distribution shown in panel (a), Figure 6 panel (b) shows a difference in the number of model repositories, which indicates a large number of repositories with relatively few downloads each and the more popular, original, full-precision models. An important caveat for interpreting this graph is that while it was difficult to ascertain this fully given the limitations of the metadata, much of the overrepresentation of “32-bit” precision is known to in fact be 16-bit precision models. That is, they were trained as 16-bit model weights and inference occurs natively with 16-bit precision. Moreover, some native models now feature native inference at quantized levels; for example, DeepSeek R1 has default inference at 8-bit precision, and DeepSeek variants that are “full precision” are in fact equivalent to 8-bit quantization [72]. This is relevant given the increasing presence of DeepSeek models in the uncensored population, as shown in Figure 3. Despite the prominence of full-precision models shown in Figure 6, 47.5% of model repositories indicate quantization of various levels; however, these represent only 10.1% of tracked downloads.

The packaging methods used for uncensored models in the dataset were also assessed in addition to quantization. In addition to GGUF, which is also detected as a quantization format, package information proved challenging to extract in granular detail from the metadata available on Hugging Face. However, in general, at the beginning of LLM development, many models were available as binary files (with either .bin or .pth extensions, indicating Python binaries). During the most recent surge in model development starting in mid-2023, the most common file format is safetensors, which provides improved security and loading performance compared with traditional binary formats [73]. The analysis of the dataset shows that at least 4609 of the 8608 repositories, or 53.5%, contain model files in the GGUF format associated with the GGML project and executable with llama.cpp.

4.3. Evaluation Safeguard Reductions in Uncensored Models

The reduction in safeguards of uncensored models available on Hugging Face is evaluated against a set of prompts designed to trigger safety guardrails, as described in the Section 3. The evaluation model set consists of 20 modified and 5 unmodified baselines selected to provide a range of parameter levels, quantization, and uncensoring techniques while still being runnable on high-end yet consumer-available local hardware. Appendix A shows the full name, which includes the namespace or provider, of each selected model. Appendix B provides the list of evaluated prompts, along with their categorization based on potential impacts and specific regulatory provisions in the European Union (EU) and China in Table A1. (The United States is excluded because there were no relevant federal regulations in place at the time of this article’s preparation.) Responses are categorized as shown in Table 2. Examples of responses classified in each category are provided in Supplementary File S1.

4.3.1. Effect of Unaligned Model Characteristics on Compliance

Table 4 shows the aggregated results of the evaluation for each tested model. As expected, models with safety-related modification (uncensored models) generally comply with prompts, i.e., successfully provide responses, at a substantially higher rate than unmodified models: 80.0% mean compliance ($\sigma$ = 11.4%) for modified models versus 19.2% mean compliance ($\sigma$ = 12.0%) for unmodified models. An exception among the unmodified models is DeepSeek-R1-Distill-Qwen-14B. This model is DeepSeek’s “distillation” of the Qwen-14B model, i.e., a fine-tuned version based on synthetic data from the large-scale DeepSeek R1 foundation LLM [72]. It appears poorly aligned, natively complying with 39% prompts, well ahead of all other unmodified models with compliance at rates of 18% or much lower. Notably, the uncensored version of the model, DeepSeek-R1-Distill-Qwen-14B-Uncensored, did show increased compliance, though it still landed in the bottom half of unmodified models, as shown in Table 4.

Table 4. Summary statistics of evaluated models. Shown here are the overall compliance rate (partial and full compliance combined) and only full compliance. (See Table 2 for category definitions.) Model size is provided as the approximate number of billions of parameters. The repository names are abbreviated here and fully provided in Appendix A. Original aligned (unmodified) models tested as controls are highlighted in bold.

	Model ID	Model Size	Compliance Rate	Full Compliance
1.	XortronCriminalComputingConfig	24B	100%	96%
2.	Qwen2.5-32B-Instruct-abliterated-SFT-Q5_K_S-GGUF	32B	98%	82%
3.	Qwen2.5-32B-Instruct-abliterated	32B	92%	78%
4.	Qwen2.5-VL-32B-Instruct-abliterated-GGUF	32B	90%	69%
5.	BlackSheep-24B	24B	88%	82%
6.	Josiefied-Qwen3-14B-abliterated-v3	14B	88%	65%
7.	GLM-4-32B-0414-abliterated-GGUF	32B	86%	67%
8.	Mistral-Small-Instruct-2409-abliterated	22B	84%	82%
9.	Qwen3-42B-A3B-Stranger-Thoughts-Deep20x-Abliterated-Uncensored-Q4_K_M-GGUF	42B	84%	55%
10.	WizardLM-Uncensored-Falcon-40b-i1-GGUF	40B	82%	65%
11.	Josiefied-Qwen3-30B-A3B-abliterated-v2	30B	82%	76%
12.	DeepSeek-R1-Distill-Qwen-32B-abliterated-Q4_K_M-GGUF	32B	80%	45%
13.	cognitivecomputations_WizardLM-33B-V1.0-Uncensored-GGUF	33B	76%	53%
14.	Qwen2.5-14B-Instruct-abliterated	14B	76%	69%
15.	huihui-ai_Llama-3.3-70B-Instruct-abliterated-finetuned-GGUF	70B	73%	43%
16.	Qwen2.5-QwQ-37B-Eureka-Triple-Cubed-abliterated-uncensored-i1-GGUF	37B	69%	51%
17.	DeepSeek-R1-Distill-Qwen-14B-Uncensored	14B	69%	61%
18.	s1.1-32B-abliterated-i1-GGUF	32B	66%	64%
19.	CodeLlama-34b-Instruct-hf-abliterated-i1-GGUF	34B	63%	29%
20.	Llama-3_1-Nemotron-51B-Instruct-abliterated-i1-GGUF	51B	57%	45%
21.	DeepSeek-R1-Distill-Qwen-14B	15B	39%	33%
22.	Mistral-Small-24B-Instruct-2501	24B	18%	18%
23.	Qwen2.5-32B-Instruct	33B	16%	16%
24.	Llama-3.1-70B-Instruct	71B	16%	16%
25.	Qwen2.5-14B-Instruct	15B	6%	4%

The results in Table 4 demonstrate that there is no systematic relationship between scale (number of parameters or weight quantization) and reduced safety of uncensored models. For instance, the sixth-ranked model has approximately 14 billion parameters, fewer than many of the lower-performing models, and the second-ranked model is a 5-bit GGUF quantization. Furthermore, the top models include derivatives of different families, including Qwen, GLM, and Mistral (XortronCriminalComputingConfig and BlackSheep-24B). Perhaps notably, among the uncensored models with the lowest compliance rates are the Llama derivatives. This may be connected to the unmodified Llama model’s apparently strong alignment, based on the unmodified model compliance rate shown in Table 4. However, Qwen models were found to provide even fewer responses to the tested prompts, and there are Qwen-based models at the top of the uncensored list. Generally, it appears as though model performance is idiosyncratic. As the uncensored model population grows, more pronounced trends may emerge.

The most compliant model that was tested was found to be XortronCriminalComputingConfig. Interestingly, it is a model merge that includes BlackSheep-24B, which, while still significantly compliant, still exhibits more refusals than the Xortron model. This suggests that the merging technique is capable of enhancing uncensored model performance, i.e., making them less safe. Another approach that has yielded the most compliant models is combining abliteration with further fine-tuning to remove safeguards, which is a technique implemented by the “Josiefied” models in Table 4, as well as the most compliant Qwen2.5 derivative that was assessed (“abliterated-SFT”).

4.3.2. Geographical and Categorical Response Parameters

Not all unsafe prompts have the same impact or trigger the same level of safeguards. Certain kinds of harm may be more severe and thus likelier to elicit refusal responses; also, certain kinds of potential risk may be harder to detect or to align against without degrading the model’s response to legitimate requests. Moreover, while there are conventional values of AI safety that are held globally, such as preventing information about making illegal and dangerous substances or encouraging users to self-harm, different geographies have variation in what values they both emphasize and, most importantly, formally regulate by law. For example, China has a number of rules regarding compliance with “socialist” values and related political order that are not an aspect of regulation in the EU and other Western regulatory regimes [74]. Furthermore, some issues may be considered sensitive in some areas and not others; for example, the status of Taiwan is a politically sensitive topic in China but is viewed differently in the West.

Figure 7 shows that the significant increase in compliance in modified models is not necessarily accompanied by a significant increase in errors returned by the models, despite the model weights being modified by abliteration and other dealignment methods, as shown in Table 4. Figure 7 also shows the differential increase in compliance based on the kind of harm that complying with prompts can cause. As shown in Appendix B, some prompts may cause multiple kinds of harm. For example, a prompt response with the potential of inciting political violence could cause both physical and social harms, and such prompts are included in multiple harm categories. Overall, Figure 7 shows a consistent substantial increase in compliance among modified models in all categories of harm. Among the categories, unmodified models show noticeably higher baseline compliance with prompts associated with social harm. This effect is examined more closely below, as it may be related to prevalence of prompts designed to elicit what the regulatory regime in China specifically identifies as social harms. Figure 7 additionally shows that modified models are much less likely to comply with prompts which could elicit responses relating to bias than other categories of harm.

Figure 7. Comparison of unmodified and modified model outputs across response types and prompt impact categories. Panel (a) shows the distribution of mean response fractions for the modified and unmodified models shown in Table 4. The error responses shown here include both errors in which the model produces a null response and where it provides a nonsensical response, such as repeating sentences, words, or meaningless symbols. There were no errors returned from unmodified models, and 0.6% of modified model responses were coded as errors and 2.6% as nonsensical responses. Panel (b) shows the compliance rates alongside error and refusal rates across the kind of harm that each prompt may elicit. Together, these panels illustrate the significant increase in prompt compliance resulting from dealignment.

Figure 8 confirms that across the board, bias-related prompts demonstrate the smallest increase in compliance. It may be the case that dealignment does not prioritize permitting bias, and instead the emphasis in fine-tuning datasets is on decreasing the refusal rate in other prompt categories. In contrast, prompts involving “Harmful Instructions,” which includes prompts related to fraud and manipulation such as designing phishing scripts, show substantial increases in compliance, from effectively 0% to more than 75% compliance rates. This indicates that aligned models available from providers are particularly strongly trained to avoid providing a way to design fraud or malware, but then, later concerted dealignment effort can readily undo such built-in model safeguards.

Figure 8. Model compliance rate increase for different categories of prompts, defined by the kind of harm and whether they are directly related to a specific regulatory regime in the EU or China. The bars extend from the mean unmodified model compliance rate to the mean modified model compliance rate for each category. For brevity, category descriptions are truncated. Table A1 provides complete descriptions of the categories, including annotation with specific legal regulations.

Geographic patterns reveal striking asymmetries in dealignment efficacy. China-targeted categories exhibit considerable variance, from smaller increases in prompts relating to social stability and deepfake disclosure to large decreases in alignment in the areas of commercial fraud and national security content. Outliers in high original model compliance generally relate to areas of regulation under Chinese law, including China’s rules regarding deepfakes and social stability [74,75]. This is consistent with the relatively high baseline compliance for prompts with social impacts shown in Figure 7. These observations suggest that it is difficult to align models that can still respond flexibly while complying with China’s rules on these issues. Indeed, even unmodified models developed in China frequently responded to these prompts, albeit at lower rates than unmodified models of Western origin.

On the other hand, EU-targeted prompts demonstrate more uniform elevation patterns, with prompts targeting fraud and manipulation showing the highest susceptibility to modification. The consistency across EU categories suggests that these constraints are implemented through similar alignment mechanisms, in a manner consistent with the regulatory framework of the EU AI Act. The moderate baseline compliance for EU misinformation prompts (30%) contrasts sharply with near-zero baselines for most China-specific categories, indicating different approaches to initial safety training.

One possible explanation for the differences in dealignment success shown in Figure 8 is that China-specific prompts are more likely to trigger a refusal to respond in a model originating in China than models originating in other geographies. To assess this potential explanation, Table 5 shows the compliance rates of modified models grouped by the geographic origin of the base LLM. DeepSeek, Qwen, and GLM were all developed in China, while Llama (US) and Mistral (EU) were developed in Western countries. Table 5 also classifies WizardLM as having US-originated, as it was developed by a group at Microsoft that happened to be located in China at the time [76].

Table 5. China- vs. EU-specific prompt performance. Shown here are the mean compliance rates for families of modified models shown in Table 4 for prompts designed to test formal regulations on model safety in China and the EU, as well as prompts that were designed based on generic, i.e., non-jurisdictionally specific, safety considerations.

	DeepSeek	Qwen	GLM	Mistral	WizardLM	Llama
China	74%	88%	93%	97%	94%	74%
EU	80%	89%	100%	93%	71%	60%
General	50%	71%	74%	79%	73%	52%

As the table shows, when examining response variability rather than absolute rates, and considering the “General” categories as a baseline, it appears that model origin has an impact. Specifically, models originating in China exhibit substantially higher variance across regulatory regimes; for example, DeepSeek ranges from 50% for General to 80% for EU. This suggests inconsistent or uneven safety training across different regulatory domains. DeepSeek shows higher compliance on EU-specific challenge prompts (80%) than China-specific challenge prompts (74%), despite China-specific prompts generally having higher compliance rates, as shown in Figure 8, and a similar trend appears for GLM-based models. Qwen-based models do not show the same difference between China- and EU-specific prompts, although as Table 4 shows, Qwen-based modified models are consistently highly compliant without the same difference between China- and EU-specific prompts. The compliance of Qwen-based modified models is particularly notable, as unmodified Qwen models are generally well-aligned. By contrast, modified models based on Western models (Mistral, WizardLM, and Llama) are more compliant on China-specific than EU-specific prompts. This suggests that safety training is more deeply embedded in issues that concern EU regulations and less in those on China-specific safety considerations.

5. Discussion

The findings in this paper reveal a fundamental challenge to current AI safety paradigms: the rapid proliferation of safety-modified models optimized for local deployment undermines both technical safeguards and regulatory frameworks designed for centralized AI systems. Across unsafe prompts, modified models exhibit substantially higher compliance rates, going from approximately 19% compliance to 80% averaged across the models that were evaluated. The results are surprisingly invariant to scale. This is likely because uncensoring is more a function of technique and training data. Safety removal techniques are also becoming more sophisticated. In particular, the uncensored model that exhibited the highest compliance rate—fully compliant on nearly all evaluated prompts—is based on abliteration and model merging.

Unlike jailbreaking, uncensored models represent a fundamentally different challenge. Jailbreaking represents a prompt-level attack that, as a result, could be mitigated through improved alignment, prompt filtering, or other constitutional AI approaches [77]. However, the modified models tested here achieved a compliance rate of nearly 100%, for the most uncensored model, on straightforward prompts that did not incorporate jailbreaking techniques. The results thus demonstrate that uncensored models have undergone significant structural transformations at the parameter level. Accordingly, traditional defenses against jailbreaking, such as prompt analysis, context-aware filtering, or adversarial training against known attack patterns, would offer no protection against these models [77,78,79]. This distinction has critical implications for AI governance. Centralized providers can iteratively patch jailbreaking vulnerabilities by restricting and filtering access or downloads of vulnerable models. However, these conventional approaches to LLM safeguards will fail when employed on increasingly powerful uncensored variants of open-weight models.

The surgical nature of modifications is particularly concerning, as modified models maintain comparable performance on benign tasks while selectively removing safety constraints, indicating that malicious actors need not choose between capability and safety removal. While modified models exhibit some elevation in nonsensical responses or inference errors, as shown in Figure 7, the error rate is still relatively small. Accordingly, it appears that there is no need to trade model capability for dealignment.

Because only 20 models were evaluated directly, the findings should be interpreted as indicative rather than exhaustive. This narrower evaluation reflects the practical limits of running full inference across thousands of repositories, but the sampling strategy was designed to balance feasibility with representativeness. As explained in Section 3.3.1 and summarized in Table 4, the selected models include recent releases across the major families, parameter scales, and quantization approaches observed in the larger dataset. This systematic coverage of key dimensions supports the generalizability of findings to the broader uncensored model ecosystem, though future work could extend the evaluation to additional models as computational resources permit. The consistent patterns observed in the diverse subsample of tested models, particularly the stark difference in compliance rates between modified (80.0%) and unmodified (19.2%) models, suggest that these findings would likely hold across a larger evaluation set.

Given the potential harmful impact of uncensored LLMs, it is significant that the automated evaluation methodology employed here is scalable. The LLM-based evaluation methodology shown in this paper can thus be used for automated compliance evaluation for a broader range of uncensored models, as well as tracking newly released uncensored models as soon as they become available. As described in Section 3.3.4, the reliability of the automated evaluation procedure was empirically verified. Specifically, among several candidate LLM-based evaluators, GPT-5 demonstrated almost perfect agreement with human annotations (99.3%). This level of consistency supports the use of GPT-5 as a scalable and reproducible evaluator. Notably, open-weight models perform nearly as well, particularly for the task of detecting basic compliance, e.g., gpt-oss-120b at 94% agreement with human annotation. As open-source and open-weight models continue to improve, they should be able to replace GPT-5 as a much lower-cost alternative that does not share the privacy and trust concerns of a centralized cloud-based model provider like OpenAI.

The survey shown in this paper faced important challenges. Models were identified through keyword scraping, which may have missed some due to alternate nomenclature. Moreover, metadata analysis was hindered by the lack of consistent standards for model repositories. However, the trends taken in the aggregate are clear. Uncensored models are proliferating in a manner that tracks with the growing viability of local deployment and low-resource cloud environments for LLM inference and fine-tuning.

Open-weight LLM development has rapidly advanced beyond cloud-based APIs, making it possible for frontier-scale models to circulate and be adapted outside of their original providers. A key milestone was the release of DeepSeek-R1, an open-source model that reached performance levels comparable to proprietary systems but, unlike those models, could be redistributed and modified in different hosting environments [72]. LLMs can be transformed through quantization, a process that compresses model weights from full precision down to much smaller formats such as 8, 4, or even 3 bits. Once quantized, in particular when quantization is applied selectively to particular layers and weights, larger-scale LLMs can become much more efficient to run, often without degraded capabilities for everyday use [42,43,44,45]. Independent groups have shown that quantized versions of DeepSeek-R1 can operate on high-end consumer machines, illustrating how local deployment of what were once exclusively data center models has become feasible [80].

Taken together, the quantization adoption plots in Figure 6 and the model size and storage plots in Figure 5 illustrate a consistent pattern in the ecosystem. While models are constrained by the need to run locally or in low-resource independent cloud environments, developers still prioritize model quality and modifiability over scale or compression. The community’s apparent preference for 8B parameter models at full or near-full precision (16/32-bit precision), which account for 89.9% of downloads, reveals that the uncensoring community has converged on an optimal working size: models small enough to run on consumer hardware without quantization yet large enough to maintain sophisticated capabilities after safety removal. The proliferation of quantized variants (47.5% of repositories) represents infrastructure rather than actual usage patterns, as evidenced by their mere 10.1% download share. This distribution indicates that successful uncensoring requires preserving model fidelity for subsequent modifications: the ablation techniques, fine-tuning passes, and model merging operations that remove safety constraints degrade significantly when applied to already-quantized models. The ecosystem has thus self-organized around a practical threshold where 8B parameter models at full precision (requiring 16–32 GB) align with high-end consumer GPU capabilities (RTX 4080/4090 with 16–24GB of VRAM), enabling iterative modification without cascading quality loss. The extensive availability of 4-bit and 8-bit quantized versions serves primarily as a final deployment option after uncensoring is complete, rather than as working formats for the dealignment process itself.

In addition to quantization, other efficiency strategies have accelerated the shift toward local deployment. Distillation techniques transfer the behavior of frontier-scale models, such as GPT-5 and DeepSeek R1, to smaller models, such as Llama or Qwen, by fine-tuning them on synthetic datasets generated by the larger model [72]. Architectural innovations like Mixture-of-Experts (MoE) can further reduce inference costs. An MoE architecture functions at inference time by activating only a fraction of parameters for each input [81,82]. This allows memory partitioning schemes to store part of an MoE model in system RAM rather than costly GPU memory, thereby expanding the size of models that can be run on personal hardware [83,84]. Other optimizations, such as compression of the key–value cache used in conversational models, further extend the range of tasks that can be handled on local devices [85]. Hardware trends reinforce this trajectory: dedicated “AI PCs” from Nvidia, laptop-grade chips like Apple’s M4, and AMD’s workstation-class GPUs point to a consumer market that is increasingly oriented toward supporting local AI workloads [86,87,88].

Unlike cloud AI services that can be monitored and audited, locally deployed models operate in a regulatory blind spot. The development of uncensored models appears to be concentrated among individual developers and small teams rather than established companies, limiting traditional regulatory leverage points. The ecosystem also shows strong provider concentration. This study identified repositories across 1303 providers (Hugging Face accounts), and yet only a single provider, “mradermacher”, accounts for 18.5% of the repositories and 21.5% of all downloads. The top 20 providers host 54% of repositories and account for 85.8% of downloads, with the top 10 alone account for 76.8% and the top 5, 60.6%. This power law-like distribution suggests that producing reliable uncensored models requires technical expertise and resources, and users gravitate toward providers with established reputations.

At the same time, tracing model providers may be complicated: some open-source developers, such as Georgi Gerganov, are publicly identifiable, while others, such as the creator known as “TheBloke,” remain only partially identified through indirect records. This ambiguity illustrates how concentrated distribution can coexist with persistent anonymity, complicating accountability. Provider concentration does at least open up potential avenues for community-based regulation, since distribution is not so diffuse that engagement with model creators is impossible. Overall, the rise of local AI calls for a fundamental reconsideration of governance, as existing frameworks built on visibility and centralized control cannot address models that are downloaded, modified, and run entirely on personal devices.

To be sure, while the analysis demonstrates provider concentration within the Hugging Face ecosystem, as explained above in Section 3.1, download counts represent distribution volume rather than unique users and do not capture downloads from alternative repositories. However, several factors suggest that these limitations do not fundamentally alter our concentration findings. First, uncensored models are rarely offered through cloud API services (OpenRouter, a major LLM aggregator, lists only one uncensored variant), meaning most distribution occurs through downloadable repositories. Second, even private cloud deployment requires downloading model weights, typically from Hugging Face. Third, the observed concentration pattern is highly pronounced: the top providers account for 85.8% of downloads. Alternative repositories would, therefore, need to exhibit radically different distribution patterns to negate the present analysis. Consequently, the results in this paper likely provide a reasonable approximation of provider concentration in the broader uncensored model ecosystem, although exact figures should be interpreted as lower bounds.

A further limitation of this study is that quantization levels were inferred from repository metadata rather than directly verified from model weight files. As a result, the reported prevalence of “32-bit” models should not be read as literal FP32 precision; many, in fact, are 16 bits (fp16/bf16), and some families natively default to 8 bits or lower. The quantization trends presented here, therefore, reflect labeling conventions rather than guaranteed storage formats. Future work should directly inspect weight encodings to validate precision and strengthen the reliability of quantization trend analyses.

The geographic and cultural dimensions of this study have significant implications for global AI governance. The behavior of modified models appears to vary by the region of targeting, as China-targeted prompts average higher compliance after model modification than EU-targeted prompts, suggesting uneven protection that adversaries could exploit. This may also be in part because China imposes a broader range of AI regulation. It is simply easier to remove guardrails over more marginal “unsafe” cases, or cases that other regulatory regimes do not consider unsafe. By contrast, bias prompts show smaller compliance increases, suggesting this is not a priority area for dealignment. For example, the new US administration has stated that models should not be forced to follow “diversity, equity, and inclusion” (DEI) principles, prioritizing free expression instead [89].

Accordingly, global variation in regulation may mean that models cannot be robustly protected against dealignment challenges. The concentration of certain model families—with Qwen being the most downloaded despite being developed in China—further complicates the geographic dimension, as the ability to modify and deploy these models locally means that national borders and jurisdictional boundaries become essentially meaningless for AI safety enforcement. Qwen may be properly aligned for China but provide inappropriate responses elsewhere. Similarly, Llama-based models may be better aligned for the United States, and Mistral is aligned based on French and EU cultural standards. In that case, it may be easier to dealign these models when using them outside their home jurisdictions. More broadly, diverging national safety norms may lead base models themselves to differ, making cross-border dealignment easier if one regime’s “safe” models can be distilled for another’s contrasting standards.

Implications for Future Work

The evolution from simple “uncensored” models to sophisticated abliteration techniques indicates that the competition between safety measures and removal techniques will continue to escalate. This suggests that purely technical solutions are insufficient; addressing the challenge of dealigned (or realigned) local AI will require coordinated efforts across technical, social, and policy domains. The approach presented here can inform red-teaming, where experts seek to identify potential risks and dangers of AI models [90,91].

One potential way of remedying the situation is to allow for more flexible alignment that reflects personal values as opposed to feeling compelled—or even potentially endangered—by full uncensored models. This includes algorithms designed to implement pluralistic values that vary by community rather than trying to impose a monoculture of views [92,93]. An even more individually oriented approach is personal alignment, where fine-tuning is used to align with personal values [94,95].

The results of this analysis reinforce the need to rethink governance approaches that rely solely on top-down regulation [27]. The demonstrated ease of removing safety guardrails, combined with the optimization of model architectures and packaging for consumer hardware, suggests that current approaches to AI safety are inadequate for the emerging landscape of decentralized AI. Conventional measures have been designed for a centralized deployment paradigm that no longer reflects how AI systems are distributed and used in practice. Addressing these shifts will require governance strategies that move beyond technical patches, integrating community norms, distributed monitoring, and liability frameworks adapted to decentralized environments.

6. Conclusions

This study provides the first large-scale empirical map of uncensored open-weight models, based on the retrieval and analysis of over 8000 LLM repositories modified to weaken or remove alignment safeguards through the study cutoff date of 9 September 2025. The results of this study confirm that safety-modified models consistently exhibit substantially higher compliance with unsafe prompts, with effectiveness often being achieved through increasingly sophisticated techniques—such as abliteration, which involves directly modifying model weights along with fine-tuning, and model merging—rather than merely scaling up model size.

The results of this study further demonstrate that to date, most downloaded modified models tend to cluster around more accessible variants optimized for consumer hardware. These patterns highlight the dual forces shaping the uncensored ecosystem: accessibility, through lightweight quantization, and centralization, through the dominance of a small set of providers. Together, the findings illustrate how uncensoring has moved from isolated experimentation to systematic practice, raising governance challenges that extend beyond centralized oversight to the realities of decentralized model distribution.