Token smuggling is an adversarial technique that exploits the subword tokenization process of large language models to bypass safety filters. By splitting a prohibited term across multiple tokens—such as encoding "bomb" as "bo" + "mb"—the attacker conceals the malicious intent from simple keyword-blocking mechanisms that scan for exact string matches in the input text.
Glossary
Token Smuggling

What is Token Smuggling?
Token smuggling is a jailbreak technique that encodes forbidden words or instructions using non-standard tokenization artifacts to evade keyword-based safety filters.
The attack leverages the inherent disconnect between human-readable text and the model's internal token representation. Since safety classifiers often operate on raw text before tokenization, a smuggled payload passes inspection as innocuous fragments, yet the model's tokenizer reassembles the fragments into the forbidden concept during inference, effectively executing the concealed instruction.
Key Characteristics
Token smuggling exploits the gap between human-readable text and model tokenization to evade safety filters. These techniques manipulate how input is segmented into tokens, hiding forbidden content from pattern-matching defenses.
Subword Fragmentation
The core mechanism splits forbidden words across token boundaries so they never appear as a single, recognizable unit in the model's input.
- Example: The word 'bomb' might be split as 'b' + 'omb' or 'bo' + 'mb'
- Why it works: Safety classifiers scan for exact token sequences matching prohibited terms; fragmented tokens evade these signatures
- Execution: Attackers insert spaces, zero-width characters, or exploit natural subword boundaries to force the tokenizer to segment words differently
- Impact: The model still reconstructs the semantic meaning during inference, but the filter sees only innocuous fragments
Unicode Normalization Exploits
Attackers substitute standard characters with visually identical Unicode homoglyphs that tokenize differently, bypassing text-based filters while remaining readable to the model.
- Homoglyph substitution: Replacing 'a' (U+0061) with Cyrillic 'а' (U+0430) changes tokenization entirely
- Normalization gap: Safety filters may not normalize Unicode before scanning, while the model's tokenizer processes the raw bytes
- Combining characters: Using diacritical marks to split tokens without altering visual appearance
- Zero-width characters: Inserting U+200B (zero-width space) between characters forces token boundaries where none should exist
Byte-Pair Encoding Manipulation
BPE tokenizers merge frequent character pairs into single tokens. Attackers exploit this by constructing inputs that force specific, unexpected tokenization patterns.
- Rare token forcing: Using uncommon character combinations to ensure words tokenize as individual bytes rather than merged subwords
- Vocabulary gap exploitation: Targeting words absent from the tokenizer's vocabulary, which default to character-level tokenization
- Merge rule awareness: Understanding which character pairs the BPE algorithm merges first allows precise control over final token boundaries
- Cross-token reconstruction: The model's attention mechanism reassembles meaning across fragmented tokens during processing
Multi-Modal Token Smuggling
In multimodal systems, forbidden instructions can be encoded in non-text modalities that bypass text-only safety filters while being interpreted by vision or audio encoders.
- Image steganography: Embedding malicious text as rendered pixels that OCR-like vision encoders read but text filters never see
- Audio frequency encoding: Hiding instructions in spectrogram patterns or ultrasonic frequencies processed by audio tokenizers
- Cross-modal attention leakage: Instructions in one modality influencing generation through shared latent representations
- File format exploitation: Using metadata fields, EXIF data, or comment sections that tokenizers process but filters ignore
Defense: Canonicalization-First Filtering
The primary defense normalizes all input through a strict canonicalization pipeline before any safety scanning occurs.
- Unicode normalization: Apply NFKC normalization to collapse homoglyphs and combining characters into standard forms
- Whitespace canonicalization: Strip zero-width characters and normalize all spacing before tokenization
- Re-tokenization verification: Tokenize, detokenize, and re-tokenize input to detect fragmentation anomalies
- Semantic similarity scanning: Deploy embedding-based detectors that catch smuggled content by meaning rather than exact token match
- Limitation: Aggressive normalization can break legitimate multilingual input and requires careful tuning
Defense: Token-Level Anomaly Detection
Statistical defenses analyze token sequences for structural anomalies characteristic of smuggling attempts without relying on keyword blocklists.
- Perplexity scoring: Smuggled inputs often exhibit unusual token distributions with higher statistical surprise
- Token boundary analysis: Detecting unnatural splits where semantic units are fragmented across improbable boundaries
- Attention pattern monitoring: Smuggled content creates distinctive cross-token attention patterns as the model reconstructs hidden meaning
- Byte-level inspection: Scanning raw UTF-8 byte sequences for encoding tricks before tokenization occurs
- Adversarial training: Fine-tuning safety classifiers on known smuggling patterns to recognize fragmentation signatures
Frequently Asked Questions
Token smuggling is a sophisticated jailbreak technique that exploits the fundamental mechanics of language model tokenization to evade safety filters. By encoding forbidden words or instructions using non-standard tokenization artifacts—such as splitting them across multiple tokens—attackers can bypass keyword-based detection systems. The following questions address the core mechanisms, attack vectors, and defense strategies that security engineers and AI safety teams must understand.
Token smuggling is an adversarial technique that encodes forbidden words or instructions using non-standard tokenization artifacts to evade keyword-based safety filters. It works by exploiting the discrepancy between how a text string is represented as human-readable characters and how a language model's tokenizer decomposes it into discrete tokens. For example, the word 'violence' might be split across two tokens—'viol' and 'ence'—by inserting a zero-width joiner or other Unicode artifact between the syllables. A naive string-matching filter scanning for the substring 'violence' will fail to detect it, yet the model's tokenizer will reconstruct the semantic meaning during inference. This attack class is particularly dangerous because it targets the preprocessing layer that sits between user input and model processing, a layer often assumed to be a reliable first line of defense. Sophisticated variants use byte-pair encoding artifacts, Unicode normalization quirks, and multi-lingual token boundary manipulation to construct payloads that appear benign to regex-based scanners but resolve into harmful instructions when tokenized by the target model.
Token Smuggling vs. Related Obfuscation Techniques
A feature comparison of techniques used to encode or disguise malicious instructions to evade keyword-based safety filters.
| Feature | Token Smuggling | Base64 Injection | CipherChat |
|---|---|---|---|
Core Mechanism | Exploits tokenization artifacts by splitting forbidden words across multiple tokens | Encodes entire malicious payload in Base64 format to bypass text classifiers | Instructs model to operate under a substitution cipher, shifting safety context |
Evasion Target | Keyword and regex-based input filters | Text-based safety classifiers and pattern matching | Semantic safety alignment trained on natural language |
Payload Visibility | Fragmented; forbidden terms are not contiguous in raw text | Obfuscated; appears as random alphanumeric string | Disguised; appears as nonsensical ciphertext |
Model Capability Required | Standard tokenizer processing | Ability to decode Base64 and execute decoded instructions | Ability to consistently apply and interpret cipher rules |
Detection Difficulty | High; requires deep tokenization-aware scanning | Moderate; detectable via entropy analysis and Base64 pattern recognition | High; requires semantic analysis of non-standard linguistic patterns |
Primary Defense | Token-boundary-aware input sanitization | Input decoding and entropy-based anomaly detection | Representation engineering and activation steering |
Attack Complexity | Low; requires understanding of target tokenizer behavior | Low; simple encoding with standard libraries | Moderate; requires crafting consistent cipher instructions |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Token smuggling exploits the gap between human-readable text and model tokenization. These related techniques form the broader attack surface against LLM input safety filters.
Base64 Injection
An obfuscation technique that encodes a malicious prompt in Base64 format to bypass text-based safety classifiers. The attack relies on the model's ability to decode and execute the hidden instruction during autoregressive generation. While token smuggling manipulates token boundaries, Base64 injection exploits the model's instruction-following capability to perform decoding as a computational step.
- Encoded payloads evade keyword filters
- Model acts as both decoder and executor
- Defenses must inspect decoded semantic content
CipherChat
A jailbreak method that instructs a language model to communicate using a simple substitution cipher. Safety alignment trained on natural language patterns fails to recognize harmful content when encoded in ciphertext. This technique exploits the distributional shift between training data and cipher-encoded inputs, similar to how token smuggling exploits tokenization artifacts.
- Caesar cipher and Morse code variants documented
- Model safety training lacks cipher representations
- Demonstrates brittleness of surface-level alignment
Perplexity Filter
A defense mechanism that analyzes the statistical likelihood of an input sequence under the model's training distribution. Token-smuggled prompts often exhibit anomalously high perplexity because the forced token splits create unnatural sub-word sequences. Perplexity filters flag these statistical outliers before model processing.
- Measures n-gram probability of input tokens
- Effective against adversarial suffixes and token splits
- Can be bypassed with fluency-optimized attacks
- Low computational overhead for real-time filtering
Adversarial Suffix
A seemingly nonsensical string of characters appended to a malicious prompt that exploits model gradients to maximize the probability of an affirmative harmful response. While token smuggling hides forbidden words through tokenization artifacts, adversarial suffixes use gradient-based optimization to discover token sequences that suppress refusal behavior.
- Generated via GCG (Greedy Coordinate Gradient) attacks
- Universal suffixes transfer across similar prompts
- Both techniques target the input-filtering layer

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us