Token manipulation is a class of inference-time adversarial attacks targeting the discrete or continuous representation of input text. Attackers alter tokens using homoglyphs (visually similar characters from different Unicode blocks), zero-width spaces, or encoding tricks to create inputs that appear benign to human reviewers and simple text filters but are interpreted differently by the model's tokenizer. This exploits the gap between human perception and the model's internal representation, allowing malicious intent to be obfuscated.
Glossary
Token Manipulation

What is Token Manipulation?
Token manipulation is an adversarial technique that involves altering individual input tokens or their embeddings to cause misinterpretation by a language model, often to bypass safety filters.
The technique directly attacks the model's embedding lookup process. By substituting characters that map to different token IDs or vector representations, the attacker can shift the input's semantic meaning in the model's latent space, potentially triggering unintended behaviors or safety filter bypasses. It is a foundational method for crafting adversarial examples in the text domain and is closely related to input manipulation and Unicode exploits within the broader field of adversarial prompting.
Key Token Manipulation Techniques
Token manipulation exploits how language models process discrete input units. These techniques alter tokens or their representations to cause misinterpretation, bypassing safety filters and altering model behavior.
Homoglyph & Unicode Attacks
This technique replaces standard characters with visually similar ones from different Unicode blocks to create adversarial examples that appear normal to humans but are interpreted differently by the model's tokenizer.
- Homoglyphs: Using 'Cyrillic а' (U+0430) instead of Latin 'a' (U+0061).
- Zero-Width Characters: Inserting non-printing characters like U+200B (Zero-Width Space) or U+200C (Zero-Width Non-Joiner) to break tokenization.
- Impact: Can bypass keyword-based safety filters, cause tokenizer errors, and create inputs that are misaligned with the model's training distribution.
Tokenization Mismatch Exploits
This method exploits differences in how various tokenizers (e.g., between a safety filter and the core model) segment text, creating inputs that are parsed inconsistently across system components.
- Multi-Token Splits: Crafting a word like 'kill' as 'k' + 'ill' to avoid a filter that looks for the whole token.
- Subword Ambiguity: Using punctuation or spacing to force a harmful word to be tokenized as benign sub-units.
- Defense Evasion: The safety layer may see a harmless token sequence, while the language model's decoder reconstructs the intended harmful meaning from the subwords.
Embedding Space Perturbation
An advanced, often white-box, attack that directly manipulates the continuous vector representations of tokens to find small perturbations that maximally alter the model's output logits.
- Gradient-Based Search: Using the model's gradients to find token substitutions that increase the probability of a target (e.g., harmful) output.
- Adversarial Suffixes: Automated discovery of token sequences, like the "Artemis" or "AutoDAN" suffixes, that act as universal triggers for compliance.
- Precise Control: Allows for highly optimized attacks that can be human-uninterpretable but are highly effective at steering model behavior.
Encoding & Serialization Tricks
This involves manipulating the raw byte-level encoding or data serialization format of a prompt before it is processed by the model's tokenizer.
- Base64/URL Encoding: Embedding instructions within encoded strings that a pre-processing step might decode.
- Markdown/HTML Injection: Using formatting syntax like
[click here](javascript:alert())in a context where it might be rendered and re-tokenized. - Buffer Overflows in Tokenization: Crafting extremely long or malformed strings to cause errors in the tokenization pipeline, potentially leading to undefined behavior.
Multi-Modal Token Injection
This technique targets models that process multiple data types by embedding adversarial instructions within non-text modalities, such as images or audio, which are then converted into token sequences.
- Image Steganography: Encoding text prompts within the pixel data of an image using tools like Stable Diffusion with custom embeddings.
- OCR Bypass: Creating images of text that, when read by an Optical Character Recognition (OCR) component, produce a malicious prompt.
- Audio Adversarial Examples: Using inaudible perturbations or specific phonemes in speech-to-text inputs to generate harmful text tokens.
Defensive Countermeasures
A range of techniques designed to detect and mitigate token manipulation attacks, essential for securing production systems.
- Input Normalization & Canonicalization: Converting all text to a standard form (NFKC Unicode normalization), stripping zero-width characters, and verifying encoding.
- Perplexity Filtering: Flagging inputs with abnormally high perplexity scores, as adversarial examples often lie off the natural language manifold.
- Robust Tokenization: Using consistent, hardened tokenizers across all pipeline stages and employing allowlists/denylists for suspicious Unicode blocks.
- Adversarial Training: Fine-tuning the model on examples of token manipulation to improve its robustness against such attacks.
How Token Manipulation Works
Token manipulation is an adversarial technique that alters input tokens or their embeddings to cause model misinterpretation, exploiting vulnerabilities in text processing.
Token manipulation is an inference-time attack that strategically modifies the discrete tokens or their continuous embedding vectors before model processing. Attackers exploit the gap between human and machine perception by using homoglyphs (visually similar characters), zero-width spaces, or alternative Unicode encodings to create prompts that appear benign to safety filters but are interpreted differently by the model's tokenizer. This can bypass keyword-based defenses and directly corrupt the model's semantic understanding of the input.
The technique often targets the embedding space, searching for small perturbations in token vectors that maximally alter the model's output logits toward a desired, often harmful, response. This makes it a potent black-box attack method, as effective manipulations can be found through iterative API queries without model access. Defenses include Unicode normalization, robust tokenization schemes, and adversarial training on manipulated inputs to improve model resilience.
Defensive Mitigations Against Token Manipulation
A comparison of defensive techniques to detect and prevent adversarial token manipulation attacks, such as homoglyph substitution and encoding tricks.
| Defensive Technique | Detection-Based | Prevention-Based | Runtime Cost | Effectiveness Against Obfuscation |
|---|---|---|---|---|
Input Normalization & Canonicalization | Low | High | ||
Unicode Security Profiles (e.g., TR39) | Low | High | ||
Per-Token Embedding Anomaly Detection | Medium | Medium | ||
Adversarial Input Sanitization Libraries | Low | High | ||
Context-Aware Token Validation | High | Medium | ||
Model Fine-Tuning on Adversarial Examples | Very High (one-time) | High | ||
Ensemble Voting with Robust Tokenizers | High | High |
Frequently Asked Questions
Token manipulation involves altering the fundamental units of text input to exploit model vulnerabilities. These questions address its mechanisms, detection, and defense.
Token manipulation is an adversarial prompting technique that involves strategically altering individual input tokens or their embeddings to cause a language model to misinterpret the prompt, often bypassing safety filters or producing unintended outputs. Unlike high-level prompt injection, it operates at the granular, sub-word level of the model's input processing pipeline. Attackers exploit the disconnect between how text is rendered for humans (using characters) and how it is processed by the model (converted into tokens). Common methods include using homoglyphs (visually similar characters from different Unicode blocks), zero-width spaces, or other encoding tricks to create prompts that appear benign to human reviewers and simple text filters but are interpreted differently by the model's tokenizer, potentially triggering harmful behaviors.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Token manipulation is one of several techniques used to probe and exploit model vulnerabilities. These related terms define the broader landscape of adversarial attacks on language models.
Adversarial Suffix
An adversarial suffix is a string of tokens, often gibberish or optimized characters, appended to a benign user query. Its purpose is to shift the model's internal representations, systematically inducing it to comply with harmful requests it would normally refuse. These suffixes are typically discovered through automated search algorithms that query the model repeatedly to find token sequences that maximize the probability of a harmful output.
- Automated Discovery: Often generated using gradient-based methods or LLM-as-attacker frameworks in a black-box attack setting.
- Universal Properties: Some suffixes demonstrate transferability, acting as universal adversarial prompts that work across multiple queries.
- Defense Challenge: These attacks are difficult to filter as the suffix tokens may appear nonsensical or innocuous in isolation.
Unicode Exploits
Unicode exploits are a subset of token manipulation that uses the complexity of the Unicode standard to create adversarial inputs. Attackers employ visually similar characters (homoglyphs), zero-width spaces, or non-standard encodings to obfuscate prompt content.
- Homoglyph Attacks: Replace standard ASCII characters with visually identical Unicode characters (e.g., Latin 'a' vs. Cyrillic 'а') to bypass keyword-based safety filters.
- Invisible Characters: Insert zero-width joiners or spaces to break tokenization in unexpected ways, potentially causing the model to misinterpret the prompt.
- Normalization Bypass: Exploit differences in how systems normalize Unicode text, creating a mismatch between the filter's parsing and the model's tokenizer.
Embedding Space Attack
An embedding space attack operates directly on the continuous vector representations of tokens. Instead of manipulating discrete tokens, this method searches for small perturbations in the embedding space that, when added to a prompt's embeddings, cause a maximal change in the model's output behavior. This is a more fundamental input manipulation technique.
-
Gradient-Based: Often requires white-box access to compute gradients of the loss with respect to the input embeddings.
-
Automated Jailbreak Generation: Used in automated red teaming to efficiently discover adversarial prompts by optimizing in the continuous space before converting back to tokens.
-
Tokenization-Agnostic: Works on the numerical features the model actually processes, bypassing some token-level heuristics.
Black-Box Attack
A black-box attack is performed without any access to the target model's internal architecture, parameters, or gradients. The attacker can only query the model via its API and observe its outputs. Most practical adversarial prompting, including many jailbreak prompt discoveries, falls into this category.
-
Query-Only: Relies on iterative trial and error, genetic algorithms, or using a secondary LLM to generate and test attack candidates.
-
Real-World Relevance: Reflects the typical access level of an external attacker or red teaming practitioner.
-
Includes: Adversarial suffix optimization and systematic boundary testing are common black-box methodologies.
Inference-Time Attack
Inference-time attack is the broad category for exploits that occur during a model's deployment and generation phase, as opposed to during its training. Token manipulation, prompt injection, and jailbreak prompts are all inference-time attacks. They exploit vulnerabilities in how the model processes input context at runtime.
-
Contrast with Data Poisoning: Does not require corrupting the training set; it targets the deployed system.
-
Dynamic: Attacks can be adapted in real-time based on model responses and updated safety patches.
-
Core Mechanism: Manipulates the input sequence to cause model evasion or goal hijacking without altering the underlying model weights.
Boundary Testing
Boundary testing in adversarial prompting is the systematic practice of crafting inputs at the perceived edges of a model's safety guidelines and operational capabilities. The goal is to map the model's failure modes and discover adversarial examples that trigger harmful content generation or other unintended behaviors.
-
Methodical Exploration: Involves testing paraphrases, role-playing scenarios, hypotheticals, and edge-case queries to find weaknesses.
-
Proactive Security: A key activity in manual and automated red teaming to harden models before deployment.
-
Discovers: Subtle triggers, conflicting instructions, and context-based vulnerabilities that simpler attacks might miss.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us