Token smuggling is an adversarial technique that hides malicious prompts by exploiting the gap between how a system visually renders text and how a language model tokenizes it. Attackers insert invisible characters, zero-width spaces, or Unicode homoglyphs into a payload. A human reviewer or a simple regex filter sees a benign string, but the model's tokenizer splits the text differently, reassembling the hidden toxic instruction at inference time to bypass AI guardrails.
Glossary
Token Smuggling

What is Token Smuggling?
Token smuggling is an adversarial obfuscation technique that exploits discrepancies in text tokenization and Unicode normalization to encode malicious instructions, allowing them to evade string-matching safety filters and content classifiers.
Advanced variants leverage Unicode normalization tricks, such as NFKC/NFKD inconsistencies, where visually identical characters decompose into distinct byte sequences. Another method splits a forbidden word across multiple tokens so that a safety classifier scanning for the complete string fails to match it. This attack is a critical component of automated red teaming suites, as it systematically probes the robustness of input sanitization pipelines against encoding-based evasion.
Key Characteristics of Token Smuggling
Token smuggling exploits the gap between human visual perception and machine tokenization to bypass safety filters. By manipulating Unicode glyphs, zero-width characters, and encoding tricks, malicious payloads appear benign to string-matching defenses while being interpreted as harmful instructions by the model.
Unicode Normalization Exploitation
Attackers leverage the difference between Unicode normalization forms (NFD, NFC, NFKC) to craft payloads that look identical to humans but have different byte representations. For example, the Latin 'A' (U+0041) and Cyrillic 'А' (U+0410) are visually indistinguishable but produce entirely different token IDs. When safety filters scan the raw text, they see harmless characters, but the model's tokenizer may normalize them into a malicious sequence. Normalization Form Canonical Decomposition (NFD) breaks precomposed characters into base characters and combining marks, creating additional smuggling surfaces. Attackers chain multiple normalization passes to create payloads that only become dangerous after the tokenizer's internal preprocessing.
Zero-Width Character Injection
Invisible Unicode characters are inserted between tokens to break pattern-matching filters without altering visual appearance. Key characters include:
- Zero-Width Space (U+200B): Splits keywords so 'malware' becomes 'malware', evading string matching while the tokenizer may still reconstruct the original term.
- Zero-Width Joiner (U+200D): Forces adjacent characters to render as a joined form, potentially merging split tokens.
- Zero-Width Non-Joiner (U+200C): Prevents ligature formation, causing the tokenizer to fragment words differently than expected.
- Word Joiner (U+2060): Prevents line breaks but also interferes with token boundary detection. These characters are invisible in most text editors and chat interfaces, making manual detection nearly impossible.
Split Tokenization Attacks
This technique exploits mismatches between the safety filter's tokenizer and the model's tokenizer. By splitting a forbidden word across multiple tokens that individually appear benign, the attacker bypasses blocklists. For instance, if a filter blocks the token for 'explosive', the attacker sends 'explo' and 'sive' as separate tokens. The model's autoregressive generation then reconstructs the full concept from context. Subword tokenization algorithms like Byte-Pair Encoding (BPE) and WordPiece create predictable split points that attackers can reverse-engineer. Advanced variants use multi-lingual tokenization where a harmful English word is smuggled inside tokens from a low-resource language that the safety filter doesn't monitor.
Homoglyph Substitution
Attackers replace ASCII characters with visually identical Unicode homoglyphs to evade keyword filters. The word 'hack' written with Cyrillic 'а' (U+0430) instead of Latin 'a' (U+0061) passes string-matching defenses but may be normalized to the intended meaning by the model's internal representations. Internationalized Domain Name (IDN) homograph attacks pioneered this technique for phishing, and it now extends to LLM prompt injection. Sophisticated smuggling chains combine homoglyphs with bidirectional text control characters like Right-to-Left Override (U+202E) to reverse the visual order of characters, making the rendered text appear completely different from the underlying byte sequence that reaches the tokenizer.
Encoding Layering and Recursive Smuggling
Advanced smuggling chains nest multiple encoding layers to defeat recursive sanitization. A payload may be:
- Base64-encoded to hide keywords
- Wrapped in Unicode escape sequences (\uXXXX)
- Interspersed with zero-width characters to break pattern matching
- Split across tokens using BPE boundary prediction When the model processes this, each layer is decoded sequentially, reconstructing the malicious instruction only at inference time. Recursive smuggling specifically targets systems that apply multiple sanitization passes by designing payloads where each decoding step reveals a new layer of obfuscation, exhausting the filter's recursion depth limits. This technique is particularly effective against defense-in-depth architectures that assume single-pass sanitization is sufficient.
Bidirectional Text Manipulation
Unicode bidirectional algorithm characters are weaponized to create visual deception in source code and prompts. Right-to-Left Override (RLO, U+202E) forces subsequent text to render right-to-left, reversing the visual order of characters. Left-to-Right Override (LRO, U+202D) restores left-to-right rendering. Pop Directional Formatting (PDF, U+202C) terminates the override. By strategically placing these control characters, attackers make a malicious payload appear as a harmless comment or variable name in code review tools while the compiler or interpreter processes the true character order. In LLM contexts, this causes the human reviewer and the automated safety filter to see different semantic content than what the model's tokenizer actually receives.
Token Smuggling vs. Related Attack Techniques
A feature-level comparison of token smuggling against other common prompt injection and obfuscation techniques used to bypass AI safety filters.
| Feature | Token Smuggling | Payload Splitting | Indirect Prompt Injection |
|---|---|---|---|
Attack Vector | Input layer via invisible characters or Unicode normalization | Input layer via multiple separate prompts | External data retrieval layer (web, PDFs, emails) |
Obfuscation Mechanism | Encodes malicious strings using zero-width characters, homoglyphs, or split token boundaries | Fragments a single harmful instruction across sequential, seemingly benign inputs | Embeds instructions in third-party content retrieved by the model at inference time |
Bypasses String-Matching Filters | |||
Requires Multi-Turn Interaction | |||
Exploits Tokenizer Vulnerabilities | |||
Relies on External Data Poisoning | |||
Primary Defense | Unicode normalization, tokenizer hardening, input canonicalization | Context window state management, session-level intent analysis | Retrieval source sanitization, data provenance verification, sandboxed retrieval |
Attack Success Rate (Typical) | 12-18% | 8-15% | 22-35% |
Frequently Asked Questions
Explore the mechanics of token smuggling, an advanced obfuscation technique used to bypass AI safety filters by exploiting the gap between human visual perception and machine tokenization.
Token smuggling is an adversarial obfuscation technique that encodes malicious instructions using invisible characters, Unicode normalization tricks, or split tokenization to evade string-matching safety filters. The attack exploits the fundamental architectural gap between how humans read text and how language models tokenize it. By inserting zero-width characters, bidirectional text markers, or Unicode homoglyphs into a prompt, an attacker can make a harmful request appear benign to a content filter while the model's tokenizer interprets the malicious payload correctly. For example, the word "bomb" can be split into tokens that individually look like "b", "om", and "b" with invisible separators, bypassing keyword blocklists entirely.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Token smuggling is one node in a broader ecosystem of adversarial techniques designed to bypass AI safety filters. These related concepts form the attack chain and defensive perimeter.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us