Inferensys

Glossary

Homoglyph Attack

A technique that exploits visually similar characters (homoglyphs) from different Unicode scripts to bypass text-based security filters while appearing normal to a human reviewer.
Legal team reviewing EU AI Act compliance documents on laptop in modern office, coffee cups and papers on table, casual meeting.
TEXT-BASED EVASION TECHNIQUE

What is a Homoglyph Attack?

A homoglyph attack exploits the visual similarity between characters from different writing systems to bypass text-based security filters while remaining legible to human reviewers.

A homoglyph attack is a technique that substitutes standard characters with visually identical or near-identical glyphs from other alphabets, such as replacing the Latin letter 'a' with the Cyrillic 'а' (U+0430). This substitution deceives automated filters that rely on exact string matching or keyword blocklists, allowing malicious content to pass through input sanitization and adversarial prompt detection layers undetected. The rendered text appears normal to a human reviewer but carries a completely different semantic payload for the machine.

In the context of prompt injection defense, attackers use homoglyphs to bypass delimiter-based defense mechanisms and guard model classifiers by encoding forbidden keywords like 'ignore previous instructions' in confusable Unicode. Effective mitigation requires canonicalization of input into a consistent character set, such as NFKC normalization, before any security evaluation occurs. This defense is a critical component of prompt normalization pipelines, ensuring that visually deceptive strings are resolved to their base forms prior to processing.

Visual Deception Vectors

Core Characteristics of Homoglyph Attacks

Homoglyph attacks exploit the visual similarity between distinct Unicode characters to bypass security filters while remaining imperceptible to human reviewers. These techniques target both automated systems and human cognition.

01

Unicode Character Substitution

Attackers replace ASCII characters with visually identical glyphs from non-Latin scripts. The Cyrillic 'а' (U+0430) is indistinguishable from the Latin 'a' (U+0061) to a human, but represents a completely different code point. This allows attackers to register paypaI.com (with a Cyrillic 'а') that appears identical to paypal.com. Common substitution pools include Cyrillic, Greek, and Armenian scripts, which share numerous homoglyphs with Latin characters.

02

Internationalized Domain Name (IDN) Spoofing

IDN homograph attacks weaponize the internationalized domain name system to create lookalike domain names using mixed-script characters. A domain like аррӏе.com uses Cyrillic characters to perfectly mimic apple.com in browser address bars. Modern browsers implement confusable character detection and display Punycode (xn--...) representations when mixed scripts are detected, but mobile interfaces and truncated URLs remain vulnerable.

03

Prompt Injection via Homoglyph Evasion

In LLM security contexts, homoglyphs bypass content filtering and input sanitization layers. An attacker can encode malicious instructions using confusable Unicode characters that tokenizers process differently than their ASCII equivalents. For example, the word 'ignore' written with homoglyphs may evade keyword blocklists while the model's semantic understanding still interprets the command. This defeats delimiter-based defenses that rely on exact character matching.

04

Zero-Width and Invisible Character Injection

Beyond visible homoglyphs, attackers leverage zero-width characters like the zero-width space (U+200B) and zero-width non-joiner (U+200C) to break tokenization without visual indication. Inserting these between characters in a filtered keyword causes token boundary disruption, preventing pattern-matching filters from recognizing blocked terms. Combined with homoglyphs, this creates multi-layered obfuscation that evades both regex-based filters and semantic safety classifiers.

05

Canonicalization and Normalization Defense

The primary defense against homoglyph attacks is Unicode canonicalization—converting all input to a normalized form before processing. NFKC normalization decomposes confusable characters and compatibility forms into their base representations. Security-critical systems should implement skeletonization algorithms that map visually similar characters to a single canonical form. The Unicode Consortium maintains the confusables.txt database, which catalogs known homoglyph pairs for automated detection.

06

Multi-Modal Homoglyph Exploitation

Homoglyph techniques extend beyond text into multi-modal injection vectors. Attackers embed confusable characters in image alt-text, OCR-processed documents, and audio transcriptions that feed into LLM pipelines. A poisoned PDF containing homoglyph-encoded instructions may pass visual inspection but inject malicious prompts when processed by a document understanding model. This exploits the gap between human visual review and machine text extraction.

HOMOGLYPH ATTACKS

Frequently Asked Questions

Explore the mechanics, risks, and defenses associated with homoglyph attacks—a sophisticated technique that exploits visual character similarity to bypass security filters and deceive both humans and machines.

A homoglyph attack is a technique that exploits visually similar characters from different writing systems (scripts) to create deceptive strings that bypass text-based security filters while appearing legitimate to a human reviewer. The attack works by substituting standard ASCII characters with look-alike glyphs from Unicode blocks such as Cyrillic, Greek, or Armenian. For example, the Latin letter 'a' (U+0061) can be replaced with the Cyrillic 'а' (U+0430), which renders identically in many fonts. This allows attackers to register phishing domains (like 'раypal.com' instead of 'paypal.com'), craft adversarial prompts that evade keyword blocklists, or inject malicious payloads that bypass input sanitization routines. The core mechanism relies on the discrepancy between how a system parses the underlying code points and how a human perceives the rendered glyphs.

HOMOGLYPH EXPLOITATION

Real-World Attack Vectors Using Homoglyphs

Homoglyph attacks exploit the visual similarity between distinct Unicode characters to bypass security filters, deceive human reviewers, and execute highly targeted social engineering campaigns.

01

Domain Spoofing & Phishing

Attackers register domains using homoglyphs to mimic legitimate brands. A user sees аррӏе.com (with Cyrillic 'а' and 'ӏ') instead of apple.com. This is the most common vector for credential harvesting.

  • Punycode rendering in browsers can display the internationalized domain name as the ASCII lookalike.
  • EV Certificates do not fully mitigate this, as the visual spoof remains in the address bar.
  • Example: A spear-phishing email linking to a fake corporate VPN portal to steal multi-factor authentication tokens.
90%+
Phishing attacks using domain spoofing
02

Source Code & Supply Chain Poisoning

Malicious code is injected into open-source libraries by substituting ASCII characters with homoglyphs in function or variable names. A developer visually reviews a backdoor function logln() but the 'l' is actually a Unicode Latin Small Letter 'ӏ'.

  • Compiler differentiation: The compiler treats the homoglyph as a distinct identifier, creating a hidden function.
  • Typosquatting packages: Malicious packages like requests vs. requеsts (with Cyrillic 'е') are published to package managers.
  • Impact: Steals environment variables and secrets during CI/CD pipeline execution.
03

Bypassing Content Moderation Filters

Toxic or policy-violating text passes through automated filters by replacing flagged keywords with homoglyph equivalents. A hate speech term like bаd (with Cyrillic 'а') bypasses a simple blocklist looking for 'bad'.

  • Normalization bypass: Filters that do not perform Unicode canonicalization (NFKC/NFKD) are vulnerable.
  • Zero-width character insertion: Invisible characters like Zero-Width Space (ZWSP) break tokenization without visual change.
  • Adversarial use: Circumventing safety guardrails in LLM-powered chat applications to generate disallowed content.
04

Machine Learning Model Evasion

Adversarial inputs using homoglyphs cause misclassification in NLP models. A sentiment analysis model misreads a toxic review as benign because the toxic words are spelled with visually identical Unicode characters.

  • Tokenization mismatch: The model's tokenizer maps the homoglyph to an <UNK> token, neutralizing its semantic weight.
  • Embedding drift: The homoglyph sequence maps to a different, non-toxic region of the vector space.
  • Defense: Requires Unicode normalization as a mandatory preprocessing step in the inference pipeline.
05

Database Entry Duplication & Fraud

Creating multiple fraudulent accounts with visually identical usernames. admin and admіn (with Cyrillic 'і') appear identical to a human support agent but are distinct primary keys in a database.

  • Privilege escalation: A fake 'superuser' account is used to socially engineer a password reset.
  • Data integrity corruption: Skewing analytics and user metrics by duplicating entities.
  • Mitigation: Enforcing skeleton key or canonical representation at the application logic layer before persistence.
06

Digital Signature & Identity Spoofing

Impersonating verified social media profiles or email identities. A fake executive account @micrоsоft (with Cyrillic 'о') issues a fraudulent press release that moves stock prices.

  • Blue-check verification bypass: Platforms that verify identity based on string matching without Unicode awareness are vulnerable.
  • Email spoofing: Display names in email clients render the homoglyph, hiding the true malicious domain.
  • Real-world case: Researchers registered аррӏе.com and received confidential correspondence intended for Apple Inc.
OBFUSCATION TECHNIQUE COMPARISON

Homoglyph Attack vs. Related Obfuscation Techniques

A comparison of homoglyph attacks with other text-based obfuscation techniques used to bypass content filters and prompt injection defenses.

FeatureHomoglyph AttackZero-Width Character InjectionCanonicalization Bypass

Primary Mechanism

Substitutes visually similar characters from different alphabets (e.g., Cyrillic 'а' for Latin 'a')

Inserts invisible Unicode characters (e.g., U+200B) to break tokenization

Exploits multiple valid encodings of the same character (e.g., URL encoding, Unicode normalization forms)

Visibility to Human Reviewer

Visually indistinguishable or nearly identical to legitimate text

Completely invisible; text appears normal to the naked eye

May appear as garbled text or escape sequences depending on rendering context

Primary Target

Content moderation filters, keyword blocklists, and human reviewers

Tokenizers, parsers, and pattern-matching regex engines

Input sanitizers, WAF rules, and normalization routines

Defense Complexity

High; requires Unicode-aware comparison and confusable character detection

Moderate; stripped by Unicode-aware sanitization but often overlooked

High; requires strict canonicalization to a single normalization form before processing

Detection by Standard Input Sanitization

Exploits Unicode Confusables

Common in Prompt Injection Attacks

Mitigation Technique

Unicode confusable mapping and skeletonization algorithms

Stripping of non-printing characters and zero-width codepoints

NFKC normalization and strict encoding enforcement

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.