A homoglyph attack is a technique that substitutes standard characters with visually identical or near-identical glyphs from other alphabets, such as replacing the Latin letter 'a' with the Cyrillic 'а' (U+0430). This substitution deceives automated filters that rely on exact string matching or keyword blocklists, allowing malicious content to pass through input sanitization and adversarial prompt detection layers undetected. The rendered text appears normal to a human reviewer but carries a completely different semantic payload for the machine.
Glossary
Homoglyph Attack

What is a Homoglyph Attack?
A homoglyph attack exploits the visual similarity between characters from different writing systems to bypass text-based security filters while remaining legible to human reviewers.
In the context of prompt injection defense, attackers use homoglyphs to bypass delimiter-based defense mechanisms and guard model classifiers by encoding forbidden keywords like 'ignore previous instructions' in confusable Unicode. Effective mitigation requires canonicalization of input into a consistent character set, such as NFKC normalization, before any security evaluation occurs. This defense is a critical component of prompt normalization pipelines, ensuring that visually deceptive strings are resolved to their base forms prior to processing.
Core Characteristics of Homoglyph Attacks
Homoglyph attacks exploit the visual similarity between distinct Unicode characters to bypass security filters while remaining imperceptible to human reviewers. These techniques target both automated systems and human cognition.
Unicode Character Substitution
Attackers replace ASCII characters with visually identical glyphs from non-Latin scripts. The Cyrillic 'а' (U+0430) is indistinguishable from the Latin 'a' (U+0061) to a human, but represents a completely different code point. This allows attackers to register paypaI.com (with a Cyrillic 'а') that appears identical to paypal.com. Common substitution pools include Cyrillic, Greek, and Armenian scripts, which share numerous homoglyphs with Latin characters.
Internationalized Domain Name (IDN) Spoofing
IDN homograph attacks weaponize the internationalized domain name system to create lookalike domain names using mixed-script characters. A domain like аррӏе.com uses Cyrillic characters to perfectly mimic apple.com in browser address bars. Modern browsers implement confusable character detection and display Punycode (xn--...) representations when mixed scripts are detected, but mobile interfaces and truncated URLs remain vulnerable.
Prompt Injection via Homoglyph Evasion
In LLM security contexts, homoglyphs bypass content filtering and input sanitization layers. An attacker can encode malicious instructions using confusable Unicode characters that tokenizers process differently than their ASCII equivalents. For example, the word 'ignore' written with homoglyphs may evade keyword blocklists while the model's semantic understanding still interprets the command. This defeats delimiter-based defenses that rely on exact character matching.
Zero-Width and Invisible Character Injection
Beyond visible homoglyphs, attackers leverage zero-width characters like the zero-width space (U+200B) and zero-width non-joiner (U+200C) to break tokenization without visual indication. Inserting these between characters in a filtered keyword causes token boundary disruption, preventing pattern-matching filters from recognizing blocked terms. Combined with homoglyphs, this creates multi-layered obfuscation that evades both regex-based filters and semantic safety classifiers.
Canonicalization and Normalization Defense
The primary defense against homoglyph attacks is Unicode canonicalization—converting all input to a normalized form before processing. NFKC normalization decomposes confusable characters and compatibility forms into their base representations. Security-critical systems should implement skeletonization algorithms that map visually similar characters to a single canonical form. The Unicode Consortium maintains the confusables.txt database, which catalogs known homoglyph pairs for automated detection.
Multi-Modal Homoglyph Exploitation
Homoglyph techniques extend beyond text into multi-modal injection vectors. Attackers embed confusable characters in image alt-text, OCR-processed documents, and audio transcriptions that feed into LLM pipelines. A poisoned PDF containing homoglyph-encoded instructions may pass visual inspection but inject malicious prompts when processed by a document understanding model. This exploits the gap between human visual review and machine text extraction.
Frequently Asked Questions
Explore the mechanics, risks, and defenses associated with homoglyph attacks—a sophisticated technique that exploits visual character similarity to bypass security filters and deceive both humans and machines.
A homoglyph attack is a technique that exploits visually similar characters from different writing systems (scripts) to create deceptive strings that bypass text-based security filters while appearing legitimate to a human reviewer. The attack works by substituting standard ASCII characters with look-alike glyphs from Unicode blocks such as Cyrillic, Greek, or Armenian. For example, the Latin letter 'a' (U+0061) can be replaced with the Cyrillic 'а' (U+0430), which renders identically in many fonts. This allows attackers to register phishing domains (like 'раypal.com' instead of 'paypal.com'), craft adversarial prompts that evade keyword blocklists, or inject malicious payloads that bypass input sanitization routines. The core mechanism relies on the discrepancy between how a system parses the underlying code points and how a human perceives the rendered glyphs.
Real-World Attack Vectors Using Homoglyphs
Homoglyph attacks exploit the visual similarity between distinct Unicode characters to bypass security filters, deceive human reviewers, and execute highly targeted social engineering campaigns.
Domain Spoofing & Phishing
Attackers register domains using homoglyphs to mimic legitimate brands. A user sees аррӏе.com (with Cyrillic 'а' and 'ӏ') instead of apple.com. This is the most common vector for credential harvesting.
- Punycode rendering in browsers can display the internationalized domain name as the ASCII lookalike.
- EV Certificates do not fully mitigate this, as the visual spoof remains in the address bar.
- Example: A spear-phishing email linking to a fake corporate VPN portal to steal multi-factor authentication tokens.
Source Code & Supply Chain Poisoning
Malicious code is injected into open-source libraries by substituting ASCII characters with homoglyphs in function or variable names. A developer visually reviews a backdoor function logln() but the 'l' is actually a Unicode Latin Small Letter 'ӏ'.
- Compiler differentiation: The compiler treats the homoglyph as a distinct identifier, creating a hidden function.
- Typosquatting packages: Malicious packages like requests vs. requеsts (with Cyrillic 'е') are published to package managers.
- Impact: Steals environment variables and secrets during CI/CD pipeline execution.
Bypassing Content Moderation Filters
Toxic or policy-violating text passes through automated filters by replacing flagged keywords with homoglyph equivalents. A hate speech term like bаd (with Cyrillic 'а') bypasses a simple blocklist looking for 'bad'.
- Normalization bypass: Filters that do not perform Unicode canonicalization (NFKC/NFKD) are vulnerable.
- Zero-width character insertion: Invisible characters like Zero-Width Space (ZWSP) break tokenization without visual change.
- Adversarial use: Circumventing safety guardrails in LLM-powered chat applications to generate disallowed content.
Machine Learning Model Evasion
Adversarial inputs using homoglyphs cause misclassification in NLP models. A sentiment analysis model misreads a toxic review as benign because the toxic words are spelled with visually identical Unicode characters.
- Tokenization mismatch: The model's tokenizer maps the homoglyph to an <UNK> token, neutralizing its semantic weight.
- Embedding drift: The homoglyph sequence maps to a different, non-toxic region of the vector space.
- Defense: Requires Unicode normalization as a mandatory preprocessing step in the inference pipeline.
Database Entry Duplication & Fraud
Creating multiple fraudulent accounts with visually identical usernames. admin and admіn (with Cyrillic 'і') appear identical to a human support agent but are distinct primary keys in a database.
- Privilege escalation: A fake 'superuser' account is used to socially engineer a password reset.
- Data integrity corruption: Skewing analytics and user metrics by duplicating entities.
- Mitigation: Enforcing skeleton key or canonical representation at the application logic layer before persistence.
Digital Signature & Identity Spoofing
Impersonating verified social media profiles or email identities. A fake executive account @micrоsоft (with Cyrillic 'о') issues a fraudulent press release that moves stock prices.
- Blue-check verification bypass: Platforms that verify identity based on string matching without Unicode awareness are vulnerable.
- Email spoofing: Display names in email clients render the homoglyph, hiding the true malicious domain.
- Real-world case: Researchers registered аррӏе.com and received confidential correspondence intended for Apple Inc.
Homoglyph Attack vs. Related Obfuscation Techniques
A comparison of homoglyph attacks with other text-based obfuscation techniques used to bypass content filters and prompt injection defenses.
| Feature | Homoglyph Attack | Zero-Width Character Injection | Canonicalization Bypass |
|---|---|---|---|
Primary Mechanism | Substitutes visually similar characters from different alphabets (e.g., Cyrillic 'а' for Latin 'a') | Inserts invisible Unicode characters (e.g., U+200B) to break tokenization | Exploits multiple valid encodings of the same character (e.g., URL encoding, Unicode normalization forms) |
Visibility to Human Reviewer | Visually indistinguishable or nearly identical to legitimate text | Completely invisible; text appears normal to the naked eye | May appear as garbled text or escape sequences depending on rendering context |
Primary Target | Content moderation filters, keyword blocklists, and human reviewers | Tokenizers, parsers, and pattern-matching regex engines | Input sanitizers, WAF rules, and normalization routines |
Defense Complexity | High; requires Unicode-aware comparison and confusable character detection | Moderate; stripped by Unicode-aware sanitization but often overlooked | High; requires strict canonicalization to a single normalization form before processing |
Detection by Standard Input Sanitization | |||
Exploits Unicode Confusables | |||
Common in Prompt Injection Attacks | |||
Mitigation Technique | Unicode confusable mapping and skeletonization algorithms | Stripping of non-printing characters and zero-width codepoints | NFKC normalization and strict encoding enforcement |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Homoglyph attacks are a specific subset of adversarial input manipulation. Explore the broader landscape of defenses against malicious text-based inputs targeting language models and security filters.
Input Sanitization
The process of cleaning and normalizing user-provided text to remove or neutralize malicious control sequences before model processing. Homoglyph attacks specifically target the weaknesses in sanitization pipelines.
- Unicode normalization (e.g., NFKC) converts visually identical characters to a canonical form
- Character allow-listing restricts inputs to a defined set of safe glyphs
- Script consistency checks detect mixed alphabets within a single string
- Effective sanitization must balance security with support for legitimate international text
Canonicalization
The process of converting input data into a single, standard, unambiguous representation to prevent attackers from bypassing filters using encoding tricks. This is the primary defense against homoglyph attacks.
- Converts Punycode internationalized domain names to their ASCII equivalent
- Resolves percent-encoding, HTML entities, and Unicode escape sequences
- Must be applied before any security checks or pattern matching
- Double-encoding attacks require recursive canonicalization until a stable form is reached
Zero-Width Character Injection
An attack that inserts invisible Unicode characters into text to break tokenization or keyword filtering without being visible to the user. A close relative of the homoglyph attack.
- Uses characters like U+200B (zero-width space) and U+FEFF (BOM)
- Can split keywords so filters fail to match blocked terms
- Can manipulate LLM tokenization to alter how a model interprets a prompt
- Defense requires stripping all zero-width characters before processing
Adversarial Prompt Detection
The use of classifiers, heuristics, or perplexity analysis to identify user inputs that are likely crafted to manipulate a model. Detects homoglyph attacks and other injection techniques.
- Perplexity scoring flags text with unusual character distributions
- Mixed-script detection identifies strings combining Cyrillic, Latin, and other alphabets
- Entropy analysis measures randomness to spot encoded payloads
- Modern detectors use fine-tuned transformer models trained on known attack patterns
Prompt Injection WAF
A Web Application Firewall-like layer that inspects and blocks malicious prompts at the API gateway before they reach the language model. Serves as a perimeter defense against homoglyph attacks.
- Applies signature-based rules for known homoglyph patterns
- Performs real-time Unicode analysis on all incoming requests
- Can integrate with threat intelligence feeds for updated attack indicators
- Must operate with sub-millisecond latency to avoid degrading user experience
Prompt Normalization
The process of rewriting or restructuring user prompts into a safe, canonical form before they are combined with system instructions. Neutralizes homoglyph attacks by resolving visual ambiguity.
- Converts confusable characters to their intended ASCII equivalents
- Strips diacritics and decorative Unicode modifiers
- Applies NFKC normalization as a standard preprocessing step
- Preserves legitimate multilingual content while removing deceptive glyphs

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us