Papers
Topics
Authors
Recent
Search
2000 character limit reached

Hijacking Text Heritage: Hiding the Human Signature through Homoglyphic Substitution

Published 11 Apr 2026 in cs.CR, cs.CL, and cs.IR | (2604.10271v1)

Abstract: In what way could a data breach involving government-issued IDs such as passports, driver's licenses, etc., rival a random voluntary disclosure on a nondescript social-media platform? At first glance, the former appears more significant, and that is a valid assessment. The disclosed data could contain an individual's date of birth and address; for all intents and purposes, a leak of that data would be disastrous. Given the threat, the latter scenario involving an innocuous online post seems comparatively harmless--or does it? From that post and others like it, a forensic linguist could stylometrically uncover equivalent pieces of information, estimating an age range for the author (adolescent or adult) and narrowing down their geographical location (specific country). While not an exact science--the determinations are statistical--stylometry can reveal comparable, though noticeably diluted, information about an individual. To prevent an ID from being breached, simply sharing it as little as possible suffices. Preventing the leakage of personal information from written text requires a more complex solution: adversarial stylometry. In this paper, we explore how performing homoglyph substitution--the replacement of characters with visually similar alternatives (e.g., "h" $\texttt{[U+0068]}$ $\rightarrow$ "h" $\texttt{[U+04BB]}$)--on text can degrade stylometric systems.

Authors (1)

Summary

  • The paper's main contribution is demonstrating that a 37.5% homoglyph injection rate decisively disrupts authorship attribution.
  • The methodology employs TraceTarnish, a modular pipeline integrating Translation, Imitation, Obfuscation, and Injection to achieve stylometric evasion.
  • Empirical results confirm that surpassing 37.5% injection yields robust obfuscation with diminishing returns beyond 50%, guiding optimized privacy measures.

Hijacking Text Heritage: Adversarial Stylometry via Homoglyphic Substitution

Overview and Motivation

This paper interrogates the efficacy of homoglyphic substitution as a targeted adversarial stylometry attack designed for author obfuscation in textual data. Amidst the ongoing expansion of stylometric surveillance—where linguistic fingerprints are readily mined for authorship attribution or profiling—the pressing need for privacy-centric countermeasures is apparent. Through systematic exploration, the paper reveals the threshold levels, modalities, and hybrid attack vectors that yield maximal stylometric evasion with minimal perceptual disturbance, substantiating these findings with empirical evidence and a taxonomic framing of adversarial methodologies.

Adversarial Stylometry: Taxonomy and Approach

Traditional adversarial stylometry operates through three main channels: translation, imitation, and obfuscation. This study advances these with a fourth class, Injection, bifurcated into Liminal (zero-width Unicode character embedding), Doppelgänger (homoglyphic substitution), and Surrealist (intentional misspelling) strategies. The hybridization of attack types leverages their complementary properties, minimizing authorship signal fidelity for machine classifiers while minimizing disruption to the human reader. Figure 1

Figure 1

Figure 1

Figure 1

Figure 1

Figure 1

Figure 2: A Taxonomic Overview highlighting Translation, Imitation, Obfuscation, and Injection as primary adversarial attack strategies.

A key innovation is operationalizing popular AI-enabled translation tools not only for semantic transformation but explicit authorial imitation—e.g., directing outputs to mimic the style of "George Orwell". This demonstrates that modern LLMs can enact rapid, automated iterative style transfer across arbitrary targets. Figure 3

Figure 3: Example of Kagi Translate performing imitative translation, subverting authorship by masking original stylistic markers under a target persona.

The principal contribution, however, centers on Injection: using homoglyph substitution—swapping visually similar, but code-point divergent Unicode characters—as a direct attack on character-level stylometric features. Whereas zero-width characters obscure structure invisibly, homoglyphs actively confound orthographic analysis, impairing classic and deep-learning-based stylometric pipelines. Figure 4

Figure 1: TraceTarnish modular attack pipeline, sequentially orchestrating Translation, Obfuscation, Imitation, and Injection.

Methodological Framework

The attack pipeline is instantiated as TraceTarnish: a modular system implementing the full spectrum of adversarial stylometry attacks. The empirical focus is on Doppelgänger Injection via incremental homoglyphic substitution, implemented according to several schemes: alternating vowels and consonants, targeting either group exclusively, and maximizing per-character replacement. Figure 5

Figure 4: Sentences subjected to incremental homoglyphic injection: vowel-consonant alternation, vowel-only, consonant-only, and maximal injection, with colorized homoglyphs indicating perturbations.

The authors operationalize the imposters() function from the R stylo package to measure obfuscation impact on authorship verification. Experiments incrementally increase the percentage of words with homoglyph substitutions and monitor resultant Authorship Verification Scores (AVS) to establish efficacy and injection thresholds.

Empirical Results and Analysis

Quantitative analysis demonstrates that minimal homoglyphic injection confers limited stylometric obfuscation, but authorial signal integrity drops precipitously once a critical threshold is breached. The data reveals that a 37.5% word-level injection rate is sufficient to render attribution unreliable across tested models, regardless of whether vowels or consonants are targeted. Further augmentation beyond 50% provides minimal marginal benefit—a phenomenon of diminishing returns. Figure 6

Figure 7: AVS plot for homoglyph-based injections; obfuscation is achieved at ≈37.5% replacement, with diminishing returns past 50% injection.

Figure 8

Figure 5: Combined injection of homoglyphs and zero-width characters through TraceTarnish, confirming robust authorial shrouding at the 37.5% mark.

Extending the attack to combine Liminal (zero-width) and Doppelgänger methods achieves comparable or superior efficacy, as measured by multiple stylometric distance metrics (delta, cosine, Manhattan, etc.). Figure 9

Figure 6: Distance measures quantifying style divergence after Liminal + Doppelgänger Injection, evidencing broad method-agnostic stylometric breakdown.

Theoretical and Practical Implications

The findings present a potent challenge to stylometric forensics, demonstrating the fragility of conventional approaches under simple, automatable attacks. Notably, homoglyphic substitution—despite being visually negligible—cripples both statistical and neural authorship attribution models unless robust preprocessing and sanitization are enforced prior to analysis.

From a privacy engineering perspective, the research codifies an operational threshold for attack efficacy (37.5% word coverage), allowing practitioners to quantify and optimize the trade-offs between effort, orthographic fidelity, and obfuscation. The cumulative effect of hybrid Injection strategies signals a paradigm shift: obfuscating authorial fingerprints is not only tractable but can be fully automated and rendered undetectable to human readers, undermining both legal and unauthorized stylometric surveillance.

These conclusions further suggest that highly curated content corpora or high-fidelity forensic databases are particularly susceptible to targeted poisoning by authors or malicious actors, threatening the evidentiary reliability of such resources in legal, journalistic, and intelligence settings.

Prospects for Future Research

Several unresolved dimensions merit follow-up:

  • Preprocessing Arms Race: Stylometric systems will need rigorous, language-agnostic normalization to resist homoglyph and invisible character attacks.
  • Cross-Lingual and Low-Resource Vulnerabilities: Expansion of homoglyph sets beyond Latin/Cyrillic offers new attack surfaces, especially for scripts with abundant confusables.
  • Deep Model Robustness: Empirical assessment of transformer-based stylometry under Injection remains an open problem.
  • Ethical Dual-use: While privacy-enhancing, these methods also undermine forensic and academic integrity applications, raising policy/trust issues in both digital forensics and anti-plagiarism.

Conclusion

This work substantiates the decisive vulnerability of stylometric attribution to automated homoglyphic substitution and zero-width character insertion. An empirically identified injection rate of 37.5% suffices to defeat authorship verification for standard systems, challenging the foundational reliability of forensic linguistics in adversarial or privacy-critical contexts. The results impel both the stylometry and natural language security communities to reassess the resilience of authorial attribution algorithms and escalate efforts in preprocessing and countermeasure development, lest stylometric practice becomes operationally obsolete against trivial adversarial perturbations.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.