- The paper's main contribution is demonstrating that a 37.5% homoglyph injection rate decisively disrupts authorship attribution.
- The methodology employs TraceTarnish, a modular pipeline integrating Translation, Imitation, Obfuscation, and Injection to achieve stylometric evasion.
- Empirical results confirm that surpassing 37.5% injection yields robust obfuscation with diminishing returns beyond 50%, guiding optimized privacy measures.
Hijacking Text Heritage: Adversarial Stylometry via Homoglyphic Substitution
Overview and Motivation
This paper interrogates the efficacy of homoglyphic substitution as a targeted adversarial stylometry attack designed for author obfuscation in textual data. Amidst the ongoing expansion of stylometric surveillance—where linguistic fingerprints are readily mined for authorship attribution or profiling—the pressing need for privacy-centric countermeasures is apparent. Through systematic exploration, the paper reveals the threshold levels, modalities, and hybrid attack vectors that yield maximal stylometric evasion with minimal perceptual disturbance, substantiating these findings with empirical evidence and a taxonomic framing of adversarial methodologies.
Adversarial Stylometry: Taxonomy and Approach
Traditional adversarial stylometry operates through three main channels: translation, imitation, and obfuscation. This study advances these with a fourth class, Injection, bifurcated into Liminal (zero-width Unicode character embedding), Doppelgänger (homoglyphic substitution), and Surrealist (intentional misspelling) strategies. The hybridization of attack types leverages their complementary properties, minimizing authorship signal fidelity for machine classifiers while minimizing disruption to the human reader.





Figure 2: A Taxonomic Overview highlighting Translation, Imitation, Obfuscation, and Injection as primary adversarial attack strategies.
A key innovation is operationalizing popular AI-enabled translation tools not only for semantic transformation but explicit authorial imitation—e.g., directing outputs to mimic the style of "George Orwell". This demonstrates that modern LLMs can enact rapid, automated iterative style transfer across arbitrary targets.
Figure 3: Example of Kagi Translate performing imitative translation, subverting authorship by masking original stylistic markers under a target persona.
The principal contribution, however, centers on Injection: using homoglyph substitution—swapping visually similar, but code-point divergent Unicode characters—as a direct attack on character-level stylometric features. Whereas zero-width characters obscure structure invisibly, homoglyphs actively confound orthographic analysis, impairing classic and deep-learning-based stylometric pipelines.
Figure 1: TraceTarnish modular attack pipeline, sequentially orchestrating Translation, Obfuscation, Imitation, and Injection.
Methodological Framework
The attack pipeline is instantiated as TraceTarnish: a modular system implementing the full spectrum of adversarial stylometry attacks. The empirical focus is on Doppelgänger Injection via incremental homoglyphic substitution, implemented according to several schemes: alternating vowels and consonants, targeting either group exclusively, and maximizing per-character replacement.
Figure 4: Sentences subjected to incremental homoglyphic injection: vowel-consonant alternation, vowel-only, consonant-only, and maximal injection, with colorized homoglyphs indicating perturbations.
The authors operationalize the imposters() function from the R stylo package to measure obfuscation impact on authorship verification. Experiments incrementally increase the percentage of words with homoglyph substitutions and monitor resultant Authorship Verification Scores (AVS) to establish efficacy and injection thresholds.
Empirical Results and Analysis
Quantitative analysis demonstrates that minimal homoglyphic injection confers limited stylometric obfuscation, but authorial signal integrity drops precipitously once a critical threshold is breached. The data reveals that a 37.5% word-level injection rate is sufficient to render attribution unreliable across tested models, regardless of whether vowels or consonants are targeted. Further augmentation beyond 50% provides minimal marginal benefit—a phenomenon of diminishing returns.
Figure 7: AVS plot for homoglyph-based injections; obfuscation is achieved at ≈37.5% replacement, with diminishing returns past 50% injection.
Figure 5: Combined injection of homoglyphs and zero-width characters through TraceTarnish, confirming robust authorial shrouding at the 37.5% mark.
Extending the attack to combine Liminal (zero-width) and Doppelgänger methods achieves comparable or superior efficacy, as measured by multiple stylometric distance metrics (delta, cosine, Manhattan, etc.).
Figure 6: Distance measures quantifying style divergence after Liminal + Doppelgänger Injection, evidencing broad method-agnostic stylometric breakdown.
Theoretical and Practical Implications
The findings present a potent challenge to stylometric forensics, demonstrating the fragility of conventional approaches under simple, automatable attacks. Notably, homoglyphic substitution—despite being visually negligible—cripples both statistical and neural authorship attribution models unless robust preprocessing and sanitization are enforced prior to analysis.
From a privacy engineering perspective, the research codifies an operational threshold for attack efficacy (37.5% word coverage), allowing practitioners to quantify and optimize the trade-offs between effort, orthographic fidelity, and obfuscation. The cumulative effect of hybrid Injection strategies signals a paradigm shift: obfuscating authorial fingerprints is not only tractable but can be fully automated and rendered undetectable to human readers, undermining both legal and unauthorized stylometric surveillance.
These conclusions further suggest that highly curated content corpora or high-fidelity forensic databases are particularly susceptible to targeted poisoning by authors or malicious actors, threatening the evidentiary reliability of such resources in legal, journalistic, and intelligence settings.
Prospects for Future Research
Several unresolved dimensions merit follow-up:
- Preprocessing Arms Race: Stylometric systems will need rigorous, language-agnostic normalization to resist homoglyph and invisible character attacks.
- Cross-Lingual and Low-Resource Vulnerabilities: Expansion of homoglyph sets beyond Latin/Cyrillic offers new attack surfaces, especially for scripts with abundant confusables.
- Deep Model Robustness: Empirical assessment of transformer-based stylometry under Injection remains an open problem.
- Ethical Dual-use: While privacy-enhancing, these methods also undermine forensic and academic integrity applications, raising policy/trust issues in both digital forensics and anti-plagiarism.
Conclusion
This work substantiates the decisive vulnerability of stylometric attribution to automated homoglyphic substitution and zero-width character insertion. An empirically identified injection rate of 37.5% suffices to defeat authorship verification for standard systems, challenging the foundational reliability of forensic linguistics in adversarial or privacy-critical contexts. The results impel both the stylometry and natural language security communities to reassess the resilience of authorial attribution algorithms and escalate efforts in preprocessing and countermeasure development, lest stylometric practice becomes operationally obsolete against trivial adversarial perturbations.