🟡 🛡️ Security Published: · 2 min read ·

arXiv:2606.09700: Typographic attacks bypass AI moderation systems with less than 1% detection

arXiv:2606.09700 ↗

Editorial illustration: text with invisible typographic manipulations underneath an AI detector that passes it through

HPAA are typographic attacks that use spacing, emphasis, and spatial text layout to hide harmful content from automated detectors while remaining readable to humans. The study accepted at USENIX Security 2026 was tested on 13 systems and achieved >86% human recognition with detection below 1%.

🤖

This article was generated using artificial intelligence from primary sources.

Researchers from the University of Tennessee, IBM Research, and the University of Illinois presented the paper arXiv:2606.09700, v1 from June 8, 2026, defining a new class of attacks on content moderation systems. The method — accepted at USENIX Security 2026 — relies exclusively on typographic text manipulation, without changing the semantic message and without access to the internal parameters of the moderation model.

What are HPAA attacks?

HPAA (Human-Perceptible Adversarial Attacks) are attacks that use spacing, emphasis, and spatial text layout — visible typographic elements — to hide harmful content from automated detectors while remaining easily readable to humans. Unlike classic adversarial perturbations at the pixel level or hidden Unicode tokens, HPAA manipulations are clearly perceptual: a reader decodes the message effortlessly, while the moderation system classifies the content as safe.

Test results: 13 systems, 86%, less than 1%

The authors — Qin Yang, Lu Malloy, Joshua Lee, Xiaohan Chang, Meisam Mohammady, Doowon Kim, and Yuan Hong — tested the method on 13 commercial and open-source content moderation systems:

  • >86% human recognition — evaluator panels correctly identify harmful content even in typographically modified form
  • <1% detection rate — automated moderators practically fail to recognize the attack
  • Only 3 queries to the detector — black-box approach with no gradient information

The comparison is striking: the same text that an algorithm declares safe is recognized as harmful by a human in more than 86 out of 100 cases. The gap between machine detection and human perception has not previously been quantified with this level of precision.

Why do AI moderators ‘not see’ manipulated typography?

The cause lies in the architectural asymmetry between LLMs and the human visual system. LLM tokenization breaks text into subsequences according to static rules and has no visual perception layer through which the brain automatically reconstructs the intended meaning of manipulated text. A space or unexpected line break inserted by an attacker between letters does not change the semantics for the reader, but disrupts the tokenization pattern the moderator uses for detection.

The authors conclude that fine-tuning existing moderators alone is not sufficient: a lasting solution requires a visual pre-processing layer or tokenization schemes robust to typographic noise.

Frequently Asked Questions

What are HPAA attacks and how do they differ from classic adversarial attacks?
HPAA use exclusively typographic manipulations — spacing, emphasis, and spatial layout — that are visible to humans, unlike pixel perturbations or hidden Unicode tokens. The attacker needs no access to the internal parameters or gradients of the moderation model.
What are the implications for AI platform security and users?
The research shows that the solution is structural: AI moderation systems need a visual pre-processing layer that simulates human typographic perception. Fine-tuning existing moderators alone is not sufficient.

📬 AI news in your inbox

A daily digest built your way — pick topics, sources and cadence. One-click unsubscribe.