A Tale of Two Strings: The Deceptive Power of Unicode's Invisible Characters

Published on

Invisible Unicode characters

Invisible Unicode characters

Table of Contents

A Tale of Two Strings: The Deceptive Power of Unicode’s Invisible Characters

Consider these two strings of text:

Hello, World! Hello, World!

They look identical. If you were to copy and paste them, they would seem to be the same. But what if I told you that one of them contains a hidden, five-letter secret, while the other is completely clean? This isn’t a trick of the eye; it’s a demonstration of one of the most subtle and clever forms of text steganography, using the hidden power of Unicode’s invisible characters.

This technique has evolved from a curious digital phenomenon to a legitimate security concern, with cybercriminals actively exploiting these invisible characters in sophisticated phishing attacks and code obfuscation techniques as recently as 2025.

Understanding Unicode and Its Invisible Arsenal

Unicode's invisible characters

What is Unicode?

In the early days of computing, text was simple (mostly English characters), and systems like ASCII could represent everything with just 128 different codes. Today, our computers need to handle thousands of characters from virtually every language on Earth, plus emojis, mathematical symbols, and more.

Unicode is the universal standard that assigns a unique number (a “code point”) to every single one of these characters. This is what allows a computer in Japan to correctly display text written on a computer in Brazil.

The Invisible Characters Catalog

Writing systems are complex, requiring special “control characters” that provide instructions to text rendering engines without being visible. Here’s a comprehensive table of the most commonly used invisible Unicode characters:

CharacterUnicode Code PointNamePurposeSecurity Risk
U+200BZero-Width Space (ZWSP)Line break controlHigh - Steganography, phishing
U+200DZero-Width Joiner (ZWJ)Character joiningMedium - Emoji manipulation
U+200CZero-Width Non-Joiner (ZWNJ)Prevent character joiningMedium - Text parsing bypass
U+FEFFZero-Width Non-Breaking Space (ZWNBSP)Byte order markLow - Legacy encoding
U+3164Hangul FillerKorean text spacingHigh - Recent phishing attacks
U+FFA0Halfwidth Hangul FillerKorean text formattingHigh - JavaScript obfuscation
U+00A0Non-Breaking SpacePrevent line breaksMedium - Content filtering bypass
U+2060Word JoinerPrevent line breaksMedium - Text manipulation

Modern Encoding Techniques

Unicode's invisible characters

The encoding is essentially a binary code hidden in plain sight, using invisible characters that are still part of the text’s Unicode sequence. Security researchers have identified several encoding methods:

Binary Encoding: Using presence/absence of invisible characters to represent 0s and 1s Multi-Character Encoding: Using different invisible characters to represent different values Positional Encoding: Encoding information based on the position of invisible characters

Current Threat Landscape (2024-2025)

JavaScript Obfuscation Attacks

A new JavaScript obfuscation technique leveraging invisible Unicode characters to represent binary values is actively being used in phishing attacks. This novel method, first disclosed in October 2024, has been quickly adopted by threat actors.

The use of invisible Unicode characters for JavaScript obfuscation marks a dangerous evolution in phishing tactics. By leveraging Hangul filler characters, attackers can effectively disguise malicious code within seemingly blank scripts, making detection significantly harder.

Attack Vector: The new obfuscation technique exploits invisible Unicode characters, specifically Hangul half-width (U+FFA0) and Hangul full-width (U+3164).

AI and LLM Exploitation

Note that if the text was created by an LLM (ChatGPT, Claude, Gemini etc) it will still be identified as AI-generated by Originality.ai’s detection systems, but the invisible characters can be used to bypass other AI safety measures and content filters.

Real-World Attack Examples

Recent security incidents have shown the practical application of these techniques:

  1. Political Phishing Campaigns: threat actors targeting affiliates of an American political action committee
  2. Tycoon 2FA Exploitation: some domains involved are associated with Tycoon 2FA, indicating that organized cybercriminal groups are adopting these methods
  3. QR Code Attacks: Hackread reported a 587% surge in QR code phishing in early 2024

Legitimate Use Cases

Unicode's invisible characters

Despite the security risks, invisible Unicode characters serve important legitimate purposes:

Social Media and Content Management

Watermarking: Platforms embed invisible tracking IDs in content to identify re-uploads and prevent content theft.

Empty Messages: Send an empty Instagram comment using the U+200B ZERO WIDTH SPACE. The invisible letters are commonly used to send an empty message or set a form value to blank.

Typography and Internationalization

Emoji Composition: Zero Width Joiner (ZWJ) is a Unicode character that joins two or more other characters together in sequence to create a new emoji.

Language Support: this character is intended for invisible word separation and for line break control

Detection and Defense Strategies

Detection Tools and Techniques

Modern security requires specialized tools to identify invisible characters:

Tool TypePurposeExamples
Unicode InspectorsCharacter-by-character analysisUnicode Explorer, Invisible Character Detector
Diff CheckersCompare text stringsOnline diff tools
Security ScannersAutomated threat detectionEnterprise security solutions
Browser ExtensionsReal-time detectionCustom security extensions

Enterprise Security Measures

Prompt Security employs protection measures that inspect text down to Unicode level in real time. These measures are capable of restricting, blocking, and redacting visible and invisible characters, and are configurable so that organizations can customize protection according to their specific needs.

Data Processing Considerations

When this is copied into a text editor, the invisible characters are not correctly represented due to encoding mismatch. Organizations should implement:

Best Practices for Developers and Security Teams

Code Review Guidelines

  1. Visual Inspection: Never rely solely on visual code review
  2. Automated Scanning: Implement tools that detect invisible characters
  3. Character Encoding: In HTML, it can be referenced as ​, ​ or ​

Content Security Policies

Testing and Validation

Regular testing should include:

The Future of Invisible Character Threats

As artificial intelligence and natural language processing become more prevalent, the potential for invisible character exploitation grows. Organizations must stay vigilant and adapt their security measures to address these evolving threats.

The technique represents a powerful lesson in digital forensics: what you see is not always what you get. True analysis requires looking beyond the surface and examining the underlying data itself.

Conclusion

Unicode’s invisible characters represent a fascinating intersection of typography, technology, and security. While they serve legitimate purposes in modern computing, their potential for misuse requires ongoing vigilance from security professionals and developers alike.

Understanding these techniques is crucial for anyone working in cybersecurity, web development, or digital forensics. As attack methods evolve, so must our defenses against the invisible threats hiding in plain sight.

Frequently Asked Questions

What are invisible Unicode characters?

Invisible Unicode characters are special control characters that do not appear when rendered in text but can carry instructions or hidden data, such as Zero-Width Space (U+200B) or Zero-Width Joiner (U+200D).

How are invisible Unicode characters used in phishing attacks?

Attackers embed these characters in text or code (e.g., JavaScript) to hide malicious payloads, bypass content filters, or obfuscate scripts, making detection by security systems or human reviewers difficult.

Can invisible Unicode characters be detected easily?

They are not visible to the naked eye, but specialized tools like Unicode inspectors (e.g., Unicode Explorer) or automated security scanners can detect them by analyzing the underlying code points.

Are there legitimate uses for invisible Unicode characters?

Yes, they are used in typography for controlling text rendering (e.g., emoji composition with Zero-Width Joiner), in social media for watermarking, and in internationalization for managing language-specific text formatting.

How can developers protect against invisible character threats?

Developers should implement strict input validation, use allowlists for permitted Unicode ranges, employ automated scanning tools, and conduct regular security audits to detect and mitigate these threats.

References

  1. Promptfoo. (2025, April 10). The Invisible Threat: How Zero-Width Unicode Characters Can Silently Backdoor Your AI-Generated Code. Retrieved from https://www.promptfoo.dev/blog/invisible-unicode-threats/

  2. Unicode Explorer. (n.d.). U+200B ZERO WIDTH SPACE. Retrieved from https://unicode-explorer.com/c/200B

  3. Invisible Characters. (n.d.). Unicode characters you can not see. Retrieved from https://invisible-characters.com/

  4. EditPad. (n.d.). Invisible Character - Blank Text Copy Paste. Retrieved from https://www.editpad.org/tool/invisible-character

  5. Originality.AI. (2025, June 26). Invisible Text Detector & Remover. Retrieved from https://www.editpad.org/tool/invisible-character

  6. KNIME. (2024, February 1). Invisible Unicode characters: How to find and remove them. Retrieved from https://www.knime.com/blog/how-to-find-remove-invisible-unicode-characters

  7. Emojipedia. (n.d.). Zero Width Joiner Emoji. Retrieved from https://emojipedia.org/zero-width-joiner

  8. The Eclectic Light Company. (2024, March 27). Invisible Unicode and compound emoji. Retrieved from https://eclecticlight.co/2024/03/30/invisible-unicode-and-compound-emoji/

  9. BleepingComputer. (2025, February 19). Phishing attack hides JavaScript using invisible Unicode trick. Retrieved from https://www.bleepingcomputer.com/news/security/phishing-attack-hides-javascript-using-invisible-unicode-trick/

  10. Blackswan Cybersecurity. (2025, April 4). Emerging Threat: Invisible Unicode Phishing Attacks. Retrieved from https://blackswan-cybersecurity.com/emerging-threat-invisible-unicode-phishing-attacks/

  11. Prompt Security. (2025, May 21). Unicode Exploits Are Compromising Application Security. Retrieved from https://www.prompt.security/blog/unicode-exploits-are-compromising-application-security

  12. WIRE TOR. (2025, February 19). Cybercriminals Use Invisible Unicode to Mask JavaScript in Phishing Attacks. Retrieved from https://medium.com/@wiretor/cybercriminals-use-invisible-unicode-to-mask-javascript-in-phishing-attacks-ee642cd1d509

  13. Vocal Media. (n.d.). Cybercriminals Use Invisible Unicode to Mask JavaScript in Phishing Attacks. Retrieved from https://vocal.media/01/cybercriminals-use-invisible-unicode-to-mask-java-script-in-phishing-attacks

  14. Hackread. (2024, August 27). New Unicode QR Code Phishing Scam Bypasses Traditional Security. Retrieved from https://hackread.com/unicode-qr-code-phishing-scam-bypasses-security/

  15. AUMINT.io. (2025, February 27). Ghost Code: The Sinister Rise of Invisible Phishing with Unicode Obfuscation. Retrieved from https://www.aumint.io/ghost-code-the-sinister-rise-of-invisible-phishing-with-unicode-obfuscation-👻/

  16. IronScales. (2024, July 10). What is Unicode Domain Phishing? Retrieved from https://ironscales.com/glossary/unicode-domain-phishing-attack

  17. IKARUS Security Software. (2021, April 1). Tricked: Phishing campaigns with hidden fonts and zero text. Retrieved from https://www.ikarussecurity.com/en/security-news-en/tricked-phishing-campaigns-with-hidden-fonts-and-zero-text/