[2603.00164] Reverse CAPTCHA: Evaluating LLM Susceptibility to Invisible Unicode Instruction Injection

Computer Science > Cryptography and Security arXiv:2603.00164 (cs) [Submitted on 26 Feb 2026] Title:Reverse CAPTCHA: Evaluating LLM Susceptibility to Invisible Unicode Instruction Injection Authors:Marcus Graves View a PDF of the paper titled Reverse CAPTCHA: Evaluating LLM Susceptibility to Invisible Unicode Instruction Injection, by Marcus Graves View PDF HTML (experimental) Abstract:We introduce Reverse CAPTCHA, an evaluation framework that tests whether large language models follow invisible Unicode-encoded instructions embedded in otherwise normal-looking text. Unlike traditional CAPTCHAs that distinguish humans from machines, our benchmark exploits a capability gap: models can perceive Unicode control characters that are invisible to human readers. We evaluate five models from two providers across two encoding schemes (zero-width binary and Unicode Tags), four hint levels, two payload framings, and with tool use enabled or disabled. Across 8,308 model outputs, we find that tool use dramatically amplifies compliance (Cohen's h up to 1.37, a large effect), that models exhibit provider-specific encoding preferences (OpenAI models decode zero-width binary; Anthropic models prefer Unicode Tags), and that explicit decoding instructions increase compliance by up to 95 percentage points within a single model and encoding. All pairwise model differences are statistically significant (p < 0.05, Bonferroni-corrected). These results highlight an underexplored attack surface for ...