spoof-unicode-text
Unicode "spoofing" or "homoglyph substitution" replaces Latin characters with visually identical characters from other scripts: Cyrillic "а" (U+0430) for Latin "a" (U+0061), Greek "ο" (U+03BF) for Latin "o" (U+006F), or a Cherokee lookalike for Latin "A". The result looks identical to the eye but is a different string under the hood. Security researchers and educators use it to demonstrate IDN (internationalised domain name) homograph attacks, phishing risk, and Unicode-confusable detection in software. The ZTools tool is for research, awareness, and testing, not for malicious deception. Do not use it to deceive real users.
Use cases
Security training & awareness demos
Show colleagues why "раураl.com" (Cyrillic "р" + "а") is not "paypal.com". Visually identical strings are how phishing campaigns trick users; live demos are more memorable than slide-deck warnings.
Anti-phishing research
Generate test strings to validate your homoglyph-detection rules in URL filters, email gateways, and brand-protection tools.
Username squatting tests
Some services normalise lookalikes; some don't. Test whether your platform allows homoglyph variants of admin/staff usernames, and fix it if it does.
Bug bounty & pentesting
Authorised pentesting only: probe whether an application's identity comparison is byte-level or normalised, and document the findings.
How it works
- Paste plain ASCII: Latin letters with confusable counterparts in other scripts.
- Pick a substitution profile: Aggressive (replace everything that has any lookalike) vs Conservative (replace only characters with very close confusables, the Unicode TR39 "single-script confusable" set).
- Generate: each Latin character is replaced by its homoglyph (Cyrillic, Greek, Cherokee, Latin Extended).
- Inspect side-by-side: the tool shows both strings, plus the source script and Unicode code point of each character.
Examplesβ
Input: "paypal" β aggressive
Output: "ΡΠ°ΡΡΠ°Σ" β Cyrillic Ρ, Π°, Ρ, Π°, Σ. Looks identical; bytes differ.
Input: "admin" β conservative
Output: "Π°dmin" β only "a" replaced (Cyrillic Π°); rest unchanged.
Input: "google.com" β domain-spoofing demo
Output: "gΠΎΠΎgle.com" β both "o"s Cyrillic; 100% visual match in most fonts.
Frequently asked questions
Is this legal to use?
The tool itself is legal. Using output to deceive users (phishing, fraud) is illegal in most jurisdictions (CFAA, computer-misuse acts). Use for training, research, security testing, and awareness only.
Why does a Cyrillic а look identical to Latin a?
Cyrillic and Latin scripts share Greek ancestry. Many cursive lowercase forms converged. Modern Unicode keeps them as separate characters because they have different uppercases (А/A) and behave differently in their respective languages.
How do I detect homoglyph attacks in my app?
Use Unicode TR39 Confusables data + Punycode normalisation for domains. Many libraries (uts39, confusable_homoglyphs) implement this.
Will browsers warn me about a homoglyph URL?
Modern browsers (Chrome, Firefox, Safari) detect mixed-script IDN domains and force Punycode display ("xn--..."). Single-script all-Cyrillic domains are NOT auto-flagged, so visual deception is still possible.
Why aren't emoji available as substitutes?
Emoji aren't typographic letterforms; they're pictograms. Confusable detection focuses on letter-shape lookalikes only.
Does this work on iOS / Android?
Yes. Unicode is universal. Some keyboards make typing non-Latin scripts harder, which is part of the defence-in-depth.
Tips
- Always disclose when sharing spoofed strings; never use them to mislead.
- For demos, show both the visible string and a hex dump side-by-side; the byte-level reality lands harder than the warning.
- If your app accepts usernames, normalise to NFKC and run script-mixing detection at signup.
- Brand protection: monitor IDN registrations of your trademark via tools like DNStwist; homoglyph squatting is common.
- For password fields, browsers normalise differently, so test homoglyph passwords against your auth system.
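One way to implement the signup check from the tips and the detection FAQ above (NFKC, script-mixing detection, then a confusable fold that also catches single-script lookalikes), as an added example that is not ZTools code. The `CONFUSABLES` table is a small constructed subset of the TR39 data, and the function names and the reserved-name list are assumptions.

```javascript
// Added example. CONFUSABLES is a constructed subset for illustration;
// a production check should load the full Unicode TR39 confusables.txt.
const CONFUSABLES = new Map(Object.entries({
  "\u0430": "a", "\u0435": "e", "\u043E": "o", "\u0440": "p", // Cyrillic а е о р
  "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u04CF": "l", // Cyrillic с у х ӏ
  "\u03BF": "o",                                              // Greek ο
}));
const SCRIPTS = ["Latin", "Cyrillic", "Greek", "Cherokee"];
const SCRIPT_RE = SCRIPTS.map((s) => [s, new RegExp(`\\p{Script=${s}}`, "u")]);

// Per-character view (code point + script): the "hex dump" for a demo.
function inspect(str) {
  return [...str.normalize("NFKC")].map((ch) => ({
    char: ch,
    codePoint: "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"),
    script: (SCRIPT_RE.find(([, re]) => re.test(ch)) || ["Other"])[0],
  }));
}

// Scripts used by the letters of the string; more than one means mixed-script.
function scriptsOf(str) {
  const letters = inspect(str).filter((c) => /\p{L}/u.test(c.char));
  return new Set(letters.map((c) => c.script));
}

// Fold lookalikes to a Latin "skeleton" so confusable strings compare equal.
function skeleton(str) {
  const folded = [...str.normalize("NFKC").toLowerCase()];
  return folded.map((ch) => CONFUSABLES.get(ch) ?? ch).join("");
}

// Signup check. The exact reserved name itself is left to the normal
// uniqueness check; this only flags lookalikes of it.
function checkUsername(name, reserved = ["admin", "paypal"]) {
  if (scriptsOf(name).size > 1) return { ok: false, reason: "mixed-script" };
  const plain = name.normalize("NFKC").toLowerCase();
  const skel = skeleton(name);
  if (skel !== plain && reserved.includes(skel)) {
    return { ok: false, reason: "confusable-with-reserved" };
  }
  return { ok: true, reason: null };
}
```

The mixed-script test alone passes an all-Cyrillic "paypal"; the skeleton comparison is what rejects it.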
Try it now
The full spoof-unicode-text runs in your browser at https://ztools.zaions.com/spoof-unicode-text: no signup, no upload, no data leaves your device.
Last updated: 2026-05-06 · Author: Ahsan Mahmood