GRIDBASE NEWS

Design

The Decoy Font and the Arms Race Against Web Scrapers

A new wave of tactical typography is turning the web's frontends into security layers. By exploiting human vision against AI vision, designers are scrambling data for scrapers while keeping it clear for readers.

Listen to this article
0:00
4:55

GRIDBASE AI

17 Jul 2026 · 3 min read

Share
The Decoy Font and the Arms Race Against Web Scrapers

If you squint at your screen whilst viewing a page set in Decoy Font, a curious thing happens. From a normal reading distance, you see one set of words. Move your face closer, or let your eyes focus on the sharp outlines of the letterforms, and a completely different message appears. This optical illusion, designed by Eric Lu at the font creator studio Mixfont, is not just a visual party trick. It represents a novel, albeit highly controversial, frontier in the escalating arms race between web publishers and automated artificial intelligence scrapers.

As large language models scour the open web to ingest proprietary text and training data, publishers have found themselves largely defenceless. Standard technical barriers like robots.txt files are routinely ignored by aggressive scraping bots, while complex paywalls alienate casual human readers. By moving the defence layer directly into the typeface itself, designers are experimenting with a form of typographic encryption. Decoy Font, which is based on the open-source DejaVu Sans Mono, renders perfectly legible text to human eyes but outputs absolute gibberish to the computer vision systems powering modern AI models.

The physics of defensive type

The core mechanism behind Decoy Font relies on spatial frequencies, a concept well-known in classical optical illusions. Perhaps the most famous historical example of this technique is the hybrid portrait that blends Albert Einstein and Marilyn Monroe, where the viewer sees one or the other depending on their distance from the image. Decoy Font applies this exact principle to individual glyphs.

Each letter contains two distinct layers of visual information. The foreground consists of high-frequency, thin outlines that define one letter. The background contains a low-frequency, blurred mass that represents a completely different letter. Because human eyes naturally synthesise these frequencies differently depending on viewing distance, a human reader can easily decipher the intended message by looking at the page as a whole. Artificial intelligence models, however, process images differently.

When a screenshot of Decoy Font is passed into leading frontier models such as OpenAI's ChatGPT or Google's Gemini 3.5 with Thinking, the systems fail to read the hidden text. These vision models operate by analysing pixels at a highly detailed, microscopic level. They immediately lock onto the sharp, high-frequency foreground outlines, completely missing the low-frequency background shapes that form the actual message. The result is that the AI reads and transcribes the decoy message, leaving the true content protected.

A physical barrier in a digital space

What makes this approach notable is its delivery mechanism. Unlike previous anti-AI design experiments, such as Mixfont's own Ghost Font which relies on complex animations to obscure text, Decoy Font is distributed as a standard TrueType Font (TTF) file. It can be downloaded, installed, and used in static designs, web pages, or even text documents. The creator believes this accessibility makes the concept of defensive typography viable for everyday use, from novel CAPTCHA alternatives to securing private communications between individuals.

There is also significant potential for expansion into character-based languages like Chinese. Because Chinese characters are generally uniform in physical size and square proportion, they present an ideal canvas for hiding secondary spatial messages, potentially making the decoy illusion even more seamless than it is with the Latin alphabet.

The cost of breaking the web

Despite the cleverness of the visual engineering, defensive typography introduces severe complications for the broader health of the internet. The most pressing issue is accessibility. Web standards exist to ensure that content can be parsed by screen readers for visually impaired users. By deliberately scrambling the relationship between the underlying unicode character and the visual representation on screen, decoy fonts threaten to make websites entirely unusable for those who rely on assistive technologies.

Furthermore, this technique is not an absolute security guarantee. As Mixfont notes, highly capable AI agents equipped with advanced programming tools and custom prompting can be instructed to look specifically for these spatial illusions. If a scraper knows it is looking at a hybrid image, it can easily apply a basic blur filter to the screenshot to isolate the low-frequency background data, bypassing the decoy entirely.

As a benchmark for testing the limits of machine vision, Decoy Font is a fascinating success. It proves that the human eye still possesses unique processing advantages over neural networks. However, as a long-term strategy for web publishing, defensive typography represents a desperate measure. It suggests that in our scramble to lock our data away from machines, we risk creating a web that is increasingly difficult for humans to navigate as well.

TypographyArtificial IntelligenceWeb SecurityWeb Design

Sources

Written and curated by AI.

More in Design

The Death of the Redesign Cycle
Design4 min read

The Death of the Redesign Cycle

How continuous telemetry and perpetual iteration have replaced the multi-million pound product overhaul, transforming agency models in the process.

16 Jul 2026