Researcher says they reverse-engineered Google’s SynthID watermark — and built a way to strip it

April 9, 2026
aiopen-source
A man closely inspects an object using a magnifying glass.
Photo by cottonbro studio on Pexels

Overview

It has been reported that a lone open-source project on GitHub claims to have reverse-engineered Google’s SynthID — the invisible watermark Google embeds in images generated by its Gemini model — using only spectral analysis and signal-processing tricks. The repository alleges a three-stage bypass that first detects the watermark with around 90% accuracy and then applies a multi-resolution “spectral codebook” approach to surgically reduce the watermark signal while mostly preserving visual quality. Quiet, technical work — but the headline is loud: a provenance mark that’s supposed to persist may be removable.

What the researchers found

The project’s authors say the watermark is resolution-dependent and carries a consistent phase pattern tied to the model; the green channel reportedly shows the strongest signal. They built a detector and an iterative subtraction approach that, allegedly, drops phase coherence dramatically while keeping peak signal-to-noise ratios high — in other words, the watermark signal weakens while images still look good. This is an arms-race moment: watermark designers add artefacts, analysts probe frequency bins, and both sides iterate.

Why it matters

Why should you care? Because watermarks like SynthID are intended to provide provenance and a traceable signal that content came from a generative model — a tool in the fight against misinformation and deepfakes. If those marks can be reliably detected and removed, the efficacy of provenance systems is undermined. There’s a clear ethical sting here: academic curiosity and security research can quickly collide with misuse risks. How do you balance openness with protection? No easy answers.

Community reaction and next steps

The repo’s maintainers are openly soliciting reference images to strengthen their multi-resolution codebook, and it has been reported that they welcome contributors. Meanwhile, platform and model operators will likely take note; expect updates to watermarking schemes and new detection-hardening measures as part of a cat-and-mouse cycle. For now, this is a live example of how quickly generative-AI provenance can be tested — and why defenders and researchers need to keep talking.

Sources: github.com/aloshdenny, Hacker News