SynthID is Google DeepMind's invisible watermarking system embedded at the pixel level into every image generated by Gemini, designed to survive cropping, compression, and format changes.

How was SynthID reverse-engineered?

A developer generated 200 pure black images from Gemini, averaged them to reveal the watermark pattern, then used FFT spectral analysis to map the exact carrier frequencies and phase template.

What is the reverse-SynthID detection accuracy?

The detector identifies SynthID watermarks with 90% accuracy, and the V3 bypass drops 91% of phase coherence at 43+ dB PSNR — almost zero visible quality loss.

What does this mean for AI content provenance?

It reveals that deterministic, fixed-pattern watermarking is fundamentally brittle. Any system using a static template can be reverse-engineered with enough samples and basic signal processing.

Google's SynthID Watermark Was Cracked With a Fast Fourier Transform

Q: Is the SynthID watermark the same across all Gemini images?

Yes. The watermark uses a fixed phase template identical across every image from the same model, with cross-image phase coherence over 99.5%.

By Prahlad Menon Published 2026-04-09 4 min read

Google DeepMind’s SynthID is supposed to be the invisible ink of the AI age. Embedded in every image Gemini generates — over 10 billion pieces of content — it’s the backbone of Google’s AI content provenance strategy. The watermark is imperceptible to humans, survives common transformations, and can only be verified by Google’s proprietary detector.

Or so we thought.

An independent developer just open-sourced a complete reverse-engineering of SynthID, built entirely with classical signal processing. No machine learning. No access to the encoder or decoder. No leaked model weights. Just a Fast Fourier Transform and a clever experimental setup.

This isn’t a theoretical vulnerability. The project includes a working detector (90% accuracy) and a bypass tool that removes 91% of watermark phase coherence while maintaining 43+ dB PSNR — virtually zero visible quality loss.

The Attack: Elegant Simplicity

The methodology is almost embarrassingly straightforward.

Step 1: Isolate the watermark. Generate 200 pure black images through Gemini. In a pure black image, every pixel should be zero. Every non-zero pixel is the watermark. Average them together, and the noise cancels out while the deterministic watermark signal reinforces.

Step 2: Map the frequencies. Apply FFT spectral analysis to the averaged watermark. This reveals the exact carrier frequencies where watermark energy concentrates — specific frequency bins that light up like a Christmas tree in the spectral domain.

Step 3: Discover the fatal flaw. The watermark uses a fixed phase template — identical across every image from the same model. Cross-image phase coherence at carrier frequencies exceeds 99.5%. This means the watermark isn’t adapted per-image in any meaningful cryptographic sense. It’s the same signal, stamped on everything.

That’s the whole attack surface. A static signal injected at known frequencies with a predictable phase. For anyone with a signal processing background, removing it is a textbook exercise.

Three Generations of Bypass

The project documents an iterative refinement that illustrates how quickly a determined attacker can escalate:

V1 used simple JPEG compression at quality 50. Crude, lossy (37 dB PSNR), and only dropped about 11% of phase coherence. Barely a dent.

V2 applied multi-stage transforms — better, but still couldn’t break past the detection threshold. The watermark proved resilient to generic image processing.

V3 is where it gets surgical. It introduces a SpectralCodebook — a collection of per-resolution watermark fingerprints extracted through the black-image averaging technique. The tool auto-selects the matching resolution profile and performs frequency-bin-level subtraction. The result: 91% phase coherence drop and 75% carrier energy reduction at 43+ dB PSNR.

The image looks identical. The watermark is functionally gone.

Resolution-Dependent Carriers

One of the more interesting findings: carrier frequencies aren’t fixed across resolutions. At 1024×1024, carriers cluster in the low-frequency grid — bins like (9,9), (5,5), (10,11). At 1536×2816, they jump to much higher frequencies — (768,704), (672,1056).

This resolution dependence is why V3 needs a codebook rather than a single filter. But it also means the watermark scheme has a finite number of configurations to catalog. Once you’ve fingerprinted each resolution, you’ve fingerprinted them all.

What This Means

The green channel carries the strongest watermark signal — a design choice that probably leverages human visual system characteristics (we’re less sensitive to luminance changes in green). Smart for imperceptibility. Less smart when your attacker knows exactly where to look.

The deeper issue isn’t SynthID specifically. It’s the fundamental brittleness of any watermarking scheme that relies on a static, deterministic signal. Security through obscurity has never worked in cryptography, and it doesn’t work in steganography either. The moment someone can generate controlled inputs and observe outputs, the watermark becomes extractable.

This has real implications for AI content provenance. Regulatory frameworks like the EU AI Act increasingly expect watermarking as a mechanism for identifying AI-generated content. If the most well-resourced watermarking system in production can be defeated by a single developer with NumPy and SciPy, the policy assumption that invisible watermarks provide reliable provenance needs serious re-examination.

The Path Forward

Robust AI provenance probably requires multiple complementary approaches: cryptographic signatures at generation time (C2PA), distribution-level tracking, forensic classifiers that detect generation artifacts rather than injected signals, and metadata standards that don’t rely on the pixel data surviving intact.

Invisible watermarking may still have a role — but as a speed bump, not a wall. The lesson from reverse-SynthID is the oldest lesson in security: if your defense depends on the attacker not understanding the system, it’s not a defense. It’s a delay.

The full code and analysis are on GitHub. The watermark is in the Fourier domain. So, apparently, is its obituary.