A developer named Aloshdenny has successfully reverse-engineered Google's SynthID watermarking system using nothing but 200 Gemini-generated images and signal processing techniques. By generating pure black images and averaging their noise patterns, Aloshdenny isolated the watermark's frequency-domain signature and developed a removal method that achieves 91.4% phase coherence drop with minimal image quality loss. The attack exploits a fundamental flaw: SynthID uses a consistent pattern across all images from the same model, making it statistically observable when you have enough samples.
This isn't just about one watermark getting cracked — it exposes the inherent tension between systematic watermarking and security. SynthID seemed clever because it embeds watermarks during generation rather than stamping them on afterward. But that consistency became its weakness. The research reveals that invisible watermarks face the same trade-offs as visible ones: either they're robust enough to be detectable, or they're subtle enough to be removable. Google disputes the effectiveness of the crack, but the open-source code and documented methodology suggest otherwise.
The broader implications cut deeper than Google's implementation. Multiple sources confirm this attack works through spectral analysis of the frequency domain, where SynthID places carrier frequencies at resolution-dependent positions. At 1024×1024, carriers appear at low frequencies like (9,9); at higher resolutions, they shift accordingly. The phase template remains identical across all Gemini images with 99.5% cross-image coherence, making pattern extraction straightforward once you know what to look for.
For developers building AI detection systems, this should be a wake-up call. Behavioral watermarks that rely on consistent patterns are vulnerable to statistical attacks. The real question isn't whether watermarks can be removed — it's whether we're building detection systems that can evolve faster than the removal techniques.