Generative image models have reshaped how we create and share images, and vendors responded by embedding watermarks and provenance signals to help trace origin and enforce rights. Those watermarks range from visible logos and metadata to invisible latent-noise signatures and semantic marks embedded in model outputs.
But in the last few years, a steady stream of research , across ICCV, ICML, NeurIPS and arXiv preprints , has shown that many watermark classes are vulnerable to adaptive attacks. This article reviews the evidence, the evolving attack toolkit, and what defenders can realistically expect.
Why watermarks were proposed and how they work
Watermarks and provenance tags were proposed to provide provenance, attribution, and copyright protection for AI-generated content. Industry systems such as Google SynthID, OpenAI/DALL·E 3 C2PA Content Credentials, and Microsoft previews demonstrate the real-world push to surface origin information to end users and platforms.
The technical approaches vary: visible marks and metadata are easy to understand but easy to strip; invisible pixel-level or latent-noise watermarks try to hide signals in the generation process; semantic watermarks encode higher-level cues tied to content or class. Each class accepts different attacker models and trade-offs between robustness, visibility, and utility.
Researchers and vendors recognized that generative models are powerful oracles, denoisers, diffusion samplers, and large image editors, that attackers can use to perturb or regenerate images. That capability fundamentally alters the threat model for any watermark scheme deployed at scale.
The adaptive attack landscape: per-image, model-targeted, and black-box
Recent literature categorizes attacks into three practical groups: per-image attacks (adversarial perturbations, denoise+reconstruct), model-targeted attacks (fine-tuning or purifying an open-source decoder), and black-box forgery/removal attacks that require only a single reference image. This taxonomy helps explain why different watermark classes fail in different ways.
High-profile papers document how these attacks operate. The ICML 2024 result "Watermarks in the Sand" concludes that "strong watermarking is impossible." Under relatively natural assumptions the paper gives efficient attacks that remove watermarks with minimal quality loss (ICML 2024).
Model-targeted attacks can be especially powerful on open-source diffusion decoders: fine-tuning or targeted purification can erase latent signals across many outputs, while preserving perceptual quality. Per-image attacks, by contrast, focus resources on a small set of images and can use regeneration/denoising to reliably break invisible watermarks (2023 arXiv regeneration work).
Black-box and single-image attacks: practical and surprising
One of the most worrying empirical trends is the rise of black-box methods that need very little information. A December 2024 arXiv and an April 2025 arXiv paper show attackers can forge or remove semantic and latent-noise diffusion watermarks using unrelated models or only a single watermarked example.
As one paper puts it: "black-box adversarial attack ... uses only a single watermarked example." The April 2025 work "Forging and Removing Latent-Noise Diffusion Watermarks Using a Single Image" demonstrates a practical, black-box recipe for both forging and erasing latent-noise watermarks across multiple schemes on SDv1.4 and SDv2.0 (arXiv 2025).
These single-example attacks matter because they scale, an attacker need not access the original model, watermark key, or large corpora. A lone watermarked image can enable broad forgery or removal across many outputs, dramatically lowering the bar for misuse.
Provable defenses, their gains, and their limits
Defenders have pushed back. NeurIPS 2024 introduced RAW (A Robust and Agile Plug-and-Play Watermark Framework), claiming provable guarantees against removal attacks and reporting AUROC improvements from 0.48 to 0.82 under adversarial removal scenarios (NeurIPS 2024). These results show measurable progress in adversarial robustness evaluation.
Other defenses aim to bind watermarks cryptographically, add semantic-aware embeddings, or use traceable seeds. SEAL-like proposals and NoisePrints concepts attempt to tie watermark verification to content semantics or cryptographic seeds instead of fragile pixel patterns, raising the effort required for successful forgery or removal.
Still, theory and empirical work temper optimism. The ICML impossibility result and a range of regeneration and denoising attacks make plain that some watermark guarantees cannot hold universally. The arms race continues: provable defenses often rely on stronger assumptions (limited attacker access, restricted oracles) that real-world attackers may not respect.
Case studies, toolkits, and real-world incidents
Several toolkits and reproducible repos let researchers and attackers run through removal and forgery pipelines. Projects such as DiffWA, Warfare, DiffuseTrace, and others have benchmarked removal techniques; one toolkit reported attack speeds thousands of times faster than early diffusion-model-based attacks, making large-scale removal feasible.
Academic code and demos are also public: for example, the ICML "impossibility" repo, the Stable Signature official repo (ICCV 2023), and many GitHub aggregators make both watermark designs and their breaks reproducible. This openness accelerates both defense and attack development.
Industry incidents illustrate impact. In March 2025 reporters demonstrated that Google’s Gemini 2.0 Flash image tools could remove visible watermarks and plausibly fill-in missing regions, sparking copyright and safety concerns. Meanwhile, vendors that ship provenance metadata caution that visible marks and metadata can be stripped, edited, or lost during regeneration.
Practical guidance: what defenders, platforms, and users should do
First, accept realistic expectations: no single watermark class is bulletproof against adaptive attackers. The practical takeaway across multiple papers and news reports is that invisible/latent watermarks can be removed or forged using regeneration via diffusion, per-image adversarial perturbations, or model-targeted fine-tuning, and many attacks need only black-box access or a single reference image.
Second, layer defenses. Combine provenance metadata, visible cues, cryptographic binding when possible, and server-side verification at point-of-distribution. Use detection systems that incorporate semantics-aware signals and anomaly detection rather than relying on a single fragile bit in pixels or latent noise.
Finally, invest in monitoring, policy, and legal tools. Because technical defenses will lag behind adaptive attackers, platforms must pair watermarking with content moderation, takedown workflows, and provenance transparency so that harms can be mitigated even when technical markers fail.
Research outlook: the ongoing arms race
The field is healthy in the sense that top-tier venues (ICCV, ICML, NeurIPS) and an active arXiv stream document both new watermark proposals and corresponding adaptive attacks. This pattern, propose, attack, defend, repeat, suggests continued progress but no final victory.
One research direction is formalizing attacker capabilities and provable bounds under realistic oracles; another is building cryptographic bindings between content and model keys that are harder to simulate or invert. Yet every new defense will be stress-tested by generative oracles that can simulate removal pathways.
Open-source models and public code lower the barrier for large-scale attacks, so research must combine technical advances with operational measures, reproducible benchmarks, and interdisciplinary work across law and policy to make watermarking meaningful in practice.
In short, watermarks remain a useful tool but not a panacea. Designers should avoid overclaiming guarantees and instead present watermarks as one element of a layered provenance strategy.
As the literature summarizes: "strong watermarking is impossible." Defense can raise the cost of misuse, but the arms race will continue as attackers exploit oracles, single-image attacks, and model fine-tuning to remove or forge signals.
