Spoof Unicode Text — Lookalike Character Replacer (Free)
Replace Latin letters with visually-identical Unicode lookalikes (Cyrillic, Greek). For research and demos of homoglyph attacks. Free, ethical use.
About Spoof Unicode Text
Unicode "spoofing" or "homoglyph substitution" replaces Latin characters with visually-identical characters from other scripts — Cyrillic "а" (U+0430) for Latin "a" (U+0061), Greek "ο" (U+03BF) for Latin "o" (U+006F), Cherokee "ᴀ" for Latin "A". The result looks identical to the eye but is a different string under the hood. It is used by security researchers and educators to demonstrate IDN (internationalised domain name) homograph attacks, phishing risk, and Unicode-confusable detection in software. The ZTools tool is for research, awareness, and testing — not for malicious deception. Do not use it to deceive real users.
Use cases
- Security training & awareness demos. Show colleagues why "раураl.com" (Cyrillic "р" + "а") is not "paypal.com". Visual-identical strings are how phishing campaigns trick users; live demos are more memorable than slide-deck warnings.
- Anti-phishing research. Generate test strings to validate your homoglyph-detection rules in URL filters, email gateways, and brand-protection tools.
- Username squatting tests. Some services normalise lookalikes; some don't. Test whether your platform allows homoglyph variants of admin/staff usernames — fix if it does.
- Bug bounty & pentesting. Authorised pentesting only: probe whether an application's identity comparison is byte-level or normalised. Document findings.
How it works
- Paste plain ASCII. The tool works on Latin letters that have confusable counterparts in other scripts.
- Pick a substitution profile. Aggressive (replace everything that has any lookalike) vs Conservative (replace only characters with very-close confusables — Unicode TR39 "single-script confusable" set).
- Generate. Each Latin character is replaced by its homoglyph (Cyrillic, Greek, Cherokee, Latin Extended).
- Inspect side-by-side. The tool shows both strings + per-character source script + Unicode code point.
Examples
Input: "paypal" — aggressive
Output: "раураӏ" — Cyrillic р, а, у, а, ӏ. Looks identical; bytes differ.
Input: "admin" — conservative
Output: "аdmin" — only "a" replaced (Cyrillic а); rest unchanged.
Input: "google.com" — domain-spoofing demo
Output: "gооgle.com" — both "o"s Cyrillic; 100% visual match in most fonts.
Frequently asked questions
Is this legal to use?
The tool itself is legal. Using output to deceive users (phishing, fraud) is illegal in most jurisdictions (CFAA, computer-misuse acts). Use for training, research, security testing, and awareness only.
Why does a Cyrillic а look identical to Latin a?
Cyrillic and Latin scripts share Greek ancestry. Many cursive lowercase forms converged. Modern Unicode keeps them as separate characters because they have different uppercases (А/A) and behave differently in their respective languages.
How do I detect homoglyph attacks in my app?
Use Unicode TR39 Confusables data + Punycode normalisation for domains. Many libraries (uts39, confusable_homoglyphs) implement this.
Will browsers warn me about a homoglyph URL?
Modern browsers (Chrome, Firefox, Safari) detect mixed-script IDN domains and force Punycode display ("xn--..."). Single-script all-Cyrillic domains are NOT auto-flagged — visual deception is still possible.
Why aren't emoji available as substitutes?
Emoji aren't typographic letterforms; they're pictograms. Confusable detection focuses on letter-shape lookalikes only.
Does this work on iOS / Android?
Yes — Unicode is universal. Some keyboards make typing non-Latin scripts harder, which is part of the defence-in-depth.
Pro tips
- Always disclose when sharing spoofed strings — never use to mislead.
- For demos, show both the visible string and a hex dump side-by-side; the byte-level reality lands harder than the warning.
- If your app accepts usernames, normalise to NFKC and apply script-mixing detection at signup.
- Brand-protection: monitor IDN registrations of your trademark via tools like DNStwist; homoglyph squatting is common.
- For password fields, browsers normalise differently — test homoglyph passwords against your auth system.
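A signup check along the lines of the detection FAQ answer and the NFKC tip above, as an added example (not ZTools code and not the API of the libraries named earlier). Assumptions: `CONFUSABLES` is a small constructed subset standing in for the TR39 confusables data, the script of a letter is approximated from the first word of its Unicode name because Python's standard library has no Script property, and all function names are hypothetical.

```python
import unicodedata

# Constructed subset for illustration only; a real deployment loads the full
# confusables.txt published with Unicode TR39.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def scripts_of(text):
    """Approximate the scripts in use from the first word of each letter's name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def skeleton(text):
    """Comparison key: NFKC, casefold, then fold known confusables to Latin.

    NFKC alone folds compatibility forms (e.g. fullwidth letters) but leaves
    Cyrillic U+0430 distinct from Latin "a", so the confusables step is required.
    """
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_username(candidate, reserved):
    """Return the reasons to reject `candidate` at signup (empty list = accept)."""
    reasons = []
    normalised = unicodedata.normalize("NFKC", candidate)
    if len(scripts_of(normalised)) > 1:
        reasons.append("mixed-script")
    key = skeleton(candidate)
    for name in reserved:
        # Exact duplicates are left to the normal uniqueness check.
        if candidate != name and key == skeleton(name):
            reasons.append(f"confusable-with:{name}")
    return reasons


if __name__ == "__main__":
    for sample in ("\u0430dmin", "\u0440\u0430\u0443\u0440\u0430\u04cf", "alice"):
        print([f"U+{ord(c):04X}" for c in sample], check_username(sample, ["admin", "paypal"]))
```

The all-Cyrillic sample passes the mixed-script test and is caught only by the skeleton comparison, which is why both checks are needed.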
Reviewed by Ahsan Mahmood · Last updated 2026-05-06 · Part of ZTools.