DeMark: A Query-Free Black-Box Attack on Deepfake Watermarking Defenses
- URL: http://arxiv.org/abs/2601.16473v1
- Date: Fri, 23 Jan 2026 06:04:43 GMT
- Title: DeMark: A Query-Free Black-Box Attack on Deepfake Watermarking Defenses
- Authors: Wei Song, Zhenchang Xing, Liming Zhu, Yulei Sui, Jingling Xue,
- Abstract summary: DeMark is a query-free black-box attack framework that targets defensive image watermarking schemes for deepfakes. We exploit latent-space vulnerabilities in encoder-decoder watermarking models through a compressive sensing based sparsification process. DeMark reduces watermark detection accuracy from 100% to 32.9% on average while maintaining natural visual quality.
- Score: 25.492274324587058
- License: http://creativecommons.org/publicdomain/zero/1.0/
- Abstract: The rapid proliferation of realistic deepfakes has raised urgent concerns over their misuse, motivating the use of defensive watermarks in synthetic images for reliable detection and provenance tracking. However, this defense paradigm assumes such watermarks are inherently resistant to removal. We challenge this assumption with DeMark, a query-free black-box attack framework that targets defensive image watermarking schemes for deepfakes. DeMark exploits latent-space vulnerabilities in encoder-decoder watermarking models through a compressive sensing based sparsification process, suppressing watermark signals while preserving perceptual and structural realism appropriate for deepfakes. Across eight state-of-the-art watermarking schemes, DeMark reduces watermark detection accuracy from 100% to 32.9% on average while maintaining natural visual quality, outperforming existing attacks. We further evaluate three defense strategies, including image super resolution, sparse watermarking, and adversarial training, and find them largely ineffective. These results demonstrate that current encoder decoder watermarking schemes remain vulnerable to latent-space manipulations, underscoring the need for more robust watermarking methods to safeguard against deepfakes.
Related papers
- RecoverMark: Robust Watermarking for Localization and Recovery of Manipulated Faces [16.612226216769262]
We propose RecoverMark, a watermarking framework that achieves robust manipulation localization, content recovery, and ownership verification simultaneously.
Our key insight is twofold. First, we exploit a critical real-world constraint: an adversary must preserve the background's semantic consistency to avoid visual detection.
Based on these insights, RecoverMark treats the protected face content itself as the watermark and embeds it into the surrounding background.
arXiv Detail & Related papers (2026-02-24T07:11:40Z)
- IConMark: Robust Interpretable Concept-Based Watermark For AI Images [50.045011844765185]
We propose IConMark, a novel in-generation robust semantic watermarking method.
IConMark embeds interpretable concepts into AI-generated images, making it resilient to adversarial manipulation.
We demonstrate its superiority in terms of detection accuracy and maintaining image quality.
arXiv Detail & Related papers (2025-07-17T05:38:30Z)
- When There Is No Decoder: Removing Watermarks from Stable Diffusion Models in a No-box Setting [37.85082375268253]
We study the robustness of model-specific watermarking, where watermark embedding is integrated with text-to-image generation.
We introduce three attack strategies: edge prediction-based, box blurring, and fine-tuning-based attacks in a no-box setting.
Our best-performing attack achieves a reduction in watermark detection accuracy to approximately 47.92%.
arXiv Detail & Related papers (2025-07-04T15:22:20Z)
- WMCopier: Forging Invisible Image Watermarks on Arbitrary Images [38.59295440296696]
We propose WMCopier, an effective watermark forgery attack that operates without requiring prior knowledge of or access to the target watermarking algorithm.
Our approach first models the target watermark distribution using an unconditional diffusion model, and then seamlessly embeds the target watermark into a non-watermarked image.
Experimental results demonstrate that WMCopier effectively deceives both open-source and closed-source watermark systems.
arXiv Detail & Related papers (2025-03-28T11:11:19Z)
- LampMark: Proactive Deepfake Detection via Training-Free Landmark Perceptual Watermarks [7.965986856780787]
This paper introduces a novel training-free landmark perceptual watermark, LampMark for short.
We first analyze the structure-sensitive characteristics of Deepfake manipulations and devise a secure and confidential transformation pipeline.
We present an end-to-end watermarking framework that imperceptibly embeds and extracts watermarks concerning the images to be protected.
arXiv Detail & Related papers (2024-11-26T08:24:56Z)
- Certifiably Robust Image Watermark [57.546016845801134]
Generative AI raises many societal concerns such as boosting disinformation and propaganda campaigns.
Watermarking AI-generated content is a key technology to address these concerns.
We propose the first image watermarks with certified robustness guarantees against removal and forgery attacks.
arXiv Detail & Related papers (2024-07-04T17:56:04Z)
- UnMarker: A Universal Attack on Defensive Image Watermarking [4.013156524547072]
We present UnMarker -- the first practical universal attack on defensive watermarking.
UnMarker requires no detector feedback, no unrealistic knowledge of the watermarking scheme or similar models, and no advanced denoising pipelines.
Evaluations against SOTA schemes prove UnMarker's effectiveness.
arXiv Detail & Related papers (2024-05-14T07:05:18Z)
- Latent Watermark: Inject and Detect Watermarks in Latent Diffusion Space [7.082806239644562]
Existing methods face the dilemma of image quality and watermark robustness.
Watermarks with superior image quality usually have inferior robustness against attacks such as blurring and JPEG compression.
We propose Latent Watermark, which injects and detects watermarks in the latent diffusion space.
arXiv Detail & Related papers (2024-03-30T03:19:50Z)
- Robustness of AI-Image Detectors: Fundamental Limits and Practical Attacks [47.04650443491879]
We analyze the robustness of various AI-image detectors including watermarking and deepfake detectors.
We show that watermarking methods are vulnerable to spoofing attacks where the attacker aims to have real images identified as watermarked ones.
arXiv Detail & Related papers (2023-09-29T18:30:29Z)
- Invisible Image Watermarks Are Provably Removable Using Generative AI [47.25747266531665]
Invisible watermarks safeguard images' copyrights by embedding hidden messages only detectable by owners.
We propose a family of regeneration attacks to remove these invisible watermarks.
The proposed attack method first adds random noise to an image to destroy the watermark and then reconstructs the image.
arXiv Detail & Related papers (2023-06-02T23:29:28Z)
- Certified Neural Network Watermarks with Randomized Smoothing [64.86178395240469]
We propose a certifiable watermarking method for deep learning models.
We show that our watermark is guaranteed to be unremovable unless the model parameters are changed by more than a certain l2 threshold.
Our watermark is also empirically more robust compared to previous watermarking methods.
arXiv Detail & Related papers (2022-07-16T16:06:59Z)
- Fine-tuning Is Not Enough: A Simple yet Effective Watermark Removal Attack for DNN Models [72.9364216776529]
We propose a novel watermark removal attack from a different perspective.
We design a simple yet powerful transformation algorithm by combining imperceptible pattern embedding and spatial-level transformations.
Our attack can bypass state-of-the-art watermarking solutions with very high success rates.
arXiv Detail & Related papers (2020-09-18T09:14:54Z)