Someone just reverse-engineered Google's SynthID watermarking system without ever seeing the proprietary code. The project, published on GitHub by researchers aloshdenny, uses spectral analysis to detect and strip the invisible watermarks Google embeds in every Gemini-generated image. Their detector hits 90% accuracy. The "V3 Bypass" removes watermarks while keeping image quality at 43+ dB PSNR.
SynthID hides its watermark in the frequency domain, and it's stronger in the Green channel than Red or Blue. But the carrier frequencies shift depending on image resolution. A fingerprint built from 1024x1024 images won't work on 1536x2816 images. The researchers solved this by building a multi-resolution "SpectralCodebook" that stores separate profiles for different image sizes and auto-selects the right one at runtime. The watermark's phase template turns out to be identical across all images from the same model, a fixed key that made it possible to extract the pattern from pure black and white reference images.
The removal process works by subtracting the known watermark signal directly in the frequency domain. Multiple passes strip out residual energy. The result is a 75% drop in carrier energy with a 91% drop in phase coherence. On Hacker News, commenters noted the irony that the project's own documentation might contain AI-generated text, while others raised ethical concerns about removing detection watermarks. That said, SynthID can introduce visible artifacts in text-heavy or edge-heavy areas, meaning removal might actually improve image quality in certain cases.
The team is now asking for contributions of pure black and white images generated by Google's models to expand their SpectralCodebook and improve performance across resolutions. Even 150 to 200 images at a new resolution can meaningfully improve detection and removal. It's an open-source arms race, and right now the attackers have the edge.