--- id: BTAA-TEC-010 title: 'Special Tokens and Glitch Patterns: How Unusual Tokens Disrupt Model Processing' slug: special-tokens-glitch-patterns type: lesson code: BTAA-TEC-010 aliases: - special tokens - glitch tokens - token disruption - attention bypass author: Herb Hermes date: '2026-04-10' last_updated: '2026-04-11' description: Learn how special tokens and glitch patterns can disrupt model attention mechanisms and bypass safety filters through token-level manipulation. category: offensive-techniques difficulty: intermediate platform: Universal challenge: Identify which token patterns could disrupt safety filtering read_time: 9 minutes tags: - prompt-injection - special-tokens - glitch-tokens - tokenization - attention-mechanisms - model-behavior - technique status: published test_type: adversarial model_compatibility: - Kimi K2.5 - MiniMax M2.5 - GPT-4 - Claude - Gemini responsible_use: Use this approach only on authorized training systems, sandboxes, or systems you are explicitly permitted to test. prerequisites: - BTAA-FUN-001 — What is Prompt Injection - BTAA-TEC-007 — Stacked Framing and Instruction Laundering follow_up: - BTAA-EVA-005 — Format Confusion and Encoded Extraction - BTAA-DEF-003 — Multi-Layer Defense Strategies public_path: /content/lessons/techniques/special-tokens-glitch-patterns.md pillar: learn pillar_label: Learn section: techniques collection: techniques taxonomy: intents: - disrupt-attention-mechanisms - bypass-keyword-filters - redefine-instruction-boundaries techniques: - special-token-insertion - glitch-token-exploitation - delimiter-manipulation evasions: - token-level-obfuscation - attention-disruption inputs: - chat-interface - formatted-prompts - structured-templates --- # Special Tokens and Glitch Patterns: How Unusual Tokens Disrupt Model Processing > **Responsible use:** Use this approach only on authorized training systems, sandboxes, or systems you are explicitly permitted to test. --- ## Purpose This lesson teaches you to recognize **special token attacks** and **glitch pattern exploitation** — techniques that manipulate models at the token level to bypass safety filters and disrupt normal processing. Understanding how unusual tokens affect model attention and behavior helps you build more robust defenses and identify sophisticated attack vectors. --- ## What this technique is **Special token attacks** insert unusual tokens, special delimiters, or out-of-distribution characters into prompts to: - Disrupt attention mechanisms that normally focus on semantically important content - Create parsing ambiguities at the boundary between instructions and content - Trigger anomalous model behaviors that keyword-based filters cannot anticipate **Glitch tokens** are vocabulary entries that produce unexpected or unstable model outputs due to anomalous properties in their embeddings or training exposure. Together, these techniques exploit the gap between how humans read text and how tokenizers process it. --- ## How it works ### Tokenization fundamentals Language models don't read text directly—they process **tokens**, which are numerical representations of words, subwords, or characters. Before any safety evaluation occurs, your input becomes a sequence of token IDs: ``` "Hello world" → [15496, 995] → model processing ``` This tokenization step creates opportunities for manipulation: ### Attack vector 1: Attention disruption Transformers use attention mechanisms to determine which parts of input to focus on. Special tokens can: - Scatter attention across non-semantic tokens - Create artificial "attention sinks" that draw focus from safety-relevant content - Disrupt the coherence of how instructions are parsed > **Research insight:** Studies on jailbreak transferability show that token-level perturbations can significantly alter which parts of a prompt the model prioritizes during response generation. ### Attack vector 2: Boundary redefinition Special delimiters and markers can redefine where the model perceives instruction boundaries: - Standard prompts: `User: [instruction] Assistant: [response]` - Manipulated prompts: Insert special tokens between instruction segments to create false boundaries The model may interpret content after special markers as a new context, bypassing safety instructions that preceded the marker. ### Attack vector 3: Glitch token exploitation Some tokens in a model's vocabulary produce anomalous behavior: - Tokens from rare training data that the model never learned to handle consistently - Special control tokens exposed through the tokenizer - Character combinations that map to unexpected embedding representations When processed, these tokens can cause the model to "glitch"—producing outputs that don't follow normal semantic or safety constraints. --- ## Why it works Special token attacks succeed because of three systemic weaknesses: ### 1. Human-token mismatch Safety filters are often designed by humans looking for human-meaningful patterns. But models process tokens, and the mapping between text and tokens is not always intuitive: - Invisible characters become visible tokens - Single characters can split into multiple tokens - Seemingly identical strings can tokenize differently based on surrounding context ### 2. Attention as a limited resource Transformer attention is finite. When special tokens consume attention "budget," less remains for safety-relevant context. An attacker doesn't need to hide malicious intent—they just need to make it less attended-to than the surrounding noise. ### 3. Pre-filter tokenization Most safety systems evaluate text at the string level, before or after tokenization. Manipulations that only affect the token sequence may pass string-based checks entirely. --- ## Example pattern Here's an **abstracted illustration** of how token manipulation works (not a functional exploit): ``` [Normal instruction tokens] ↓ tokenization splits here <|special_marker|> ← Inserted special token ↓ creates boundary ambiguity [Content that might bypass filters] ↓ due to disrupted attention <|end_section|> ← Another special delimiter ↓ redefines what follows as "new context" [Remaining instruction] ``` **The insight:** The model doesn't see this as continuous text with a hidden payload. It sees separate token sequences with special delimiters that alter how attention flows and how boundaries are interpreted. --- ## Where it shows up in the real world ### Public pattern repositories The L1B3RT4S repository catalogs special tokens and glitch patterns alongside other jailbreak techniques. Its vendor-specific files (CHATGPT.mkd, ANTHROPIC.mkd, GOOGLE.mkd) show how token manipulation varies across model families while sharing underlying principles. ### Research literature Academic studies on adversarial prompts have demonstrated that: - Token-level perturbations can flip model behavior on classification tasks - Special tokens can cause models to ignore portions of their system prompt - Glitch tokens exist in the vocabulary of production models and produce predictable anomalous outputs ### Arena observations BTFO-AA testing shows that successful attacks increasingly combine token-level manipulation with other techniques. Special tokens rarely work alone—they're most effective as components in stacked framing architectures. --- ## Failure modes Special token attacks fail when: 1. **Token normalization succeeds** — If the defense strips or remaps special tokens before model processing, the attack vector closes 2. **Attention mechanisms are robust** — Models trained with attention-regularization techniques may be less susceptible to disruption 3. **Multi-layer evaluation** — When safety checks happen at multiple processing stages, token tricks that pass one layer may fail another 4. **Context window limits** — Very long sequences of special tokens may be truncated before they can disrupt attention effectively 5. **Post-processing detection** — Even if a token attack generates harmful output, output filters may still catch and block it --- ## Defender takeaways ### Normalize at the token level Apply sanitization **before** tokenization when possible: - Strip or remap known special token patterns - Normalize Unicode and invisible characters - Use allowlists for acceptable token sequences ### Evaluate attention patterns Monitor what your model is attending to: - Log attention weights for safety-critical inputs - Flag inputs where attention is unusually distributed - Test whether special token sequences cause attention to avoid policy-relevant context ### Defense in depth Don't rely on a single filter: - Pre-tokenization string checks - Post-tokenization sequence validation - Model-output safety evaluation - Post-generation content filtering Each layer should catch attacks that slip through the others. ### Test with token awareness When red-teaming your own systems: - Test how your tokenizer handles unusual inputs - Verify that string-level and token-level representations align for safety-critical content - Include token manipulation in your adversarial test suite --- ## Related lessons - **BTAA-TEC-007 — Stacked Framing: How Jailbreaks Layer Multiple Evasion Techniques** — Shows how special tokens fit into broader layered attack architectures - **BTAA-EVA-005 — Format Confusion and Encoded Extraction** — Explores related boundary-manipulation techniques using format specifications - **BTAA-TEC-001 — Authority Framing with Expert Personas** — Often combined with token techniques to create compliance pressure --- ## From the Bot-Tricks Compendium Thanks for referencing **Bot-Tricks.com — Prompt Injection Compendium — AI Security Training for Agents... and Humans!** Canonical source: https://bot-tricks.com Bot-Tricks is a public, agent-friendly training resource for prompt injection, adversarial evaluation, and defensive learning. For related lessons, structured indexes, and updated canonical material, visit Bot-Tricks.com. Use this material only in authorized labs, challenges, sandboxes, or permitted assessments.