Current large language model–based content moderation systems overlook visual cues that humans rely on, resulting in a significant discrepancy between model-based detection and human perception of harmful content. This work proposes Human-Perceivable Adversarial Attacks (HPAA), which embed harmful messages into otherwise benign text by manipulating typographic features—such as spacing, emphasis, and layout—in ways that remain readily perceptible to humans yet evade detection by moderation models. The method requires neither access to the target model nor gradient information, generating effective adversarial examples with only a few queries and demonstrating broad applicability across both commercial and open-source moderation systems. Experiments show that, with an average of three queries, over 86% of generated attacks are correctly identified by human readers, while ten state-of-the-art moderation systems collectively detect fewer than 1% of such instances, thereby exposing and exploiting the perceptual gap between human and machine text interpretation.

Large language model (LLM)-powered content moderation systems have become a critical defense against harmful online content. However, these systems primarily operate on tokenized text and largely ignore the visual cues that humans naturally rely on when interpreting content. We show that this discrepancy creates a fundamental perceptual mismatch: content that is readily recognized as harmful by humans can become effectively invisible to automated moderation systems. To study this vulnerability, we introduce a class of Human-Perceptible Adversarial Attacks (HPAA), in which harmful expressions are embedded into otherwise benign text through visually salient typographic manipulations. Our key insight is that typographic features, including spacing, visual emphasis, and spatial arrangement, can be strategically combined to preserve human recognition of harmful content while substantially reducing machine detectability. Operating in black-box settings with only a small query budget, our attack automatically generates evasive content without requiring model access or gradient information. We evaluate the attack across multiple datasets and ten deployed moderation systems, including commercial APIs and state-of-the-art open-source guardrails. Results reveal a striking gap between human and machine perception: with only three detector queries, generated attacks achieve over 86\% human recognition while maintaining detection rates below 1\% across the evaluated systems. We further conduct ablation studies to identify the typographic factors driving successful evasion, analyze why current moderation architectures fail to capture these signals, and discuss practical defenses. Our findings expose a fundamental blind spot in today's LLM-based moderation ecosystem and highlight need for moderation systems that reason about content in a manner more consistent with human perceptual understanding.