AI Humanizers: How Undetectable.ai & StealthGPT Work — and Why They Fail

What Are AI Humanizers?

Ever since AI detectors went mainstream, a counter-industry has emerged: tools that promise to rewrite AI-generated text so detectors can no longer identify it. The best-known examples are Undetectable.ai, StealthGPT, WriteHuman, HIX Bypass, Phrasly, and Humbot. Their marketing promise: "Make your AI text 100% human." The reality is more complicated.

This article explains how these tools work technically, which attack vectors they use — and why modern Swiss detectors like AIDetector.ch rarely get fooled for long.

The Core Idea: Paraphrase as Weapon

Nearly all humanizers build on a simple core idea: take an AI text and have a second language model rewrite it. The goal is to alter the statistical properties detectors use to spot AI text — while keeping the content as close to the original as possible.

The attack vectors are:

• Lexical substitution: Swapping common AI words ("moreover" → "also", "consequently" → "so").
• Syntactic reordering: Active to passive, restructured clauses, swapping main and subordinate clauses.
• Sentence-length variation: Breaking uniform sentences into longer and shorter ones to fake burstiness.
• Injecting "human" markers: Typos, informal phrases, personal asides, slang.
• Token-level noise: Minimal character replacements (e.g., Latin "a" swapped for Cyrillic "а") invisible to the eye but disruptive to tokenizers.

Three Generations of Humanizers

Generation 1: Simple Paraphrase Tools

The first wave (2023) was essentially paraphrase APIs that rewrote at the lexical level. Output was often grammatically shaky and semantically imprecise. Detectors had little trouble spotting the paraphrase — because the paraphrase model's own statistical patterns left a signature.

Generation 2: Specialized Fine-Tuned Models

Starting in 2024, tools like StealthGPT and Undetectable.ai deployed custom language models fine-tuned specifically for "humanization." Training included pairs of AI text and human text optimized for semantic overlap with stylistic difference.

This generation was markedly better than the first. It could vary sentence length, replace transition words, and inject informal asides. Against first-generation detectors (GPTZero 1.0, simple perplexity tools) it was often successful.

Generation 3: Multi-Model Pipelines

The current wave combines multiple steps: paraphrase, re-paraphrase, "humanness scoring," back-paraphrase. Some tools add targeted character- or token-level noise on top. Vendors advertise "99.9%" evasion rates against various detectors. Those numbers come from in-house tests against outdated detector versions.

Why Humanizers Still Don't Beat Modern Detectors Permanently

The relationship between humanizers and detectors is an arms race — but one where detectors have structural advantages.

Advantage 1: Detectors Learn From Humanizer Output

Every publicly available humanizer becomes part of modern detector training data within weeks. As soon as Undetectable.ai ships a new pipeline, thousands of sample texts are run through it and added as negative examples to detector training.

The result: a humanizer that promises "99% undetectability" today often loses that rate within weeks — simply because the target models have caught up.

Advantage 2: Multi-Dimensional Signatures

Humanizers typically optimize against a few well-known signals: perplexity, burstiness, lexical diversity. Modern detectors measure far more dimensions, including:

• Deep syntactic patterns (how are clause structures distributed?)
• Discourse coherence (how do sentences hang together semantically?)
• Topological features (what does the text's embedding-space structure look like?)
• Token distribution anomalies (which rarities appear where?)
• Stylistic consistency across long documents

Humanizers can attack individual dimensions but rarely all at once — and every improvement on one axis often creates new anomalies on another.

Advantage 3: Quality Degrades

Every humanizer step is a translation step — and every translation loses information. Humanized text is almost always worse than the original AI text: less precise, stylistically lumpy, sometimes with factual errors. Submitting humanized output often means submitting something not just suspicious but also substantively weaker than necessary.

Advantage 4: Forensic Meta-Signatures

Multiply-rewritten text carries its own signatures that match neither human writing nor "fresh" AI text. Some current detectors explicitly identify these "second-generation" patterns: unusual combinations of high burstiness with uniform word choice that can only arise through paraphrase.

Empirical Test Runs: What Works, What Doesn't

Several independent tests from 2024 and 2025 paint a consistent picture:

• Against outdated detectors (GPTZero default configuration, simple perplexity tools), humanizers often achieve evasion rates of 70–90%.
• Against modern, regularly updated detectors (including AIDetector.ch and Originality.ai), evasion drops to 20–45% — at the cost of noticeable text quality loss.
• On German text, humanizers are generally weaker: most are trained on English and produce grammatically conspicuous German constructions that are easier to catch than the original.
• On specialized text (legal, medical, technical), humanizers fail especially often: technical terminology cannot survive lexical substitution without changing meaning.

The Ethical and Legal Dimension

Regardless of whether humanizers technically work, there's the question of whether their use is ethically and legally defensible. In an educational context the answer is clear:

• Intent to deceive: Anyone humanizing AI text to submit it as their own acts with clear intent to deceive. That's an academic integrity violation independent of detector accuracy.
• Evidentiary burden: Even if a humanizer fools a detector, the text remains identifiable as an AI product — through oral defense, stylistic mismatch with the student's prior work, or internal content contradictions.
• Reputational risk: Being caught using a humanizer often triggers harsher sanctions at many institutions than students who openly declare their AI use.

What Humanizers Cannot Change: Evidence Beyond the Text

Even a perfectly humanized text cannot protect against meta-signals outside the text itself:

• Drafting history: Genuine writers typically have a draft history — in Google Docs, Word with Track Changes, handwritten notes.
• Stylistic mismatch: A text that doesn't match the person's prior work style is suspect — detector or not.
• Oral examination: If you can't explain the content, you deliver the strongest evidence there is — humanizer or not.
• Forensic analysis of submission files: Word or PDF metadata can reveal copy-paste patterns, editing times, and tools used.

Implications for Faculty and Assessment Officers

Three concrete recommendations emerge for teachers, lecturers, and assessment officers:

1. Don't rely on the detector alone — but don't abandon it either. Modern detectors catch humanized text far more often than humanizer vendors admit. The detector remains the most important technical line of defense.
2. Demand process documentation. Drafts, outlines, intermediate versions, working journals. These largely neutralize any advantage humanizers provide.
3. Introduce oral components. Fifteen minutes of conversation about the work will unmask humanized text more reliably than any technical solution.

Looking Forward: Where Is the Arms Race Heading?

Three trends shape what's coming:

• Model-side watermarking: OpenAI, Google, and Anthropic are experimenting with statistical watermarking that remains detectable despite humanizers. First publicly available implementations are expected through 2026.
• Provenance tracking: Documents will increasingly be verifiable through cryptographic signatures and metadata chains. That moves the fight from the text itself to the document context.
• Personalized baselines: Detectors will increasingly learn an individual's writing profile from prior work — and flag any stylistic deviation.

Conclusion: Humanizers Are Not a Free Pass

AI humanizers are a real technology. They achieve impressive evasion rates against outdated detectors and are marketed as "100% undetectable." The reality is more sobering: against modern, data-protection-compliant detectors like AIDetector.ch that are retrained regularly with new humanizer output, success rates often collapse.

More importantly, there's the ethical and structural finding: even when a humanizer fools the detector, the work remains forensically and pedagogically vulnerable. The combination of process documentation, oral defense, and reliable technical detection turns "undetectable" into a marketing slogan — not a practical reality.

Sources

• Sadasivan, V.S. et al., "Can AI-Generated Text be Reliably Detected?", arXiv:2303.11156, 2023.
• Krishna, K. et al., "Paraphrasing Evades Detectors of AI-generated Text," NeurIPS, 2023.
• Dugan, L. et al., "RAID: A Shared Benchmark for Robust Evaluation of Machine-Generated Text Detectors," ACL, 2024.
• Kirchenbauer, J. et al., "A Watermark for Large Language Models," ICML, 2023.
• Mitchell, E. et al., "DetectGPT," ICML, 2023.