
Can pixelation be reversed? What depixelation tools actually recover

Short answer: sometimes, and the cases where it works are exactly the ones people use pixelation for. Classic pixelation makes each block the average of the pixels it covers, and for text in a screenshot those averages can be brute-forced back out. AI unblurring is a different trick: it invents plausible detail rather than recovering real detail, which is bad news for faces and overconfident headlines alike. And pixelation applied as an editor layer can simply be switched off. This guide walks through each attack, what it genuinely gets back, and the one form of pixelation that has nothing to give.

Every method, and what an attacker gets back

"Reversed" hides a lot of different outcomes, from reading the exact text to generating a lookalike face. Here is the honest version for each way people hide things in images.

| Method | What an attacker recovers | Verdict |
| --- | --- | --- |
| Light blur | Short, predictable text such as codes and passwords, because the detail is still mathematically present. | Not safe |
| Heavy blur | Rarely the exact content, but AI can fill the area with a convincing invention, and a face can stay recognizable longer than you expect. | Risky |
| Classic pixelation | Screenshot text, by rendering candidates in the same font, pixelating them the same way and matching the block averages. | Not safe for text |
| Pixelation as a layer | Everything, if the file format or editor keeps the effect as an adjustable layer that can be turned off. | Not safe |
| Random-sample mosaic | Only the rough color mix of the region. The blocks are not computed from the hidden pixels, so there is nothing to match. | Safe |
| Crop | Nothing, when the pixels are genuinely removed from the saved file and the detail sat fully inside the cropped area. | Safe, at the edges |

How depixelation actually works

The attack on classic pixelation is not magic enhancement; it is a guessing game played at scale. Ordinary pixelation carves the region into a grid and fills each cell with the average of the pixels it covered. An average is a summary, and a summary carries information. Two different characters sitting under the same block produce two slightly different averages, and that difference is the leak.

A depixelation tool exploits it by working forwards instead of backwards. It does not try to sharpen the blocks. It renders candidate text in the same font and size, pixelates each candidate with the same grid, and compares the resulting averages against the blocks in your image. When a candidate's mosaic matches yours, it has found your text. No reconstruction ever happens; the tool just keeps guessing until the math agrees.

This is why "it looks unreadable to me" is the wrong test. The attacker is not reading the blocks. They are checking which of a few thousand possibilities produces those exact blocks, and a computer gets through a few thousand possibilities before you have finished zooming in.

Why screenshots are the easiest possible target

Guess-and-compare only works when the attacker can reproduce your image exactly, and a screenshot hands them everything they need. A photo of a document has lighting, angle, lens softness and paper texture, all of which add noise that makes candidate-matching unreliable. A screenshot has none of that. The text is rendered by the same operating system in a known font at a known size on a pixel-perfect grid. The attacker's candidate renders are not approximations of your image; they are clones of it.

It gets easier still when the hidden text has structure. A six-digit code has a million possibilities. An API key has a known prefix and character set. An account number has a fixed length. The search space is small, the rendering is exact, and the averages do the rest, which is precisely why the things people pixelate most, keys, codes and account numbers in screenshots, are the things the attack handles best.

What "AI unblurring" really does

The other thing people mean by "reversed" is the AI enhancer that turns a pixelated face into a sharp one. It is worth being precise about what those models do, because the headline and the reality point in opposite directions. The model has seen millions of faces and learns what kind of sharp image plausibly downgrades into your blocks. Then it generates one. The output is not the hidden face; it is an invention that is consistent with the blocks, and famously, the invented face is often a different person entirely.

That sounds like good news, and for exact recovery it is: AI cannot conjure information the blocks do not contain. But it is not a reason to relax, for two reasons. First, a gently pixelated or blurred face keeps enough structure that the person can stay recognizable to people who know them, no AI required. Second, "a plausible reconstruction" can still do damage even when it is wrong, because viewers believe sharp images. If the point of the redaction is that a person must not be identifiable, the practical guidance in covering faces in screenshots on a Mac is to use coarse, irreversible blocks and leave nothing for either humans or models to work with.

Blur is the weakest of the lot

If pixelation is a summary, blur is a shuffle. A blur averages each pixel with its neighbors, which smears the detail around without removing it. The original information is still mathematically present in the image, just rearranged, and software that models the blur can rearrange a lot of it back. Short, predictable text is the easiest case: verification codes recovered from gently blurred screenshots are a recurring party trick for exactly this reason.

The full comparison between the two, including when each is the right call, lives in the guide to blurring and pixelating sensitive data in screenshots. For this article the takeaway is simple: a casual blur should never be the thing standing between a secret and the internet.

The mosaic with nothing to give back

Every attack above works because the redaction is derived from the thing it hides. Averaged blocks summarize the hidden pixels, a blur rearranges them, an effect layer sits on top of them. Break that link and the attacks have nothing to hold on to.

That is how ScrubShot's Scrub tool works. The scrubbed region is carved into blocks the usual way, but each block's color comes from a handful of samples taken at random from anywhere in the region, not from an average of the pixels it covers. The block layout has no relationship to the content underneath. Render-and-compare fails because there are no averages to compare against; a candidate that happens to match once will not match the next image, since scrubbing the same spot twice produces a different mosaic each time. The only thing the result reveals is the rough color mix of the area, roughly "there was dark text on a light background here," and nothing about which text.

Just as important, the blocks are rewritten into the actual pixels of the saved file. There is no effect layer to switch off and no original hiding underneath, the same property that makes a real crop safe, as covered in redaction versus cropping. A redaction has to clear both bars, irreversible in the file and underived from the content, and most casual methods quietly fail at least one.
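
The render-and-compare check from "How depixelation actually works", run against both an averaged mosaic and a random-sample mosaic, as an added example that is not ScrubShot's code. The 3x5 digit font is constructed and stands in for real font rendering; the function names, the 2-pixel block size and the three samples per cell are assumptions.

```python
import itertools
import random

# Constructed 3x5 bitmap font for digits (1 = dark pixel), row by row.
FONT = {
    "0": "111101101101111", "1": "010110010010111", "2": "111001111100111",
    "3": "111001111001111", "4": "101101111001001", "5": "111100111001111",
    "6": "111100111101111", "7": "111001001001001", "8": "111101111101111",
    "9": "111101111001111",
}
BLOCK = 2  # mosaic cell size in pixels (assumed)

def render(code):
    """Render digits into a 6-row image: one blank row on top, 4 columns per glyph."""
    rows = [[0] * (4 * len(code)) for _ in range(6)]
    for i, ch in enumerate(code):
        for p, bit in enumerate(FONT[ch]):
            rows[1 + p // 3][4 * i + p % 3] = int(bit)
    return rows

def cells(img):
    """Yield the pixels of each BLOCK x BLOCK cell, left to right, top to bottom."""
    for y in range(0, len(img), BLOCK):
        for x in range(0, len(img[0]), BLOCK):
            yield [img[y + dy][x + dx] for dy in range(BLOCK) for dx in range(BLOCK)]

def average_mosaic(img):
    """Classic pixelation: every cell is the mean of the pixels it covers."""
    return [sum(c) / len(c) for c in cells(img)]

def random_sample_mosaic(img, rng):
    """Every cell is the mean of 3 pixels drawn at random from the whole region."""
    flat = [p for row in img for p in row]
    return [sum(rng.choices(flat, k=3)) / 3 for _ in cells(img)]

def candidates_matching(observed, length):
    """Leak check: list every candidate code whose averaged mosaic equals `observed`."""
    space = ("".join(t) for t in itertools.product("0123456789", repeat=length))
    return [c for c in space if average_mosaic(render(c)) == observed]

if __name__ == "__main__":
    secret = "4271"  # constructed sample value
    # Averaged blocks are a function of the content, so one candidate fits.
    print(candidates_matching(average_mosaic(render(secret)), 4))
    # Random-sample blocks change on every run and fit no candidate's averages.
    rng = random.Random(7)
    a, b = (random_sample_mosaic(render(secret), rng) for _ in range(2))
    print(a == b, candidates_matching(a, 4))
```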

Making the whole question moot

You do not have to hold this threat model in your head every time you share an image. You just need the safe redaction to be the convenient one. With ScrubShot the loop is: press the shortcut to capture the screen, drag the Scrub tool over anything sensitive to write the random mosaic straight into the image, then copy or save and share the cleaned version. Nothing is uploaded to be processed, which matters more than it sounds, because a redaction service that needs your unredacted original has already received the secret, a trade unpacked in what happens when you redact a screenshot online. The wider picture of choosing between crop, box, blur and mosaic is in the main guide to redacting screenshots on a Mac.

About this guide

I make ScrubShot, and the depixelation attack described here is the reason its Scrub tool fills blocks from random samples instead of averages, so I am writing about a problem I have had to engineer against rather than one I read about. I have tried to keep the claims conservative in both directions: classic pixelation of screenshot text is genuinely attackable and you should treat it that way, and AI enhancement is genuinely incapable of exact recovery, whatever the demo videos imply. Where a method is fine, like a real crop or a properly flattened opaque box, I say so.

FAQ

Can AI recover a face from a pixelated photo?
It can generate a face that fits the blocks, which is not the same as recovering the person. The tools that "enhance" a pixelated face are filling the gap with a plausible invention, and the result routinely looks like a different human being. That said, a lightly pixelated face still carries enough structure to be risky, so when the point is that someone must not be identifiable, use coarse blocks written into the image rather than a gentle effect.

Are bigger pixel blocks safer?
Bigger blocks discard more detail, so yes, up to a point. But if each block is still the average of the pixels it covers, screenshot text can still be brute-forced by rendering candidates and matching those averages, just with less certainty. Block size treats the symptom. The fix is blocks whose colors are not computed from the hidden pixels at all, because then there is nothing to match at any size.

Is a blurred password or verification code recoverable?
Treat it as recoverable, yes. Short, predictable text is the easiest case for unblurring, because the attacker knows the character set, the length and usually the exact font, and a light blur leaves the original detail mathematically present in the image. If a code or password has appeared under a casual blur in something you shared, the safe response is to change it.

Why does ScrubShot scrub the same area differently each time?
Because the blocks are random. Each block in a scrubbed region is filled from color samples taken at random from anywhere in that region, so running the Scrub tool over the same spot twice produces two different mosaics. That is the design working, not a glitch: if the pattern were derived from the pixels underneath, it would carry information about them, and the whole point is that it carries none.

Try it

ScrubShot is a Mac app built around exactly this: press the shortcut, drag over the sensitive parts, and they are rewritten as a random mosaic that depixelation tools cannot work back from. The cleaned screenshot is the only version that ever leaves your Mac. There is a free 7-day trial with no card required. After that it is $30 once.
