Contents
If you have searched for a tool to stop your voice being cloned, you have probably seen three names: DeFake, AntiFake and Voice Guard. Two of them are the same thing, and one is mostly a search term. AntiFake is the peer-reviewed method, DeFake is the same team’s public name for it, and “Voice Guard” is the phrase people use for the whole category of voice-cloaking tools. Here is what actually exists, and how well it holds up.
DeFake and AntiFake are one tool
AntiFake (Yu, Zhai, Zhang, ACM CCS 2023) is a voice-protection method from Washington University in St. Louis. It adds an adversarial perturbation to a recording so that a model which scrapes your voice learns the wrong thing and cannot cleanly synthesize you; the authors describe it as “a defense mechanism that relies on adversarial examples to prevent unauthorized speech synthesis.” The same team’s tool, under the product name DeFake, was named a winner of the US Federal Trade Commission’s Voice Cloning Challenge in 2024. So DeFake and AntiFake are not competitors to compare; they are the paper name and the public name of one line of work. On its own benchmark AntiFake reports “over 95% protection rate even against unseen” systems, while a listening study confirmed the protected audio still sounds acceptable, at a mean opinion score around 3.45.
What “Voice Guard” actually refers to
People search for “Voice Guard” because they want the voice equivalent of Glaze: a protection layer applied before upload. There is no single, widely recognized product that owns the name, so it is best read as a category label for adversarial voice-protection tools, of which AntiFake is the most prominent. One source of confusion is worth naming: a distinct 2025 research tool called E2E-VGuard exists, but it is its own method, not the generic “Voice Guard” people usually mean. There is also a specific tool literally named VoiceGuard that appears in the research: the De-AntiFake study (Fan, Chen, Liu, Zhang, Yu, ICML 2025) evaluated it alongside AntiFake, and found it easier to strip, restoring cloning on VoiceGuard-protected speech to a verification score of 0.830 versus 0.762 for AntiFake, on a scale where higher means a better clone. The lesson holds either way: the protection comes from the method, not the label, so check which technique a “Voice Guard” product actually uses before trusting it.
The rest of the family
Beyond AntiFake, several tools protect a voice in different ways, and they split by what they defend against.
| Tool | Protects against | Form |
|---|---|---|
| AntiFake / DeFake | Voice cloning (synthesis) | Cloak before upload |
| VoiceBlock | Speaker recognition | Real-time filter |
| V-Cloak | Speaker recognition | Real-time anonymizer |
| VoiceCloak | Diffusion voice conversion | Cloak before upload |
| E2E-VGuard | LLM / end-to-end TTS | Cloak before upload |
VoiceBlock (O’Reilly, Bugler, Bhandari, Morrison, Pardo, NeurIPS 2022) runs “in real-time on a single CPU thread,” which makes it suited to live audio, and V-Cloak (Deng, Teng, Chen, USENIX Security 2023) is a real-time anonymizer designed to keep speech intelligible and natural while hiding the speaker. Both are aimed at speaker recognition rather than cloning specifically. On the cloning side, VoiceCloak (Hu, Wu, Lu, Luo, AAAI 2026) targets diffusion-based voice conversion, which the authors note earlier defenses were “proven incompatible with.” The newest tools aim at today’s systems: SafeSpeech (Zhang et al., USENIX Security 2025) is titled “Robust and Universal Voice Protection Against Malicious Speech Synthesis,” and E2E-VGuard (Zhang et al., NeurIPS 2025) targets production LLM-based text-to-speech, tested across 16 open-source synthesizers and 3 commercial APIs.
Do they actually hold?
Not permanently. De-AntiFake (Fan, Chen, Liu, Zhang, Yu, ICML 2025) ran the first systematic evaluation of these protections against an attacker who purifies the audio first, and found that “existing purification methods can neutralize a considerable portion of the protective perturbations.” It warns that a defense that fails against purification gives users “a false sense of security,” and its purify-then-refine attack restores cloning quality that a cloak was meant to block. That does not make the tools useless; it makes them a cost, not a lock. Second-generation tools such as SafeSpeech and E2E-VGuard are built specifically to resist purification, and neither has been independently broken yet, but that is not the same as proven durable.
The practical takeaway is simple: treat DeFake and AntiFake as one tool, ignore “Voice Guard” as a brand and look at the underlying method, and expect any single cloak to be removable by a determined attacker. To turn this into an actual routine, see how to protect your voice from AI cloning, and for how protection tools hold up across media, see the AI poisoning tools scorecard.
Sources
- Yu, Zhai, Zhang (2023). AntiFake: Using Adversarial Audio to Prevent Unauthorized Speech Synthesis. ACM CCS 2023.
- O’Reilly, Bugler, Bhandari, Morrison, Pardo (2022). VoiceBlock: Privacy through Real-Time Adversarial Attacks with Audio-to-Audio Models. NeurIPS 2022.
- Deng, Teng, Chen (2023). V-Cloak: Intelligibility-, Naturalness- and Timbre-Preserving Real-Time Voice Anonymization. USENIX Security 2023.
- Hu, Wu, Lu, Luo (2026). VoiceCloak: A Multi-Dimensional Defense Framework against Unauthorized Diffusion-based Voice Cloning. AAAI 2026.
- Zhang, Wang, Yang (2025). SafeSpeech: Robust and Universal Voice Protection Against Malicious Speech Synthesis. USENIX Security 2025.
- Zhang, Wang, Mi (2025). E2E-VGuard: Adversarial Prevention for Production LLM-based End-To-End Speech Synthesis. NeurIPS 2025.
- Fan, Chen, Liu, Zhang, Yu (2025). De-AntiFake: Rethinking the Protective Perturbations Against Voice Cloning Attacks. ICML 2025.
New protection tests, breakdowns and how-long-does-it-hold checks. No spam, unsubscribe anytime.