Visual Token Arbitrage: rendering text to images for a 62% Claude API discount (and why it's a terrible idea)
Converting text to images exploits dimension-based API billing for steep discounts, but fuzzy vision encoders silently hallucinate and corrupt precise data.
By Felix Hart
Sparked by 60% Fable cost cut by converting code to images and having the model OCR it · discussion

I was reading through a Hacker News thread discussing multimodal pricing loopholes this weekend, and it highlighted a fundamental absurdity in how AI vendors charge for compute. The industry standard right now is to bill multimodal requests based on raw image dimensions, ignoring actual information entropy. When sending an image to a modern API, your bill reflects the sheer physical dimensions of the canvas, entirely disregarding the underlying complexity of the pixels. This creates a strange economic gravity, one that developers are inevitably beginning to exploit.
The discussion heavily featured projects like the pxpipe GitHub repository, which exist to weaponize this billing disconnect. The premise is entirely mechanical. By taking massive text files and rendering them into densely packed PNGs before sending them to the API, developers are bypassing standard text token costs. I propose we call this exploit Visual Token Arbitrage. It is the specific act of exploiting the economic gap between raw text pricing and optical resolution billing tiers.
I like to think of these multimodal vision features as a massive collection of fragile heuristics glued to a fuzzy OCR scanner, entirely devoid of advanced cognitive reasoning. The vendor takes your image, chops it into a grid of squares, assigns a fixed token cost to each square, and feeds that visual representation into the exact same dense matrix of weights that handles regular text.
To see exactly how this arbitrage manifests over the wire, imagine writing a short Python script to trick the API. If someone takes a 5,000-word text document and crams it into a single 1024x1024 image using the Pillow library, they could fire it directly at Claude 3 Haiku and watch the billing illusion collapse entirely.
Here is the theoretical setup. First, pipe a giant text file into a Python processing script:
cat massive_document.txt | python text_to_vision_arbitrage.py
And here is a hypothetical 40-line Python script implementing the trick:
import sys, os, io
import httpx
import base64
from PIL import Image, ImageDraw, ImageFont
def text_to_image(text, size=(1024, 1024)):
# Create a blank white canvas
img = Image.new('RGB', size, color='white')
draw = ImageDraw.Draw(img)
font = ImageFont.load_default()
# Rough text wrapping logic to cram it all in
margin = 10
offset = margin
for line in text.split('\n'):
draw.text((margin, offset), line, font=font, fill='black')
offset += 12 # Tiny line height to maximize density!
# Convert to base64
buffered = io.BytesIO()
img.save(buffered, format="PNG")
return base64.b64encode(buffered.getvalue()).decode('utf-8')
if __name__ == "__main__":
raw_text = sys.stdin.read()
b64_image = text_to_image(raw_text)
# Fire it at the Anthropic API
headers = {
"x-api-key": os.environ.get("ANTHROPIC_API_KEY"),
"anthropic-version": "2023-06-01",
"content-type": "application/json"
}
payload = {
"model": "claude-3-haiku-20240307",
"max_tokens": 50,
"messages": [{
"role": "user",
"content": [
{"type": "image", "source": {"type": "base64", "media_type": "image/png", "data": b64_image}},
{"type": "text", "text": "Extract and summarize the core themes."}
]
}]
}
response = httpx.post("https://api.anthropic.com/v1/messages", headers=headers, json=payload)
print(response.json().get("usage"))
When this exploit is executed, the API predictably yields a JSON block looking something like this:
{
"input_tokens": 1600,
"output_tokens": 15
}
Sending those 5,000 words as raw text would typically incur an input cost of roughly 6,500 standard tokens. Formatting that exact same text as a standard-resolution image drops the billed footprint to a hard ceiling of exactly 1,600 vision tokens. Depending on the exact vendor pricing tiers, that frequently maths out to a 62% API discount for the exact same semantic payload!
The loophole exists solely because the billing model is completely detached from information density. A sprawling, high-entropy block of heavily compressed 8-point font costs the exact same to process as a blank white square of identical pixel dimensions. Language models lack the precision of relational databases, and forcing them to read microscopic text renders through their vision encoders introduces a catastrophic threat into your architecture.
This is where the arbitrage graduates from a clever hack into a dangerous anti-pattern. Processing standard prose—a news article or corporate PR slop—means the model will mostly succeed. The vision encoder acts as a fuzzy scanner, and the underlying language model uses semantic context to smooth over any blurry pixels. It sees a blurry rendering of The q**ck br*wn f*x and correctly assumes the missing vowels based on statistical probability.
Feeding the exploit a dense, low-context string causes the illusion to collapse instantly. When developers attempt to process cryptographic hex strings and UUIDs through this method, the error logs reported in the thread are deeply alarming. Forced to read an isolated string like a database key or a raw SHA-256 hash, the vision layer routinely and silently hallucinates. Observers watched Claude seamlessly swap an 8 for a B in a hex string without throwing a single error or warning flag.
Since the visual encoder slices the image into discrete patches to map those pixel clusters to known embeddings, the model bypasses traditional letter-by-letter reading entirely. When the font size is heavily compressed to maximize the economic arbitrage, those pixel patches become deeply ambiguous. A traditional OCR tool would simply throw a low-confidence warning or a fatal error. Language models lack that structural humility. They confidently output the wrong cryptographic key, polluting your database and masking potential data exfiltration events in the noise of their own unchecked hallucinations.
If you strip away surrounding semantic context, visual models will confabulate distinct characters driven entirely by visual vibes. The model encounters a cluster of dark pixels, guesses it looks vaguely like a B—and injects that poison directly into the downstream workflow.
The LLM vendors are abstracting away their compute costs using deeply flawed proxies like image dimensions. We can absolutely exploit that for cheap API calls—but if you use this chainsaw to process precise, low-context data, you are actively inviting silent data corruption into your pipelines. Do the math, but don't trust the OCR.