Cybercriminals Leveraging CAPTCHA-Breaking Services with Human Solvers to Bypass Security Measures

Reading Time: ( Word Count: )

May 30, 2023

Cybersecurity experts warn about the availability of CAPTCHA-breaking services that bypass security systems designed to differentiate between legitimate users and bot traffic.

As per a recent report by Trend Micro shows a growing demand for services specifically created to break CAPTCHAs, as cybercriminals are actively seeking ways to overcome these security measures accurately.

These CAPTCHA-solving services do not rely on optical character recognition or advanced machine-learning techniques. Instead, they employ real human solvers to crack the CAPTCHAs on their behalf.

CAPTCHA, abbreviated for Completely Automated Public Turing Test to Tell Computers and Humans Apart, is a tool to distinguish between real human users and automated bots. Its purpose is to combat spam and prevent the creation of fake accounts. While CAPTCHAs can sometimes inconvenience users, they effectively counter web traffic from bots.

Illicit CAPTCHA-solving services function by receiving customer requests and outsourcing the task of solving CAPTCHAs to human solvers. These solvers work out the solution and return the results to the users.

Also, Read: “Unveiling the Mastermind: ‘Jack’ from Romania, Behind the Golden Chickens Malware”


This process involves calling an API to submit the CAPTCHA and utilizing another API to retrieve the results. By employing actual humans to solve CAPTCHAs, filtering out automated bot traffic through these tests becomes ineffective, allowing the customers of CAPTCHA-breaking services to develop automated tools to exploit online web services.

Moreover, threat actors have been observed purchasing CAPTCHA-breaking services and combining them with proxyware offerings. This combination allows them to conceal their original IP addresses and evade anti-bot barriers.

Proxyware, marketed as a tool to share unused internet bandwidth for a passive income, transforms the devices using it into residential proxies.

In one instance, a CAPTCHA-breaking service targeted the popular social commerce marketplace Poshmark. The requests originating from a bot were routed through a proxyware network.

“CAPTCHAs are commonly used tools to prevent spam and bot abuse, but the increasing use of CAPTCHA-breaking services has significantly diminished their effectiveness,” explained security researcher Joey Costoya. “While online web services can block abusive IP addresses, the rise in proxyware adoption renders this method as ineffective as CAPTCHAs.”

To mitigate these risks, online web services are advised to supplement CAPTCHAs and IP blocklisting with additional anti-abuse measures.




Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

GitHub Embraces Device-Linked Passkeys for a More Secure User Experience.

GitHub Embraces Device-Linked Passkeys for a More Secure User Experience.

GitHub has today announced the widespread availability of passkeys across its platform, offering an enhanced ...
Internet Security vs. Antivirus

Internet Security vs. Antivirus

The software programs "Antivirus" and "Internet Security" safeguard the user system from malicious programs by ...
Wi-Fi Security Key vs. Password: Unraveling the Difference

Wi-Fi Security Key vs. Password: Unraveling the Difference

In the digital age, where connectivity is king, securing our Wi-Fi networks is paramount. When it comes to ...
Instagram Security Code Not Working

Instagram Security Code Not Working

In the realm of social media, Instagram stands as one of the most popular platforms for sharing moments, ...

Submit a Comment

Your email address will not be published. Required fields are marked *