Cybercriminals Leveraging CAPTCHA-Breaking Services with Human Solvers to Bypass Security Measures

Reading Time: ( Word Count: )

May 30, 2023

Cybersecurity experts warn about the availability of CAPTCHA-breaking services that bypass security systems designed to differentiate between legitimate users and bot traffic.

As per a recent report by Trend Micro shows a growing demand for services specifically created to break CAPTCHAs, as cybercriminals are actively seeking ways to overcome these security measures accurately.

These CAPTCHA-solving services do not rely on optical character recognition or advanced machine-learning techniques. Instead, they employ real human solvers to crack the CAPTCHAs on their behalf.

CAPTCHA, abbreviated for Completely Automated Public Turing Test to Tell Computers and Humans Apart, is a tool to distinguish between real human users and automated bots. Its purpose is to combat spam and prevent the creation of fake accounts. While CAPTCHAs can sometimes inconvenience users, they effectively counter web traffic from bots.

Illicit CAPTCHA-solving services function by receiving customer requests and outsourcing the task of solving CAPTCHAs to human solvers. These solvers work out the solution and return the results to the users.

Also, Read: “Unveiling the Mastermind: ‘Jack’ from Romania, Behind the Golden Chickens Malware”


This process involves calling an API to submit the CAPTCHA and utilizing another API to retrieve the results. By employing actual humans to solve CAPTCHAs, filtering out automated bot traffic through these tests becomes ineffective, allowing the customers of CAPTCHA-breaking services to develop automated tools to exploit online web services.

Moreover, threat actors have been observed purchasing CAPTCHA-breaking services and combining them with proxyware offerings. This combination allows them to conceal their original IP addresses and evade anti-bot barriers.

Proxyware, marketed as a tool to share unused internet bandwidth for a passive income, transforms the devices using it into residential proxies.

In one instance, a CAPTCHA-breaking service targeted the popular social commerce marketplace Poshmark. The requests originating from a bot were routed through a proxyware network.

“CAPTCHAs are commonly used tools to prevent spam and bot abuse, but the increasing use of CAPTCHA-breaking services has significantly diminished their effectiveness,” explained security researcher Joey Costoya. “While online web services can block abusive IP addresses, the rise in proxyware adoption renders this method as ineffective as CAPTCHAs.”

To mitigate these risks, online web services are advised to supplement CAPTCHAs and IP blocklisting with additional anti-abuse measures.

Saher Mahmood

Saher Mahmood


Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.

Other interesting articles

Automated vs Manual Penetration Testing

Automated vs Manual Penetration Testing

Pentesting is largely divided into two methodologies: Automated vs Manual Penetration Testing. Both have ...
8 Steps in Penetration Testing You Should Know

8 Steps in Penetration Testing You Should Know

Mastering the art of penetration testing has become a critical ability for security experts to combat cyber ...
Spear Phishing vs Whaling: What is the Difference

Spear Phishing vs Whaling: What is the Difference

Spear phishing is a particularly devious type of phishing assault in which the individual targeted plays a ...
How Often Should Penetration Testing Be Done

How Often Should Penetration Testing Be Done

Penetration testing is a crucial technique that involves simulating a cyberattack on networks, computer systems, ...

Submit a Comment

Your email address will not be published. Required fields are marked *