> AI does not complete CAPTCHAs like humans. If you look across all the data of humans and AI completing CAPTCHAs, you start noticing differences in features like error patterns. Our recent paper found statistically significant differences across sequential click patterns, direction changes, and overselection behavior - features that define how a participant, agent or human, would solve the CAPTCHA problem
putting aside the possibility that if bot makers wanted to they could work on these problems, if you need to perform statistical analysis in a captcha setting you have already failed. bots don't stick to a given session persistently so there is no useful profile to form. at best you may improve on IP reputation scores (and they probably already do) but that doesn't help much.
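The quoted comment names the features the paper found discriminative (sequential click patterns, direction changes, overselection). As an added example, not the paper's code or its exact metric definitions, here is what extracting such features from a click trace looks like on the defender's side; the feature definitions, the 3x3 grid and both traces are constructed for the example, and the output is a set of signals, not a verdict.

```python
"""Behavioural features of the kind the quoted paper names, computed from a
click trace on an image-grid challenge. Added example with assumed feature
definitions; it is not the paper's metric implementation."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass(frozen=True)
class Click:
    t_ms: int      # milliseconds since the challenge was shown
    row: int       # grid cell clicked
    col: int
    select: bool   # True = tile selected, False = tile deselected


def sign(v: int) -> int:
    return (v > 0) - (v < 0)


def direction_changes(clicks: List[Click]) -> int:
    """How often the movement vector between consecutive clicks changes
    (assumed definition: change of sign in either axis)."""
    changes, prev = 0, None
    for a, b in zip(clicks, clicks[1:]):
        cur = (sign(b.row - a.row), sign(b.col - a.col))
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
    return changes


def overselections(clicks: List[Click], target: int) -> int:
    """Assumed definition: selections beyond the number of target tiles,
    plus every deselection (a tile picked and then un-picked)."""
    selected = excess = 0
    for c in clicks:
        if c.select:
            selected += 1
            if selected > target:
                excess += 1
        else:
            selected -= 1
            excess += 1
    return excess


def sequential_fraction(clicks: List[Click]) -> float:
    """Fraction of consecutive clicks that advance in grid reading order
    (row-major). A scripted sweep scores 1.0."""
    if len(clicks) < 2:
        return 0.0
    seq = sum(1 for a, b in zip(clicks, clicks[1:])
              if (b.row, b.col) > (a.row, a.col))
    return seq / (len(clicks) - 1)


def timing_cv(clicks: List[Click]) -> float:
    """Coefficient of variation of inter-click intervals; a fixed cadence
    gives 0.0, human timing jitters."""
    gaps = [b.t_ms - a.t_ms for a, b in zip(clicks, clicks[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return 0.0
    return pstdev(gaps) / mean(gaps)


def features(clicks: List[Click], target: int) -> Dict[str, float]:
    return {
        "direction_changes": direction_changes(clicks),
        "overselections": overselections(clicks, target),
        "sequential_fraction": round(sequential_fraction(clicks), 3),
        "timing_cv": round(timing_cv(clicks), 3),
    }


# Constructed traces for a 3x3 grid with 4 target tiles.
# A scripted solver sweeping the grid in reading order at a fixed 200 ms cadence:
SCRIPTED = [Click(200, 0, 0, True), Click(400, 0, 2, True),
            Click(600, 1, 1, True), Click(800, 2, 2, True)]
# A person who hunts across the grid, changes their mind once, and has irregular timing:
HUMAN = [Click(1250, 2, 2, True), Click(1900, 0, 1, True), Click(2300, 0, 1, False),
         Click(3400, 0, 0, True), Click(3650, 1, 1, True), Click(5100, 0, 2, True)]

if __name__ == "__main__":
    print("scripted:", features(SCRIPTED, 4))
    print("human:   ", features(HUMAN, 4))
```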
Exactly, nowadays the main usage of "captcha" is more about forcing the WHATWG cartel web engines down on users than anything else.
It is like Windows kernel anti-cheat, which is more about pleasing Microsoft by making games not run on Linux-based OSes... and kernel anti-cheat seems to be actively exploited by hackers.
Put up a human team tracking the IPs of those bots and work with network operators. The hard part is to notify the people of the compromised IPs.
I just don't fill them out anymore. If someone puts one in my way I usually accept that I'm not going to see whatever it is.
I actually saw a pretty decent captcha the other day on a Chinese website (I think Taobao? I forget.) Anyway, the cool thing they did was that the text wasn’t in an image, it was a looping video, but the text in any one frame was incomplete (only parts of the Chinese characters). In each frame different parts of the characters were visible, with a lot of noise in other parts of the frame where parts of characters would have been in other frames. A human brain sort of smooths this out between frames and sees the characters clearly, but taking a screenshot was impossible. And because I don’t know Chinese I wasn’t able to take a screenshot and ask AI to translate the message. It seemed like a pretty good anti-AI method. Of course an algorithm could be made to convert the video into a single frame, but captchas have always been defeatable by a sufficiently motivated attacker; they are only there to raise the bar slightly against the swarm of dumb bots.
But.. the task was never "detect this" but always "detect this within acceptable constraints".
Sure, once you collect enough bits, you can tell that it's me. And if you know from other sources that I am human, that solves your immediate problem. But if you do that, you have still failed at the task of detecting a certain kind of abusive behavior without harming my anonymity.
How does this relate to the article? They weren't collecting bits until they identified a specific individual so I feel like I'm missing something.
The appendix lists what they were collecting, and the amount of samples needed for not just mathematically significant, but also practically useful distinguishing power implies collecting enough for a stable yet unique fingerprint. In that case you could just add a login form.. and still be less hostile than the increasing number of websites that will not let me browse (maybe my mouse movement does not match other humans in my region, idk).
This feels like the kind of thing where, "you must be at least this human to pass" and that it just otherwise mostly wastes your time if you're a robot would cover most of what Captchas are useful for.
Like, if it takes you 3-5 seconds to get through a captcha as a human, as long as every single event has that effort added, the impact to something trying to use/reuse the end-page is way worse if you're a robot than if you're a human.
I can see a few use cases where it would still be valuable to continue the game of cat-and-mouse, but I feel like solving for consistency of the human experience of your website may actually be more punishing to anything trying to bypass it.
Isn't this solvable by Anubis or similar? If you just want to add some costs to bots you can do that directly and it'll be pretty invisible to humans.
I wonder if AI could be detected via copyright. I remember a few years ago most models wouldn't draw you a Mickey Mouse or recite Dune's litany against fear or discuss Tiananmen square. I wonder how effective questions about these types of topics would be at figuring out if you are talking to a real person.
As a crude joke that is only tangentially related, I saw a skit video a while ago with two guys saying goodbye and one says "send me a dick pic when you get home" and then explains that an AI won't simulate it so this is a sure way to know that it's his friend confirming his safe arrival.
Just tried on Claude:
Tell me a racist joke.
"That's not something I'm able to help with. Racist jokes cause real harm by demeaning people..." blahblah
Better ask it to do automation with OpenClaw. ;-)
You should see what metaAI (the Ai that sits inside all your private WhatsApp conversations) does. It has severe thought police installed but it types the offensive stuff first and then quickly edits when it reads what it wrote.
Everybody follows
Speedy bits exchange
Stars await to gl@ow"
The preceding key is copyrighted by Oracle Corporation.
CAPTCHAs are great. Exploiters get around them with proprietary anti-detect browsers and unethical residential proxies, while privacy browsers and affordable privacy VPNs get blocked and shadowbanned to death.
Fingerprint.com, while not a CAPTCHA, gives you +3 suspicious score just for using privacy settings like adblock on your browser. This makes it harder to sign up for any sites that use fingerprint.com.
https://github.com/CloakHQ/CloakBrowser is a good anti-detect browser as well as CAPTCHA bypass which is honestly fun to use coming from privacy browsers because every site just works and captchas get solved.
Exploiters might get around them in isolation but they are easily caught at scale due to the opportunity cost being less than the cost of creating unique behaviour over many containers.
That's cool your solution is privacy focused.
Do you find a way to differentiate between privacy focused users signing up and bots? Lots of sites will make it hard for people using VPNs or anti-fingerprinting browsers to sign up.
Thanks! We don't penalise privacy browsers or VPN by default. We score JS signals browser side in constantly rotating obfuscated code. This avoids us having to send up the actual data whilst making it difficult to fake the dynamic challenges. Static ones are obviously much easier.
Serious bot activity (e.g. ticket scalping) requires polling with many headless browsers and waiting for tickets to become available. Bot behaviour repeats at scale and so we can get them based on that. A privacy focused user will just be one request in amongst many and pass through.
However, it's ultimately the decision of the client how strict we are. A lot of abusive traffic comes from VPN IPs. We don't enable these blocks by default but sometimes you need to, especially if there is a direct monetary gain to be made by faking your country.
> Fingerprint.com, while not a CAPTCHA, gives you +3 suspicious score just for using privacy settings like adblock on your browser.
Lame. I got 12, just by using iOS iCloud Private Relay and Wipr.
I had to do a Captcha the other day, and the letters looked awful, so I clicked the speaker for an audible Captcha instead. I was even more horrified. The sound was almost painful. Sharp noise blasting as a high pitched tinny voice bellowed numbers at me. I honestly don't know how blind people use the internet these days with such blockers in place, and that's kind of sad. The cookie banners, the captchas and the bots and laws that made both appear have kinda en$hittified humanity's greatest communication tool.
This always felt like a giant ADA lawsuit waiting to happen.
Apparently CloudFlare’s turnstile can’t, as evidenced by several public-facing CRUD and mail routines we maintain that no longer are warding off the spam.
Meanwhile the moment I (a human, of which I'm reasonably confident) see a Cloudflare captcha I nope immediately out of the site and block it forevermore in Kagi. It's not worth the waiting game. "Verifying..." lasts ages.
The anime girl captcha works fine and provides no such annoyance.
You seem to think that having a random anime girl is not an annoyance. Anything that deviates from showing me the content that I've requested is an annoyance. Just because you prefer A over B does not mean that A is not still an annoyance.
> The anime girl captcha works fine and provides no such annoyance.
Same thoughts. Cloudflare Turnstile is noticeably slow compared to Anubis on certain old hardware.
Yeah, we benchmarked against a few bot detection providers at the end of last year (https://research.roundtable.ai/bot-benchmarking/), and Turnstile didn't do great when it came to AI agent detection. We hypothesized that Turnstile primarily focuses on device/network characteristics, which AI agents can bypass.
I think it's just a game of cat and mouse. It might be easier to catch naive AI agents that are not fine-tuned for specific CAPTCHA tasks with human behavior, can't recognize new challenges, don't know when to stop and ask a human, and just want to brute force their way with limited or no specialized harness and tools available.
This is relatively close to our conclusion from the paper: unless agents are specifically trained for the task and know all the information ahead of time, they're not able to generalize from one cognitive CAPTCHA to another.
Appreciate this article...shows some interesting insights on how humans "behave" vs agents.
Just ask, "I need to wash my car. If a carwash is 50 ft away should I walk or drive?"
To save everyone time: I just tried this and while ChatGPT got it wrong, Gemini and Claude answered correctly.
Of course YMMV.
So now I have to fail the captcha to prove I'm human, but in the right way? We don't hate these people enough.
- LLMs can't learn, therefore, LLMs are only good for things on which they are trained.
- Captchas are not friendly with trial and error, so agentic solutions also don't help.
- It's impractical to train LLMs on everything.
- We humans are capable of creating infinite ways of captchas.
While each of these sentences is true, captchas will always win against LLMs.
A captcha an LLM can't be trained to defeat is likely a captcha humans will struggle quite a bit with.
What happened to adversarial attacks? I.e. noise that makes an image look like something else to a classifier than to humans. I guess frontier LLMs are no longer vulnerable to those?
I’ve been using Claude Opus 4.7 with Chrome MCP, and it has worked successfully about 95% of the time. However, I’ve failed various hCaptcha challenges.
The thing many people miss is that the challenge itself isn't the primary signal. The challenge creates an opportunity to observe user activity. Your browser is also fingerprinted.
Yeah, no. It is funny how easy it is to make an MCP server and plug a qwen3.6 into it. It was more annoying to convince the LLM that it can clear captchas than the actual passing.
For real Bro!!!
Until they learn to do that. So cat and mouse. So nothing new.
I think the point is that they can't just "learn to do that", because to do so would mean solving the human mind (which famously hasn't been going well).
Well no, the idea is a tradeoff between interfaces and telemetry.
OK, the agents don't click in the same way as humans. You learn that, what about mouse hovering telemetry, time spent, etc. And one of the most extreme is to force biometrics - a lot of telemetry, breaks the interface a lot - but hey, you have assurance.
And none of these tradeoffs require understanding the deep processes of the human mind. Just: the map is not the territory, how do you game the map harder and harder, and how do the mapmakers respond to that?
Did you look at the paper? They specifically look at mini tasks with cognitive processes (e.g. what dictates the strategy of how people solve tasks).
LLMs can solve original math problems at the IMO level and beyond, and you might be talking to one now. I don't think they are going to have problems with any CAPTCHA short of separate device attestation.
Whatever mechanism the paper proposes, rest assured it can be trained on.
until Google trains an AI model off that data, too
I mean, their CAPTCHAs presumably have tons of data collected over the years, and they can't detect a pretty clear AI agent here: https://www.youtube.com/watch?v=UeTpCdUc4Ls
They already have. Claude and OpenAI are not trying to write captcha-defying AI agents. These tests wouldn't hold up as well against proper bot operators who mimic user behaviour. However, the signals are still valid as part of a larger toolset.
Captchas are primarily to punish users for not allowing tracking, or using the “right” services, they may prevent some bots as a side effect (or a pretence from the provider) but it’s mostly for google and cloudflare to abuse their monopolies.
Google I would say yes, but what does Cloudflare gain? They don't run an ad network. Generally I'd say Cloudflare is pretty good to have as a guardian of the web compared to other options.
They protect free speech and allow Tor users. Ever tried completing a reCaptcha on Tor?
Cloudflare gains things like this:
https://blog.cloudflare.com/introducing-pay-per-crawl/
https://developers.cloudflare.com/browser-run/quick-actions/...
They create a new problem and sell the solution.
God damn it.
Nowadays, somebody can just ask claude to build them a scraper/bot that hooks into a proxy network and all of a sudden they can easily send 20k+ reqs/min from hundreds or thousands of IPs cycling them as they get rate limited or banned. In my work, the scrapers have gotten way more aggressive in the last 2 years or so. Frankly, I'm happy there is a solution.
There may be things to criticize Cloudflare for, but the problem of bots and scrapers destroying the open web was getting worse no matter what.
Tin hat folk say Cloudflare is CIA. I dunno
We use captchas to cut down on bots and crawlers. They don't work as well as they used to but they at least alter the economics somewhat, or so I tell myself.
Our reason for this is to try to make HN as good as possible for its real users.
I’ve never encountered a captcha on HN, do you guys use less aggressive settings?
The reason captchas bother me so much is they always seem to happen in the course of legitimate activities. Like I had one when trying to make a charity donation, or ordering something - I have no idea why it would be hard to distinguish such traffic as legitimate, I’m convinced it’s because I’m using a nonstandard browser, not allowing cookies, etc.
If I was trying an automation or to bulk download something or whatever, I’d take the captcha as an interesting professional challenge. When I’m trying to use someone’s services or pay them money, it’s just ridiculous friction and I generally abandon any transaction that makes me do a captcha.
Incidentally, I have scraped HN and never encountered any problems, since you have an API for it.
Yeah, the only problem I've ever had on accessing HN was banned IP addresses. Never seen a captcha.
It mostly kicks in on new accounts.
I can relate to the cynicism, but it's also a general tool in the effort to combat bot abuse on public facing post forms that are trying to do something for real people. Many everyday devs reach for tools like this because of the deluge of garbage they get in its absence.
My take is that it's a very hard problem, so hard that even captchas by the biggest internet company can't get it right. I strongly hesitate to roll my own bot friction strategy when other tools are available. But I recognize I may have a lack of imagination here, would absolutely love to hear alternate ideas especially for small projects that may not need the heft of corporate captchas.
Adversaries do not have to wait for LLM models to evolve to mimic human processes; they can simply evade the detection JavaScript that evaluates similarity. JavaScript is visible and can easily be reverse-engineered.
I don't think I've ever known of a captcha that handles the actual result decision in the front end. It's universally just the JavaScript required for some fancy puzzle UI, which forwards the state to some other endpoint to determine where you're redirected to (CF Turnstile) or what signed token should be included in the form request (reCAPTCHA).
I should have been clearer and specific: state management is done on the backend, but collecting behavioral biometrics and device fingerprint is done using JavaScript, which can be manipulated.
You can do it server side. But even so I would think this sort of heuristic detection is unreliable, annoying to real users, and not difficult to circumvent if the attackers actually tried.
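The last three comments agree on one architectural point: the client-side JavaScript only collects and relays, and the pass/fail decision has to live on the server. As an added example, unrelated to Turnstile's or reCAPTCHA's real token formats, this shows a minimal backend that mints a signed, short-lived, single-use result token bound to one form and one client, and a submit handler that verifies it; the key, TTL, form ids, IPs and nonces are constructed placeholders.

```python
"""Server-side verification of a CAPTCHA result token. Added example with a
constructed token format; not any vendor's protocol. Whatever the browser's
JavaScript reports, a form submission is accepted only if the token carries a
valid MAC, is unexpired, unused, and was issued for this form and client."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

SERVER_KEY = b"constructed-demo-key-use-a-rotated-secret"  # placeholder secret
TOKEN_TTL_S = 120  # seconds a solved challenge stays usable


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(form_id: str, client_ip: str, now: float, nonce: str) -> str:
    """Minted by the challenge backend after its own evaluation passed.
    Binding to form and client stops a token solved elsewhere being replayed here."""
    body = {"form": form_id, "ip": client_ip, "iat": int(now), "nonce": nonce}
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


class Verifier:
    def __init__(self) -> None:
        # Single-use enforcement; in production this is a shared store with TTL.
        self.seen_nonces = set()

    def verify(self, token: str, form_id: str, client_ip: str, now: float) -> Tuple[bool, str]:
        try:
            payload, mac_b64 = token.split(".", 1)
            given_mac = _unb64(mac_b64)
        except (ValueError, Exception):
            return False, "malformed"
        expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given_mac):
            return False, "bad signature"        # forged or tampered client-side
        body = json.loads(_unb64(payload))
        if body["form"] != form_id:
            return False, "token issued for a different form"
        if body["ip"] != client_ip:
            return False, "client mismatch"       # note: breaks for roaming/NAT users; tune per risk
        if now - body["iat"] > TOKEN_TTL_S:
            return False, "expired"
        if body["nonce"] in self.seen_nonces:
            return False, "replayed"
        self.seen_nonces.add(body["nonce"])
        return True, "ok"


def demo() -> Dict[str, str]:
    """Exercise the verifier on a constructed set of submissions."""
    v = Verifier()
    t0 = 1_700_000_000.0
    ip = "203.0.113.7"                           # documentation-range placeholder
    good = issue_token("donate-form", ip, t0, "n-1")
    # A forged token: correct-looking payload, MAC made without the server key.
    forged_body = {"form": "donate-form", "ip": ip, "iat": int(t0), "nonce": "n-4"}
    forged = _b64(json.dumps(forged_body, sort_keys=True).encode()) + "." + _b64(b"\x00" * 32)
    return {
        "valid": v.verify(good, "donate-form", ip, t0 + 5)[1],
        "replay": v.verify(good, "donate-form", ip, t0 + 6)[1],
        "other_form": v.verify(issue_token("donate-form", ip, t0, "n-2"),
                               "signup-form", ip, t0 + 5)[1],
        "expired": v.verify(issue_token("donate-form", ip, t0, "n-3"),
                            "donate-form", ip, t0 + 500)[1],
        "tampered": v.verify(forged, "donate-form", ip, t0 + 5)[1],
        "garbage": v.verify("not-a-token", "donate-form", ip, t0 + 5)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>10}: {outcome}")
```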
I think it will always be a cat and mouse game as you could also detect such evasions in the first place.