What are CAPTCHA Farms?

Alex McConnell

    In part one of our CAPTCHA series, we discussed how CAPTCHA works and how it is used to effectively stop bots. In part two, we take a deep dive into one of the most commonly used CAPTCHA evasion techniques, CAPTCHA farms.

    First things first: let’s understand a little more about what CAPTCHA farms are and how they came into being.

    CAPTCHA farms are a thriving business and have been for over a decade, ever since the likes of MySpace, Google and YouTube started using CAPTCHA to block the hordes of spam bots from accessing their sites for nefarious purposes. For instance, spam bots will send hundreds of requests per minute to overwhelm a website and take it offline, or post messages in comment boxes that are embedded with phishing links or with hyperlinks to another website to improve that site’s search rankings.

    This is not the type of activity that any well-run business wants to see going on, and most strive to put a stop to it, while other organisations are built on the very premise of enabling this malicious behaviour.

    How do CAPTCHA farms work?

    CAPTCHA farms bridge the gap between bot operators and the site they want to access via a CAPTCHA form.

    Essentially, the bot will be integrated with a third-party API, so that when faced with a CAPTCHA test, the request is sent to a CAPTCHA farm to be completed by a real human. The human-generated, correct response is then sent to the bot, which is now able to successfully solve the CAPTCHA test on the web application and verify its “humanness”.

    There are other ways to evade a CAPTCHA test using bots, including Optical Character Recognition (OCR) and audio-to-text services, but we focused our research on the multi-million-dollar industry built around CAPTCHA farms.

    Undercover at a CAPTCHA farm

    In our efforts to really get to grips with how CAPTCHA farms work, a group of Netacea researchers decided to sign up for one of the many CAPTCHA farms readily accessible on the world wide web.

    We identified an appropriate organisation for our research and, upon accessing the site, quickly realised it had all the required look and feel of a well-established, well-run business. It even had customer stats, information for employees, developer areas, FAQs, news, referral schemes and how-to guides. The business was even using social media to advise employees about rotating their IPs.

    On becoming officially registered employees, we began our CAPTCHA solving training, and our progress was monitored and moderated by the organisation. That way, they could ensure accuracy, prevent detection and justify their customers’ expenditure.

    We were then ready to start solving CAPTCHAs and for the money to start rolling in; or so we thought.

    How much money can I make working in a CAPTCHA farm?

    We quickly discovered that while this industry is lucrative for some, it’s built on the backs of citizens from economically-deprived countries who operate in a fleet of digital sweatshops.

    In half an hour, our best researcher earnt 0.0087p. You would need to solve a LOT of CAPTCHAs to earn an average £18k salary.

    This led us to dig deeper into the CAPTCHA farming economy. We found that employees earn $0.17 (£0.13) per 1000 CAPTCHAs solved and $1 (£0.76) per reCAPTCHA, using the USD to GBP conversion rate of 1 USD = 0.76 GBP.

    According to the image CAPTCHA remuneration figures above alone, a single employee at the chosen business would need to complete 100 million CAPTCHAs to earn £13k.

    How much does it cost to farm out CAPTCHA challenges?

    We were unable to find a hard and fast figure charged by CAPTCHA farms for their services, but we did estimate the discrepancy between how much it would cost a bot operator to farm out 1000 CAPTCHA challenges and how much the “farm” would earn per worker.

    Applying the same USD to GBP conversion rate, a bot operator will spend £0.68 per 1000 CAPTCHAs and £2.28 per reCAPTCHA.

    If we deduct the £0.13 paid out to the employee per 1000 image CAPTCHAs, the business earns £0.55 per 1000 and £55,000 for every 100 million CAPTCHAs solved. And that’s where we find the big bucks.

    Clearly CAPTCHA farming isn’t going to go away anytime soon, and CAPTCHA continues to play a critical role in most cybersecurity solutions. However, CAPTCHA is not enough on its own.

    How Netacea helps combat CAPTCHA farm activity

    Netacea takes a smarter approach to bot management. Our Intent Analytics™ powered by defensive AI quickly and accurately distinguishes bots from humans to protect websites, mobile apps and APIs from automated threats while prioritizing genuine users. Actionable intelligence with data-rich visualizations empowers you to make informed decisions about your traffic.
