AI-Powered Bot AkiraBot Targets Websites with Spam at Scale, Bypassing CAPTCHA Checks
Published on April 10, 2025
- A novel spam bot leverages OpenAI to create messages, with more than 80,000 successful spam incidents reported.
- The bot targeted over 400,000 websites via advanced CAPTCHA evasion and network techniques.
- Following the report, OpenAI disabled the identified API keys and started investigating associated accounts.
AkiraBot, an AI-powered spam bot, is intensifying spam attacks on websites globally, utilizing OpenAI to generate bespoke outreach messages and bypassing CAPTCHA defenses to target over 400,000 websites since September 2024, with more than 80,000 successful spam incidents.
SentinelLABS' detailed analysis reveals the bot's immense scale, presenting heightened threats to small and medium-sized businesses.
Unlike conventional spam tools, AkiraBot employs a modular, customizable architecture designed for mass website spamming. Its primary targets are contact forms and live chat widgets on platforms like Shopify, GoDaddy, Wix, and Squarespace.Â
AkiraBot's unique ability to process website content using OpenAI's GPT-based technology allows it to create tailored marketing messages, making it harder for spam filters to detect and block these attacks. The bot spammed various websites with messages that were indexed by search engines.
![Google search results containing useakira[.]com](https://cdn.technadu.com/wp-content/uploads/2025/04/Google-search-results-containing-useakira.com_.webp)
A significant feature that sets AkiraBot apart is its sophisticated CAPTCHA bypass mechanisms, including Capsolver, FastCaptcha, and NextCaptcha. With Selenium WebDriver and inject.js scripts, the tool mimics user activity, altering attributes like audio context, graphics rendering, and browser navigator objects to deceive defenses.Â
Notably, this level of sophistication extends to defeating popular CAPTCHA services such as Google reCAPTCHA and Cloudflare’s hCAPTCHA.
AkiraBot's reliance on SmartProxy further supports its evasion techniques by using residential and data center proxies, revealing a concerning overlap of legitimate services with malicious usage cases. These methods allow AkiraBot to bypass geographical or IP-based restrictions.
Two versions of AkiraBot used a Telegram bot via scripts that collected success metrics from the bot and posted them to a Telegram channel via API.
Following SentinelLABS' research, OpenAI has collaborated to tackle this misuse, disabling the identified API keys and investigating associated accounts. OpenAI reaffirmed its stance against the exploitation of its technology for spam and announced ongoing efforts to enhance misuse detection systems.
Related
Most Popular
Most Popular