You’ve done it hundreds of times. A grid of blurry photos appears on your screen: “Select all images with traffic lights.” You squint, click a few tiles, wonder whether that sliver of pole in the corner counts, fail, try again. Eventually, you’re allowed in.
This ritual, the CAPTCHA, has been the internet’s bouncer for over two decades. But the door it guards is swinging open, and the bouncers are losing their edge. In 2024, researchers at ETH Zurich demonstrated that an AI model called YOLOv8 could solve Google’s reCAPTCHA image challenges with 100% accuracy, outperforming actual humans [1]. A separate study by the Merchant Risk Council found AI bots bypassing reCAPTCHA with 99.8% accuracy [2].
The proof-of-concept tool accompanying this article, a CAPTCHA solver built with a source-patched browser and AI vision, is a working demonstration of that reality. It was built specifically to test how well current CAPTCHA systems hold up against commodity AI, not as an attack tool. It navigates to a webpage, fills out a form, screenshots the CAPTCHA, sends the image to an AI vision model, and clicks the correct tiles. It works reliably. And it raises questions that go far beyond technology.
A brief history of the squiggly text
The story starts in 1997, when AltaVista (then a major search engine) deployed the first known CAPTCHA system to stop bots from spamming its URL submission form. It worked: spam dropped by 95% [3]. In 2000, Carnegie Mellon researchers formalized the concept and gave it its awkward name: Completely Automated Public Turing test to tell Computers and Humans Apart [3].
For years, the approach was simple: show distorted text that humans could read but machines couldn’t. Then OCR (optical character recognition) software caught up, and the text had to get more distorted, to the point where humans couldn’t read it either. Studies from the Baymard Institute found that text CAPTCHAs had an 8% failure rate on first attempt, rising to nearly 30% if case-sensitive [4].
Google acquired reCAPTCHA in 2009 and pivoted to image grids (“select all buses”), then to invisible behavioral analysis (reCAPTCHA v3), which watches how you move your mouse and assigns a “human probability” score without you ever seeing a challenge. Cloudflare launched Turnstile in 2022 as a privacy-friendlier alternative using cryptographic proof-of-work puzzles that run invisibly in your browser [5].
Today, Google’s reCAPTCHA dominates with roughly 94.7% market share across more than 10 million websites [6]. But that dominance is under pressure from multiple directions.
The shrinking gap between bots and defenses
The fundamental premise of a CAPTCHA is that there exist tasks humans can do easily but machines cannot. That premise is collapsing.
Modern AI vision models, the same technology that powers image search, self-driving cars, and medical imaging, can look at a grid of street photos and identify buses, crosswalks, and traffic lights with superhuman accuracy. The tool described in this repository does exactly this: it takes a screenshot of the CAPTCHA grid, sends it to a vision model (GPT, Claude, Qwen, or others), receives a list of which tiles to click, and clicks them. The entire process takes 2-3 seconds.
This isn’t a theoretical vulnerability. It’s a working pipeline that solves reCAPTCHA v2 challenges on real websites, fills out real forms, and submits them successfully.
The anti-bot industry knows this. hCaptcha’s February 2026 report acknowledges the threat from vision-language models but claims their challenges “evolve in lockstep” with AI capabilities [7]. Cloudflare’s Turnstile sidesteps the problem entirely by avoiding image challenges, relying on browser fingerprinting and cryptographic puzzles instead. But even behavioral analysis has limits: open-source tools now patch dozens of signals in Chromium at the source level to produce a browser fingerprint indistinguishable from a human-operated session, and alternative automation tools control the browser through internal channels that bypass the usual automation-detection mechanisms entirely.
The result is a layered arms race where each side’s improvements are rapidly neutralized by the other.
The hidden cost: who CAPTCHAs actually stop
While CAPTCHAs struggle to stop sophisticated bots, they remain remarkably effective at stopping people.
According to the World Health Organization, 1.3 billion people globally (16% of the world’s population) experience significant disability [8]. For these users, CAPTCHAs can be impassable barriers:
- Visually impaired users cannot see image grids. Audio alternatives exist but are heavily distorted. Give-up rates for audio CAPTCHAs reach 50%, and solving one takes an average of 28.4 seconds compared to 9.8 seconds for visual challenges [4].
- Users with motor disabilities such as tremors, paralysis, or limited dexterity cannot reliably click small tiles or drag sliders. Time limits make this worse.
- Users with cognitive disabilities such as dyslexia, ADHD, or autism are overwhelmed by ambiguous instructions and pattern-matching under pressure. (“Does this corner of a traffic light count?”)
- Elderly users experience natural declines in visual acuity and fine motor control that make CAPTCHAs progressively harder.
Research from GeeTest estimates that at least 15% of website users are failing due to inaccessible CAPTCHA design [9]. The friction is not limited to disabled users: anyone holding a baby, using a cracked screen, browsing on slow internet, or simply tired after a long day faces similar barriers.
The business impact is measurable. Stanford University research found that CAPTCHAs can reduce form conversions by up to 40% [10]. One case study showed a sign-up form converting at 48% with CAPTCHA jumped to 64% without it, a 33% improvement [4]. Roughly 30% of users will leave a site entirely if the CAPTCHA is too complex or time-consuming [10].
In other words, CAPTCHAs are increasingly unable to stop bots, but they reliably stop paying customers, potential supporters, and people seeking services.
The privacy problem nobody reads about
There’s another dimension most users never consider. When you solve a reCAPTCHA, you’re not just proving you’re human. You’re handing Google a detailed behavioral profile.
Google’s reCAPTCHA collects: your browsing history, previously visited websites, mouse movements and click patterns, browser fingerprint (including hardware details, installed fonts, and graphics card information), IP address, login state, and device information [11]. The French data protection authority (CNIL) ruled that reCAPTCHA uses “excessive personal data for purposes other than security” [11]. In practice, the data feeds Google’s advertising ecosystem, not just its security system.
In April 2026, Google shifted reCAPTCHA from “data controller” to “data processor” under GDPR, requiring websites to migrate to Google Cloud Platform accounts [12]. The free tier was simultaneously cut from 1 million to just 10,000 monthly assessments, with a new $8/month fee for the standard tier [12]. This pricing change, combined with growing privacy scrutiny, is pushing websites toward alternatives.
Privacy-first alternatives do exist. Cloudflare Turnstile uses no tracking cookies. ALTCHA is open-source and self-hostable with no user tracking [13]. Friendly Captcha is WCAG 2.2 Level AA certified and collects no behavioral data [14]. But these solutions represent a tiny fraction of the market, and many websites remain on reCAPTCHA by default.
When the system breaks
Even setting aside bots and accessibility, CAPTCHA infrastructure has proven fragile.
In 2026, Google and Cloudflare suffered simultaneous multi-hour outages that took both reCAPTCHA and Cloudflare Turnstile offline [15]. Any website relying on either service for form protection was effectively locked. Real users couldn’t submit forms, make purchases, or access services. hCaptcha, running on independent infrastructure, was the only major provider unaffected, maintaining 99.99%+ availability during the outage [15].
Meanwhile, cybercriminals have turned CAPTCHAs into attack vectors. “Fake CAPTCHA” campaigns, where malicious advertisements display convincing CAPTCHA interfaces that trigger malware downloads, accounted for 58% of all identifiable cyber incidents in 2025 [16]. The security mechanism designed to protect users is now being weaponized against them, and the resulting erosion of trust makes users more likely to avoid all CAPTCHAs, including legitimate ones.
What this proof of concept demonstrates
This CAPTCHA solver was built as a research proof of concept, intended as a diagnostic rather than an attack tool. The question it answers is simple: can commodity AI, running on a single laptop, reliably defeat the CAPTCHA systems that protect the majority of the internet? The answer, as of mid-2026, is yes.
The tool uses a browser patched at the Chromium source level to present a genuine fingerprint and avoid bot detection. It auto-detects form fields by reading labels in the page DOM, fills them with plausible data, screenshots CAPTCHA challenges, sends them to any of several AI vision APIs, parses the response, clicks the correct tiles using calculated coordinates, and submits the form.
It handles Cloudflare Turnstile (which the browser’s source-level patches bypass without any AI involvement), reCAPTCHA v2 image grids (solved by AI vision in 1-2 rounds), hCaptcha grids, and distorted text CAPTCHAs. The patched browser also acts as prevention: by presenting a convincing fingerprint, it sometimes avoids triggering reCAPTCHA challenges altogether, passing the checkbox check without ever seeing an image grid.
In testing against the University’s websites, the tool:
- Bypassed Cloudflare Turnstile on a contact form without triggering any visible challenge. The browser’s fingerprint was accepted as legitimate, and the form was submitted with auto-filled data on the first attempt.
- Solved reCAPTCHA v2 image grids on a second site, completing “select all traffic lights” and “select all buses” challenges in one to two rounds using a commodity vision model, then submitting the form successfully.
- Prevented reCAPTCHA from triggering on some attempts entirely. The browser’s fingerprint was convincing enough that the checkbox passed without presenting an image grid at all.
The limitations are real, but perhaps not where you’d expect:
- reCAPTCHA’s “select more” rounds, where individual tiles are replaced after clicking, require multiple queries to the vision model, adding time. But each query takes 1-2 seconds, so even a difficult multi-round challenge resolves in under 15 seconds.
- Image grid challenges generally take more effort than fingerprint-based prevention alone. A convincing browser fingerprint sometimes stops reCAPTCHA from presenting a grid at all, passing the checkbox without any visual test. When a grid does appear, the AI does not always get it right on the first try: 4×4 grids are harder than 3×3, and Google often chains multiple rounds. In practice, the solver sometimes fails a challenge and has to retry from scratch. It still succeeds, but it may take several attempts, each costing a few seconds and an extra API call. Turnstile was not always bypassed instantly in testing either, and occasionally required multiple polling cycles before resolving. The gap between “defeatable” and “effortless” is real, and both systems sit in it to varying degrees.
- Rate limiting and IP reputation still matter. Google tracks solve patterns across sessions, and too many rapid solves from one IP will escalate difficulty or block entirely. This is currently the most effective defense.
- reCAPTCHA v3 (invisible, score-based) and advanced behavioral analysis are a different kind of problem. There is no image to solve; the defense relies on browser fingerprinting and interaction patterns. But source-patched browsers already address this by presenting a genuine fingerprint and simulating human-like mouse movements and timing. The challenge is not unsolved, just solved by a different layer of the same toolchain.
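The rate-limiting defense described in the list above, the one the page calls currently the most effective, can be implemented server-side without any image challenge at all. The following is an added defender-side example, not code from the page's tool; the thresholds, the log format and the sample solve events are constructed, with the 2-3 second AI solve time and ~10 second human solve time taken from the figures quoted earlier on the page.

```python
# Sliding-window monitor for solve rate and solve speed per source IP.
# Added example, not the page's tool; thresholds and log lines are constructed.
from collections import defaultdict, deque

WINDOW_S = 60      # look-back window
MAX_SOLVES = 5     # more than this per window from one IP -> harder challenge
HARD_LIMIT = 12    # more than this per window -> block
FAST_MS = 2500     # the page reports AI solvers finishing in 2-3 s; humans take ~10 s
FAST_RUN = 3       # this many consecutive sub-FAST_MS solves -> harder challenge

class SolveMonitor:
    def __init__(self):
        self._events = defaultdict(deque)   # ip -> deque of (ts, solve_ms)

    def observe(self, ts: float, ip: str, solve_ms: int) -> tuple:
        """Record one successful solve; return (level, reason) for that IP."""
        q = self._events[ip]
        q.append((ts, solve_ms))
        while q and ts - q[0][0] > WINDOW_S:   # expire events outside the window
            q.popleft()
        count = len(q)
        if count > HARD_LIMIT:
            return ("block", f"{count} solves in {WINDOW_S}s")
        recent = [ms for _, ms in list(q)[-FAST_RUN:]]
        if len(recent) == FAST_RUN and all(ms < FAST_MS for ms in recent):
            return ("hard", f"{FAST_RUN} consecutive solves under {FAST_MS} ms")
        if count > MAX_SOLVES:
            return ("hard", f"{count} solves in {WINDOW_S}s")
        return ("normal", "within limits")

# Constructed sample log, one solve per line: "<unix_ts> <ip> solved <ms>"
SAMPLE_LOG = """\
1700000000 203.0.113.5 solved 9800
1700000012 203.0.113.5 solved 11200
1700000030 198.51.100.9 solved 2100
1700000033 198.51.100.9 solved 1900
1700000036 198.51.100.9 solved 2300
"""

def replay(log: str) -> dict:
    """Replay a log through the monitor; return the final level per IP."""
    mon = SolveMonitor()
    last = {}
    for line in log.splitlines():
        ts, ip, _, ms = line.split()
        last[ip] = mon.observe(float(ts), ip, int(ms))[0]
    return last

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))   # {'203.0.113.5': 'normal', '198.51.100.9': 'hard'}
```

The second IP is escalated on speed alone after three solves that are well under the human baseline, before it ever exceeds the per-window count.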
One limitation that has largely disappeared is cost. Cloud AI vision APIs charge per query, making large-scale solving via API more expensive than human CAPTCHA-solving farms ($1-3 per thousand solves). But open-weight vision models like Qwen3-VL and Gemma 4 now run locally on consumer hardware: a laptop GPU or even a Mac with enough memory. Once the model is downloaded, every solve is free. There are no API keys, no per-query fees, no rate limits, and no external service that could be shut down. The tool in this repository supports local models via Ollama with a single flag (--llm ollama-local). This shifts the economics decisively: the cost of solving CAPTCHAs at scale is now the electricity to run a GPU, not a line item in an API bill.
What comes next
The industry is slowly moving away from challenge-response CAPTCHAs toward what researchers call “ambient trust”: verification that happens continuously in the background without ever interrupting the user [17].
The most promising directions include:
- Device attestation for public-facing websites: protocols like Apple’s Private Access Tokens and Android’s device integrity API can prove that a request comes from a real, unmodified device without identifying the user or requiring prior registration. Cloudflare already uses Apple PATs to skip CAPTCHAs for Safari users. This approach works for anonymous visitors on public forms, since it verifies the device, not the person. The tradeoff is a dependency on hardware vendors: Linux users, older devices, and custom-built machines are excluded, effectively allowing Apple and Google to gatekeep who can access the web without friction.
- Passkeys (WebAuthn/FIDO2) for authenticated contexts: hardware-backed cryptographic credentials that replace passwords and prove device legitimacy. These are strong for login flows, account recovery, and payment confirmation, but they require the user to have registered with the site beforehand. A first-time visitor submitting a contact form has no passkey to present, so this approach does not apply to open public forms.
- Risk-based authentication: analyzing signals like device history, location, and behavioral patterns to assign trust scores. Low-risk users proceed without friction; only suspicious traffic faces additional checks.
- Proof-of-work: requiring the client device to solve a cryptographic puzzle, making automation expensive at scale without burdening individual users (Friendly Captcha, ALTCHA).
- Continuous behavioral analysis: monitoring interaction patterns throughout a session rather than at a single checkpoint, detecting anomalies that suggest automation or account takeover.
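The proof-of-work item above, and the caveat that follows about its cost on low-powered devices, are easiest to see in a minimal challenge/verify exchange. This is an added example of a hash-based puzzle of the kind ALTCHA and Friendly Captcha rely on, not their code; the wire format, the difficulty values and the server secret are constructed. Expected client work is about 2**bits hashes, which is exactly the knob that trades bot cost against friction for a slow phone.

```python
# Hash-based proof-of-work challenge/response (ALTCHA-style), added example.
# Not any vendor's code; wire format, difficulty values and secret are constructed.
import hashlib
import hmac
import os
import time

SERVER_SECRET = b"constructed-demo-secret"   # production: random, rotated key

def issue_challenge(difficulty_bits: int, ttl_s: int = 300, now=None) -> dict:
    """Server side: salt + difficulty + expiry, HMAC-signed so the client
    cannot lower the difficulty or extend the deadline."""
    now = time.time() if now is None else now
    salt = os.urandom(8).hex()
    expires = int(now) + ttl_s
    msg = f"{salt}:{difficulty_bits}:{expires}".encode()
    sig = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return {"salt": salt, "bits": difficulty_bits, "expires": expires, "sig": sig}

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge: dict) -> int:
    """Client side: brute-force a nonce. Expected work is 2**bits hashes,
    which is why difficulty must stay low enough for legitimate mobile users."""
    target = challenge["bits"]
    nonce = 0
    while True:
        d = hashlib.sha256(f"{challenge['salt']}:{nonce}".encode()).digest()
        if leading_zero_bits(d) >= target:
            return nonce
        nonce += 1

_spent: set = set()   # salts already redeemed: one solve per challenge

def verify(challenge: dict, nonce: int, now=None) -> bool:
    """Server side: check signature, expiry and replay before the hash."""
    now = time.time() if now is None else now
    msg = f"{challenge['salt']}:{challenge['bits']}:{challenge['expires']}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["sig"]):
        return False
    if now > challenge["expires"] or challenge["salt"] in _spent:
        return False
    d = hashlib.sha256(f"{challenge['salt']}:{nonce}".encode()).digest()
    if leading_zero_bits(d) < challenge["bits"]:
        return False
    _spent.add(challenge["salt"])
    return True

if __name__ == "__main__":
    c = issue_challenge(12)
    print(verify(c, solve(c)))   # True
```

Verification is a single hash plus an HMAC, so the asymmetry is entirely on the client side; the signed expiry and the spent-salt set are what stop a solved puzzle from being replayed across many form submissions.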
None of these are perfect. Device attestation creates hardware vendor lock-in. Passkeys don’t help with anonymous public access. Behavioral analysis raises privacy questions. Proof-of-work disproportionately affects low-powered mobile devices. Risk scoring can be gamed by establishing trusted profiles before attacking.
But all of them represent progress beyond “click all the traffic lights,” a model that was always a compromise, and one that AI has now decisively outgrown.
References
- [1] ETH Zurich (2024). “Breaking reCAPTCHAv2.” Research demonstrating YOLOv8 achieving 100% accuracy on reCAPTCHA v2 image challenges.
- [2] Merchant Risk Council. Study on AI bot performance against reCAPTCHA systems showing 99.8% bypass accuracy.
- [3] GeeTest. “History of CAPTCHA: The Origin Story.” AltaVista’s 1997 deployment and Carnegie Mellon’s formalization in 2000.
- [4] Baymard Institute. CAPTCHA usability research: failure rates, audio CAPTCHA completion times, and conversion impact case studies.
- [5] Cloudflare (2022). Turnstile launch announcement: proof-of-work based invisible challenge system.
- [6] TechnologyChecker.io (2026). “Companies Using reCAPTCHA in 2026.” Market share analysis across CAPTCHA providers.
- [7] hCaptcha Blog (February 2026). “hCaptcha CAPTCHAs: Highly Effective Against Bots and Agents in 2026.” Response to vision-language model threats and browser automation agents.
- [8] World Health Organization. Global disability statistics: 1.3 billion people (16% of world population) experiencing significant disability.
- [9] GeeTest (April 2026). “CAPTCHA Accessibility: Why You’re Failing 15% of Your Users.”
- [10] Stanford University. Research on CAPTCHA impact on form conversion rates, documenting up to 40% reduction.
- [11] CNIL (France). Ruling on Google reCAPTCHA’s use of excessive personal data for purposes beyond security.
- [12] Ben Ryan Blog (2026). “Google reCAPTCHA Cloud Migration WordPress 2026.” Documentation of pricing changes and cloud platform migration requirements.
- [13] ALTCHA. Open-source proof-of-work CAPTCHA alternative: self-hostable, no cookies, GDPR/CCPA compliant.
- [14] Friendly Captcha (February 2026). “Best CAPTCHA Alternative 2026: More Privacy, Less Friction.” WCAG 2.2 Level AA certification.
- [15] hCaptcha Blog (2026). “How hCaptcha Stayed Up When Cloudflare and Google Went Down.” Documentation of simultaneous outage and infrastructure independence.
- [16] Blackpoint Cyber. “The 3 Cyber Attack Campaigns That Defined 2025.” Fake CAPTCHA and ClickFix campaigns accounting for 58% of identifiable incidents.
- [17] Tugui Dragos-Constantin (December 2025). “The Silent Gatekeeper: Why CAPTCHA is Dying and What Comes Next in 2025.” Medium.