How CAPTCHAs Are Evolving to Fight AI-Powered Bots
Is it game over for CAPTCHA solvers?
You must have noticed that CAPTCHAs are getting crazier and crazier. What used to be a simple “What text do you see in this distorted image?” has turned into a sequence of layered, multi-step, highly interactive verification tasks.
Fortunately, not all providers have gone in that direction (think of the simple one-click Cloudflare Turnstile). However, many others are designing more intricate mechanisms to counter AI-based automation.
Is this the end of CAPTCHA solvers? And does this impact your scraping script? And how should we interpret these changes overall? Let me introduce you to the new generation of CAPTCHA systems to address all of these questions!
Give your AI a web data layer – Decodo's Web Scraping API turns any site into clean, structured data your models can actually use.
Why CAPTCHAs Have Become More Sophisticated
Before the rise of modern AI, CAPTCHAs could already be solved automatically using traditional machine learning techniques and browser automation. The approach was based on three steps:
Detect the challenge.
Recognize its content.
Simulate the required user interaction.
For example, image classification models can identify the correct images in reCAPTCHA v2 (”Select all images containing hydrants”):
(For more details on reCAPTCHA solving, see our previous articles: Part I and Part II.)
Similarly, OCR models could extract text from distorted image-based CAPTCHAs.
Combined with browser automation, these models were often accurate enough to solve many CAPTCHA challenges without human intervention.
A good example was Botright, an open-source browser automation library that integrated machine learning models to solve CAPTCHAs. The project has since been abandoned (its last commit was over two years ago), but it demonstrated how effective this approach could be.
I’ve personally tested similar techniques. While they were far from 100% reliable, they were still capable of passing many CAPTCHA challenges.
CAPTCHA providers have long been aware of these techniques. As automated solvers became more capable, they responded by making CAPTCHAs steadily more intricate. This led to the introduction of puzzle-based challenges, such as those used by AWS WAF CAPTCHA, hCaptcha, and other providers.
Yet, the rapid advancement of multimodal AI models has raised the bar even further…
Instead of training specialized ML models for each CAPTCHA type, LLMs can understand images, reason about what they see, and let the controlled browser interact with the page much like a human would. That has forced CAPTCHA providers to develop more sophisticated techniques to distinguish humans from bots.
This is where we stand today!
Are CAPTCHAs Dead Because of AI?
The short answer is: No!
While multimodal AI models have fundamentally changed how CAPTCHA providers think about distinguishing human users from automated bots, traditional CAPTCHAs are far from obsolete. There are at least three reasons why:
Not every bot uses AI: Many scraping bots still rely on traditional browser automation or simple scripts. They don’t have access to AI tools capable of understanding and solving CAPTCHA challenges.
LLMs are not deterministic: AI models can solve the same CAPTCHA challenge most of the time, but fail spectacularly on others. No wonder you can find examples on Reddit and X of AI-powered browsers repeatedly failing at CAPTCHA challenges.
Solving the challenge is only part of the verification process: CAPTCHA systems usually evaluate much more than just the answer to the test. They also analyze behavioral signals such as mouse movements, cursor acceleration, click timing, scrolling behavior, touch interactions, and many other indicators. That’s why one-click, press-and-hold, and slider CAPTCHAs exist. An AI model may correctly identify the solution, yet still exhibit interaction patterns that look “robotic” rather than “human,” causing the verification to fail.
That said, AI is undeniably making life harder for CAPTCHA providers. Numerous research papers have shown that, given sufficient training data and realistic browser automation techniques (such as human-like mouse movements, scrolling, and timing), AI systems can successfully solve many traditional CAPTCHA schemes.
The real question is no longer whether AI can solve older CAPTCHAs, as it clearly can. The more interesting question is: Can it reliably solve the new generation of AI-resistant CAPTCHAs?
New Approaches to AI-Resistant CAPTCHAs
More and more CAPTCHA providers are experimenting with advanced challenges specifically engineered to resist AI-powered solvers.
In this section, I’ll focus on three approaches to newer CAPTCHAs that I’ve personally seen challenge even some of the most popular CAPTCHA-solving solutions.
hCaptcha’s New Puzzle-Based Challenges
hCaptcha has always been one of the more difficult CAPTCHA providers to bypass, thanks to its creative human verification tests.
As AI capabilities have advanced, hCaptcha has responded by introducing elaborate puzzles purpose-built to thwart automated solving:
Notice how many of these challenges require much more than simply clicking on the correct images. They can involve drag-and-drop interactions, spatial reasoning, and specific knowledge.
To properly solve CAPTCHAS, you need high quality proxies. anyIP gives HTTP/3 proxies from an IP pool made of 100M+ residential and mobile addresses.
Microsoft’s Multi-Option CAPTCHAs
Explore the Microsoft forums and Reddit, and you’ll find plenty of users complaining about Microsoft’s newer human verification challenges (example 1, example 2, example 3). Here are a few examples:
These challenges can be somewhat ambiguous. They tend to present multiple plausible answers, require you to search through numerous options, and may involve several consecutive steps before the verification is complete. As a result, they take considerably longer to solve and can be frustrating for legitimate users (especially if a mistake forces them to restart the entire challenge).
Temu’s Proprietary CAPTCHAs
Some platforms are moving away from standard CAPTCHA providers and building their own verification systems in-house. A notable example is Temu, which has recently introduced a restrictive, custom CAPTCHA mechanism:
These challenges go beyond simple image selection and require very specific actions. For instance, they can involve multi-step interactions such as drag-and-drop tasks or slider-based tests that must be completed in a precise way.
What they generally have in common is the heavy use of AI-generated images. This creates an interesting dynamic: AI is being used to produce the very content to stop AI-powered bots.
The Future of CAPTCHA: What Comes Next
While these new CAPTCHA challenges are definitely more difficult for AI to solve, it’s still unclear whether AI will evolve quickly enough to keep up in the ongoing arms race between scraping developers and CAPTCHA-protected websites.
What’s clear is that providers will continue experimenting…
Hand-Gesture CAPTCHAs
Hand-gesture CAPTCHAs represent a shift from traditional image-based verification toward real-world interaction signals.
Google has recently begun testing a new reCAPTCHA system that asks users to prove they’re human by performing simple hand gestures in front of their device camera.
When enabled, the browser requests camera access and records a short video of the user’s hand movement. The system then analyzes the footage by extracting around 21 hand-landmark points (measurements of finger and joint positions) to identify specific gestures.
This is an attempt to improve “liveness detection,” making it harder for automated systems to pass as real users. Still, it’s not impossible that AI-driven tools could eventually simulate these gestures using AI-generated videos via camera injection.
Stronger CAPTCHAs, Worse User Experience?
Newer CAPTCHAs are significantly harder for AI to pass, but they also introduce a new layer of friction for us, the everyday users. That’s the main trade-off in the current wave of anti-AI verification systems.
As models become more capable, CAPTCHAs are forced to evolve in parallel, often becoming more demanding not only for bots but also for legitimate users.
As a result, many users have been complaining on Reddit and X about frustration, increasingly time-consuming challenges, and privacy concerns (such as having to use a camera just to complete a CAPTCHA).
This has led to growing criticism that could eventually push providers to relax some of these verification mechanisms, either by making them easier or less frequent (which would be a win-win scenario for web scraping).
It’s quite clear that the real objective is finding a balance between effectively blocking bots and avoiding unnecessary friction for legitimate users.
Are These New CAPTCHAs Effective Against AI?
These newer CAPTCHAs aren’t becoming more elaborate simply for the sake of increasing difficulty. Providers are well aware that the probability of AI reliably passing these checks at scale remains low, though not zero.
The idea is to design challenges that are intricate enough to deter automation, while still incorporating sufficient interaction signals and behavioral data to assess whether the user is actually human.
In essence, beneath the surface, the core principle hasn’t fundamentally changed. What we are seeing is an evolution in execution, rather than a reinvention of the underlying idea.
Avoiding CAPTCHAs Remains More Effective Than Solving Them
The final question is: “Should these new CAPTCHAs scare us, web scraping experts/enthusiasts?” In a sense, they might, but ultimately this is not really a revolution…
The truth is that in web scraping, the most effective strategy is rarely about solving CAPTCHAs. Instead, it’s about avoiding them altogether.
CAPTCHA systems are just one layer of a broader anti-bot ecosystem, and triggering them is a signal that the traffic is already considered low-trust or detectable.
For this reason, the focus should be on prevention rather than resolution. Best practices involve:
Routing traffic through high-quality residential proxy networks with strong reputation IPs.
Using stealth browser environments such as Kameleo Docker, Camoufox, or Rayobrowse.
Managing and rotating browser sessions in automated scraping workflows.
The end goal is to consistently emulate real, human-like browsing behavior to minimize the chances of detection. If human verification tests still appear, CAPTCHA solvers will remain the go-to option, as they must evolve to keep up with new challenges in order to stay in business.
The Web Scraping Club is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.
Conclusion
In this post, you’ve understood why CAPTCHAs have become more sophisticated and the role AI has played in this evolution. You’ve also seen what providers like hCaptcha, platforms like Microsoft, and sites like Temu are doing to defend against AI-powered automated scrapers and bots, as well as what the future of CAPTCHAs might look like.
I hope you now have a clearer understanding of the current and future CAPTCHA landscape. If you have any questions, feel free to leave them in the comments below. Until next time!
Did you like this article? Share it with someone who might find it useful and get a discount on paid plans.











