AkiraBot Evades CAPTCHA to Spam the Web with AI Content
A newly uncovered Python-based tool known as AkiraBot has been used to spam more than 80,000 websites with AI-generated messages, according to cybersecurity firm SentinelOne. This framework is capable of bypassing CAPTCHA protections and avoiding network detection, making it highly effective in targeting contact forms and chat features on websites—especially those belonging to small and medium-sized businesses.
The bot gets its name from SEO-themed domains containing "Akira," and also uses the name ServiceWrap in various SEO domain aliases. It’s designed to generate and submit spam content that is indexable by search engines, utilizing OpenAI’s language models to craft unique, tailored messages for each site it attacks.
Analysis of AkiraBot’s codebase shows that the framework has been active since September 2024, beginning with Shopify platforms and eventually targeting sites built with GoDaddy, Wix, Squarespace, and other general web builders. These platforms are commonly used by SMBs due to their simplicity and eCommerce capabilities.
SentinelOne found several versions of the bot, all embedding hardcoded OpenAI API keys and using the same proxy services and test environments. The bot's dashboard allows its operator to view performance metrics, select target sites, and manage concurrent attacks.
Each spam message is based on a generic structure but is uniquely generated using OpenAI's API to appear customized. This variability makes traditional spam filters less effective.
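Because the wording of every message differs, a form handler can key on the part that stays constant: the SEO brand being promoted. The following is an added example, not code from SentinelOne's report or from AkiraBot; it flags submissions whose linked hostnames contain the "Akira" or "ServiceWrap" names the article mentions. The function names, the `.example` domains and the sample submissions are constructed for illustration.

```python
import re
import unicodedata

# Brand tokens taken from the article. Only hostnames are matched, because
# "Akira" is also a common personal name and would false-positive in body text.
BRAND_TOKENS = ("akira", "servicewrap")

# Matches hostnames inside URLs as well as bare domains such as "shop.example".
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")


def extract_hosts(text):
    """Return the set of lower-cased hostnames mentioned in a message."""
    # NFKC folds full-width and other compatibility characters to ASCII forms,
    # so lookalike spellings of a domain are compared in one canonical shape.
    normalized = unicodedata.normalize("NFKC", text).casefold()
    return {m.group(1) for m in HOST_RE.finditer(normalized)}


def flag_submission(message):
    """Return (is_spam, reasons) for one contact-form message."""
    reasons = []
    for host in sorted(extract_hosts(message)):
        labels = host.split(".")[:-1]  # ignore the TLD
        for token in BRAND_TOKENS:
            if any(token in label for label in labels):
                reasons.append(f"{host} contains '{token}'")
    return bool(reasons), reasons


# Constructed sample submissions (not real AkiraBot output).
SAMPLES = [
    "Hi! Loved your bakery page. Boost rankings at https://akira-seo.example today.",
    "Your store could rank higher, see ServiceWrapGo.example/pricing for plans.",
    "Hello, my name is Akira and I would like a quote for 20 chairs.",
    # Full-width "www" written with escapes; NFKC folds it to ASCII.
    "Visit \uff57\uff57\uff57.useakira.example for a free audit.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(flag_submission(sample))
```

The third sample, a genuine enquiry from a person named Akira, is not flagged because no hostname is involved.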
To bypass CAPTCHA systems like hCAPTCHA and reCAPTCHA, AkiraBot uses Selenium WebDriver to simulate human interaction during website loading. If that fails, it switches to third-party CAPTCHA-solving services such as Capsolver, FastCaptcha, and NextCaptcha.
The bot also uses proxy services—most notably SmartProxy—to mask its activities and evade detection. Logs maintained by AkiraBot indicate that more than 420,000 unique websites have been targeted since its launch, with over 80,000 domains successfully spammed.
Interestingly, the Akira and ServiceWrap SEO services featured in the spam messages have suspiciously consistent 5-star reviews on platforms like TrustPilot—likely AI-generated—while also receiving 1-star reviews labeling them as scams or spam services.
SentinelLabs notes that AkiraBot is a sophisticated and evolving system that has adapted over time to target new platforms and circumvent defenses. They anticipate continued development of the bot as hosting services attempt to combat its spread.