What TikTok’s virtual machine tells us about modern bot defenses
A recent Hacker News post looked at the reverse engineering of TikTok’s JavaScript virtual machine (VM). Many commenters assumed the VM was malicious, designed for invasive tracking or surveillance.But based on the VM’s behavior and string patterns, a more plausible explanation is that it' ... Read More
Fraudulent email domain tracker: May 2025
This is the second edition of our monthly tracker highlighting email domains linked to fraudulent activity. Just like in April’s report, our goal is to equip security and anti-fraud teams with greater visibility into the email infrastructure commonly exploited by bots and fraudsters.What this list includes: The ... Read More
What a Binance CAPTCHA solver tells us about today’s bot threats
In this post, we analyze an open-source CAPTCHA solver designed to bypass a custom challenge deployed on Binance, one of the most popular crypto platforms. While the solver is publicly available, we’ve intentionally chosen not to link to the original repository. The code is minimally documented and was ... Read More
Detecting Hidemium: Fingerprinting inconsistencies in anti-detect browsers
This is the fourth article in our series on anti-detect browsers. In the previous post, we explained how to detect anti-fingerprinting scripts injected via Chrome DevTools Protocol (CDP). Here, we analyze Hidemium, a popular anti-detect browser, and describe how it can be detected.We start with a high-level overview of ... Read More
Detect and crash Chromium bots with one weird trick (bots hate it!)
Disclaimer: If you're here for the holy grail of bot detection, this may not be it, unless your UX strategy involves surprise popups and your marketing strategy involves blocking Google crawlers.We recently stumbled across a bug on the Chromium bug tracker where a short JavaScript snippet can ... Read More
Fraudulent email domain tracker: April 2025
This is the first release in a new Castle series highlighting email domains associated with fraudulent activity. Our goal is to provide visibility into email infrastructure commonly abused by bots and fraudsters, so that security teams can improve their detection systems.Each month, we’ll publish a ranked list ... Read More
Understanding disposable emails
Disposable email addresses are temporary inboxes that allow users to receive messages without linking the address to a long-term identity. Unlike Gmail or Outlook, which are built for ongoing use and personal association, disposable email services are built for anonymity and convenience.Most disposable services require no signup or verification ... Read More
How dare you trust the user agent for bot detection?
In every HTTP request, the user agent header acts as a self-declared identity card for the client—typically a browser—sharing information about the software and platform supposedly making the request. It usually includes details like the browser name and version, operating system, and rendering engine. But crucially, ... Read More
Why traditional bot detection techniques are not enough, and what you can do about it
Bots are often used to conduct attacks at scale. They can be used to automatically test stolen credit cards, steal user accounts (account takeover), and create thousands of fake accounts.Detecting bot activity has traditionally relied on techniques like Web Application Firewalls (WAFs), CAPTCHAs, and static fingerprinting. However, with the ... Read More
Analyzing anti-detect browsers: How to detect scripts injected via CDP in Chrome
This is the third article in our series on anti-detect browsers. In our previous article, we analyzed Undetectable, a widely used anti-detect browser. In this article, we present two effective methods for detecting scripts—especially anti-fingerprinting scripts—that have been injected through the Chrome DevTools Protocol (CDP) in ... Read More
