From Puppeteer stealth to Nodriver: How anti-detect frameworks evolved to evade bot detection
Browser automation tools like Puppeteer, Playwright, and Selenium are widely used for testing, scraping, and other automation tasks. However, because they were not designed with stealth in mind, they often expose detectable ...
What TikTok’s virtual machine tells us about modern bot defenses
A recent Hacker News post looked at the reverse engineering of TikTok’s JavaScript virtual machine (VM). Many commenters assumed the VM was malicious, designed for invasive tracking or surveillance.But based on the ...
Fraudulent email domain tracker: May 2025
This is the second edition of our monthly tracker highlighting email domains linked to fraudulent activity. Just like in April’s report, our goal is to equip security and anti-fraud teams with greater ...
What a Binance CAPTCHA solver tells us about today’s bot threats
In this post, we analyze an open-source CAPTCHA solver designed to bypass a custom challenge deployed on Binance, one of the most popular crypto platforms. While the solver is publicly available, we’ve ...
Castle for Cloudflare: Unified bot and fraud defense, from edge to in-app
Today, May 15, 2025, Castle extends its proven behavioral detection to the network edge through a no-code, fully managed Cloudflare integration.The rise of AI allows attackers to operate faster and better than ...
Detecting Hidemium: Fingerprinting inconsistencies in anti-detect browsers
This is the fourth article in our series on anti-detect browsers. In the previous post, we explained how to detect anti-fingerprinting scripts injected via Chrome DevTools Protocol (CDP). Here, we analyze Hidemium, ...
Detect and crash Chromium bots with one weird trick (bots hate it!)
Disclaimer: If you're here for the holy grail of bot detection, this may not be it, unless your UX strategy involves surprise popups and your marketing strategy involves blocking Google crawlers.We recently ...
Fraudulent email domain tracker: April 2025
This is the first release in a new Castle series highlighting email domains associated with fraudulent activity. Our goal is to provide visibility into email infrastructure commonly abused by bots and fraudsters, ...
Understanding disposable emails
Disposable email addresses are temporary inboxes that allow users to receive messages without linking the address to a long-term identity. Unlike Gmail or Outlook, which are built for ongoing use and personal ...
How dare you trust the user agent for bot detection?
In every HTTP request, the user agent header acts as a self-declared identity card for the client—typically a browser—sharing information about the software and platform supposedly making the request. It usually includes ...
