As Figures 5 and 6 illustrate, CAPTCHA solver services have made it possible for attackers to completely circumvent CAPTCHAs, including Google’s latest version called CAPTCHA Enterprise (not shown here).

The Business of Human CAPTCHA Solvers

In many respects, CAPTCHA solver services operate like any legitimate enterprise, and they are clearly in business to make a profit. While the fees they charge “customers” (attackers) might be considered reasonable, the business model is weighted heavily against CAPTCHA solvers. And with relatively low overhead, the profit margin is attractive.

Isn’t this illegal? Not really. Solving a CAPTCHA isn’t the same as hacking a server or taking over an account. It may be a violation of a site’s terms of service, and it may enable a criminal act (e.g., credential stuffing), but the user of the service is the perpetrator, while the service itself can claim ignorance of its customers’ intentions. Even so, many of these companies are located overseas; 2Captcha, for example, is hosted in Russia.

How Much Does the Service Cost?

2Captcha charges customers different rates depending on the type of solved CAPTCHAs they want to purchase. Traditional CAPTCHAs cost customers $0.75 per 1,000. In comparison, solved reCAPTCHAs cost customers $2.99 per 1,000—almost four times as much as traditional CAPTCHAs (see Figure 7).