In this article, we cover the details of a heavily distributed credential-stuffing attack that targeted a major US financial service company (spoiler: there were some pretty clear signs of device spoofing, as you'll see below). By the end of the bot attack, which lasted 6 days, Castle blocked more than| The Castle blog
Headless Chrome bots powered by Playwright have become a go-to tool for bot developers due to their flexibility and efficiency. Playwright’s cross-browser capabilities, coupled with an API similar to Puppeteer and the lightweight nature of Headless Chrome, make it a powerful choice for tasks like web scraping, credential stuffing,
Every month, we publish a list of fraudulent email domains observed across the websites and mobile apps we protect. See the July 2025 list for a recent example. These domains are tied to fake account creation and other abuse patterns, including: Disposable email services Custom throwaway domains registered explicitly for
Open Bullet 2 is an open-source tool built for credential stuffing attacks, automated attempts to gain access to user accounts using stolen credentials from data breaches. It supports both website and mobile application targets and has become a staple in the fraud ecosystem due to its flexibility, extensibility, and active
Cloudflare recently introduced a new authentication standard, HTTP message signatures, designed to securely verify automated traffic from known bot operators. OpenAI has adopted this standard in its OpenAI Operator product, which allows ChatGPT agents to perform actions on behalf of users. This new approach replaces the traditional method of IP-based
This is the second post in our series on AI bots and their impact on fraud and detection systems. In the first article, we outlined the main categories of bots emerging from the generative AI ecosystem, explained their roles, and showed how each affects detection strategies. We grouped AI-driven automation
AI bots, AI scrapers, AI agents—you’ve seen these terms thrown around in product announcements, Hacker News posts, and marketing decks. But behind the hype, what do these bots actually do? And more importantly, how are they changing the fraud and bot detection landscape? This article introduces
This is the fourth edition of our monthly tracker highlighting email domains linked to fraudulent activity. Just like in June's report, our goal is to equip security and anti-fraud teams with greater visibility into the email infrastructure commonly exploited by bots and fraudsters. What this list includes: The
At Castle, we’ve increasingly embedded LLMs and tools like Cursor into our research workflows, whether we’re prototyping detection techniques, exploring automation fingerprints, or reviewing technical content. These tools help us move faster, focus on the right problems, and reduce overhead in our day-to-day work. We’ve always shared
If you’ve ever visited a site like amiunique.org, browserleaks.com, or pixelscan.net, you’ve probably seen a warning about how “unique” your browser fingerprint is, often followed by a long list of technical attributes related to your browser and your IP address. These
Headless Chrome bots controlled by Selenium remain a staple in the bot developer’s toolkit in 2025. While newer frameworks like Playwright have gained traction, Selenium’s long-standing compatibility, extensive documentation, and integration with testing pipelines keep it popular, especially for automating login, signup, and scraping workflows at
We learned our hiring philosophy the hard way: by getting it completely wrong. After Y Combinator in 2016, we did what you're "supposed" to do. We raised capital. We scaled aggressively, hiring specialists and building redundant teams. But instead of creating a finely tuned machine, we
Most disposable email services are easy to detect. They use obvious domains like tempmail.xyz or tmxttvmail.com, which are widely known and routinely flagged by basic anti-abuse filters. Emailnator is different. While it still provides access to standard temporary inboxes, its most concerning feature is the ability to generate
When it comes to bot and fraud detection, identifying the exact browser being used can be important, especially for privacy-focused browsers like Brave. Tools like Brave implement anti-fingerprinting features (e.g. canvas randomization), which can skew detection results or even cause false positives if misinterpreted. As we discussed here, users
Time zone is a valuable signal in both bot and fraud detection. It's commonly used in browser fingerprinting and can be correlated with other data, like IP geolocation or language preferences, to flag inconsistencies. For example, a user claiming to be in Paris but presenting a system time zone of
Every day, your computer renders dozens of these without you even noticing. Strange patterns, colorful shapes, and emojis—what do you think these are? These are canvas fingerprints, a technique used by the vast majority of websites to fingerprint devices and distinguish humans from bots. What you might not realize
Browser fingerprinting leverages different JavaScript attributes related to the user's device, OS, and browser. When it comes to bot detection, fingerprints can be used as a signature to block attackers, even if they delete their session cookies. Bot detection engines also verify the values of different attributes to verify their
The other day, I bought sneaker proxies by mistake. I know, I know, how do you accidentally buy sneaker proxies? Well, I needed residential proxies for <redacted> purposes and thought, hey, why not treat myself to the premium stuff? Instead of a basic sedan, I’ll get
CAPTCHAs are the most recognizable anti-bot mechanism on the web. Whether you're logging into a game, signing up for a new service, or checking out online, chances are you've been asked to click on traffic lights, solve a puzzle, or interpret distorted letters. These tests—
Every time there's a Hacker News thread about bots, bot detection, or CAPTCHAs, a familiar complaint shows up: people using VPNs, ad blockers, Firefox forks, or privacy tools get bombarded with CAPTCHAs or blocked entirely. It feels like modern anti-bot systems are punishing users just for trying to protect their
This is the first article of a series about anti-detect browsers. In this article, we provide an overview of anti-detect browsers and their main features. We also present the most common fraudulent use cases of these browsers. In the next articles, we’ll deep dive into the techniques they use
Browser automation tools like Puppeteer, Playwright, and Selenium are widely used for testing, scraping, and other automation tasks. However, because they were not designed with stealth in mind, they often expose detectable traces. These can include headless browser markers, inconsistencies in JavaScript APIs, or synthetic input patterns, all of which
In this post, we analyze an open-source CAPTCHA solver designed to bypass a custom challenge deployed on Binance, one of the most popular crypto platforms. While the solver is publicly available, we’ve intentionally chosen not to link to the original repository. The code is minimally documented and was clearly
This is the fourth article in our series on anti-detect browsers. In the previous post, we explained how to detect anti-fingerprinting scripts injected via Chrome DevTools Protocol (CDP). Here, we analyze Hidemium, a popular anti-detect browser, and describe how it can be detected. We start with a high-level overview of
This is the first release in a new Castle series highlighting email domains associated with fraudulent activity. Our goal is to provide visibility into email infrastructure commonly abused by bots and fraudsters, so that security teams can improve their detection systems. Each month, we’ll publish a ranked list of
Disposable email addresses are temporary inboxes that allow users to receive messages without linking the address to a long-term identity. Unlike Gmail or Outlook, which are built for ongoing use and personal association, disposable email services are built for anonymity and convenience. Most disposable services require no signup or verification.
In every HTTP request, the user agent header acts as a self-declared identity card for the client—typically a browser—sharing information about the software and platform supposedly making the request. It usually includes details like the browser name and version, operating system, and rendering engine. But crucially, this identity
Bots are often used to conduct attacks at scale. They can be used to automatically test stolen credit cards, steal user accounts (account takeover), and create thousands of fake accounts. Detecting bot activity has traditionally relied on techniques like Web Application Firewalls (WAFs), CAPTCHAs, and static fingerprinting. However, with the
This is the third article in our series on anti-detect browsers. In our previous article, we analyzed Undetectable, a widely used anti-detect browser. In this article, we present two effective methods for detecting scripts—especially anti-fingerprinting scripts—that have been injected through the Chrome DevTools Protocol (CDP) in Chrome and
The good old days where bots used PhantomJS and could be detected because they didn’t support basic JavaScript features are over. It’s 2025, and the bots have never been as sophisticated as today. They leverage anti-detect automation frameworks, residential proxies and CAPTCHA farms. Even basic bots that leverage
Headless Chrome bots powered by Puppeteer are a popular choice among bot developers. The Puppeteer API’s ease of use, combined with the lightweight nature of Headless Chrome, makes it a preferred tool over its full-browser counterpart. It is commonly used for web scraping, credential stuffing attacks, and the creation
This is the second article of our series about anti-detect browsers. In the first article, we gave an overview of anti-detect browsers, their main features and what they’re used for. In this second article, we do a deep dive into Undetectable, a popular anti-detect browser. We start by providing
In this article, we cover the details of a distributed credential-stuffing attack that targeted the mobile application of a major US on-demand staffing company. By the end of the bot attack, which lasted 4 days, Castle blocked more than 558K malicious login attempts. Credential stuffing attack metrics * Date: from December
In a previous blog post, we talked about canvas fingerprinting, a technique commonly used to detect fraudsters and bots. In this post we'll go deeper on how fraudsters can forge or create fake canvas fingerprints to stay under the radar for typical device fingerprinting techniques. Plus cover some techniques for
Disclaimer: If you're here for the holy grail of bot detection, this may not be it, unless your UX strategy involves surprise popups and your marketing strategy involves blocking Google crawlers. We recently stumbled across a bug on the Chromium bug tracker where a short JavaScript snippet can crash headless