If you’ve typed a series of distorted letters or clicked all the squares with traffic lights to prove you’re human, you’ve interacted with a CAPTCHA. The technology has evolved substantially between 2018 and 2026 — Google’s reCAPTCHA moved through v2, v3, and the enterprise tier; Cloudflare launched the privacy-preserving Turnstile (2022); hCaptcha became a major competitor; and the W3C’s WCAG 2.2 added the Accessible Authentication success criterion (2023) putting accessibility-friendly bot detection in scope as a legal requirement. Alongside the legitimate-defender side, a CAPTCHA-solving services industry exists that uses human workers, OCR, and increasingly machine-learning models to solve CAPTCHAs at scale. This guide covers both sides — what CAPTCHA is, the major types and their tradeoffs, and the leading solving services and their current pricing.
What is CAPTCHA?
CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart.” It’s a security feature meant to prevent automated bots from abusing websites for spam comments, fraudulent account creation, scraping, credential-stuffing, and other automated abuse. Most CAPTCHAs ask the user to perform a task that’s easy for humans but difficult for software — read distorted text, identify objects in images, solve a small puzzle, or simply check a box.
The technology has been a moving target since its mid-2000s mainstream adoption. As bots have improved (especially with modern computer vision and large language models), traditional text-distortion CAPTCHAs have become trivially solvable, pushing CAPTCHA design toward behavioral analysis, device fingerprinting, and challenge formats that lean on context understanding rather than perception alone.
CAPTCHAs also have a recognized accessibility problem — distorted text is often unreadable for users with low vision, audio CAPTCHAs are problematic for deaf users, and image-based puzzles can fail for users with cognitive disabilities. WCAG 2.2 SC 3.3.8 Accessible Authentication (Minimum), added in October 2023, requires that authentication processes (which include many CAPTCHA flows) not rely on cognitive function tests like memorizing a password, transcribing a code, or solving a puzzle, unless an alternative is provided. This pushed many sites toward invisible or behavior-based bot detection rather than visible challenges.
What are the different types of CAPTCHAs?
Text-based CAPTCHAs
The original format — distorted letters and numbers the user types into a field. Once dominant, now mostly retired as modern AI vision models solve them with high accuracy. Some legacy sites still use them for low-stakes content. Pros: simple to implement. Cons: hostile to users with low vision; readily solved by bots in 2026.
Math problems
Simple arithmetic challenges (“What is 4 + 6?”) added to forms. Effective against very simple bots; trivially solvable by any modern automation. Often deployed as a low-friction supplement to a more sophisticated bot-detection layer rather than as a standalone defense. Common on WordPress sites via plugins like WP-Math-Captcha.
Word problems
Variants where the user is asked to type a specific word, identify the color of text, or follow a short instruction. Better than basic text CAPTCHAs for accessibility (no distortion), but increasingly vulnerable to LLM-based solvers that read instructions accurately.
Social media sign-in (OAuth/SSO)
Sign in with Google, Apple, Microsoft, Facebook, X, or LinkedIn (OAuth/SAML/OIDC) bypasses CAPTCHA entirely by relying on the upstream provider’s account-creation friction. Strong fit for B2C sites where users have major-platform accounts; less ideal where privacy is paramount or where the audience doesn’t want to link their identity. Now standard alongside or in place of native account creation.
Time-based detection
Measure how long the user takes to fill out a form. Bots typically submit within milliseconds; humans take seconds to minutes. Often combined with honeypot fields and behavioral analysis. Invisible to legitimate users; effective against simple bot scripts.
Honeypot fields
Hidden form fields that bots see in the markup (and fill in, because they complete every field they detect) but that are not rendered to humans (hidden via CSS display: none or off-screen positioning, with ARIA attributes such as aria-hidden keeping them away from assistive technology). When the hidden field is filled, the submission is rejected. Free, invisible to humans, effective against unsophisticated bots. More advanced bots inspect rendering and skip honeypot fields.
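The time-based and honeypot checks described in the two sections above can share one server-side handler. The sketch below is an added example, not code from any product named here; the field names, thresholds and key handling are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumptions for this sketch: field names, thresholds and key handling.
SECRET_KEY = secrets.token_bytes(32)  # demo key; load a persistent secret in practice
HONEYPOT_FIELD = "website"            # present in the markup but hidden from humans
TOKEN_FIELD = "form_token"            # hidden field carrying the signed render time
MIN_FILL_SECONDS = 3                  # submissions faster than this look scripted
MAX_TOKEN_AGE = 3600                  # reject stale tokens to limit replay


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_form_token(now: float) -> str:
    """Build 'timestamp.nonce.mac' when the form is rendered."""
    payload = f"{int(now)}.{secrets.token_hex(8)}"
    return f"{payload}.{_sign(payload)}"


def check_submission(form: dict, now: float) -> tuple:
    """Return (accepted, reason) for a submitted form."""
    # Honeypot: a human never sees this field, so any value is a bot signal.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot_filled"

    # The render time must come from the server, so verify the MAC before
    # trusting the timestamp; otherwise a client could backdate it.
    parts = form.get(TOKEN_FIELD, "").split(".")
    if len(parts) != 3:
        return False, "token_malformed"
    ts, nonce, mac = parts
    if not hmac.compare_digest(mac.encode(), _sign(f"{ts}.{nonce}").encode()):
        return False, "token_forged"

    # Timing: bots submit almost instantly, humans take seconds to minutes.
    elapsed = now - int(ts)
    if elapsed < MIN_FILL_SECONDS:
        return False, "too_fast"
    if elapsed > MAX_TOKEN_AGE:
        return False, "token_expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions against a form rendered at t=1000.
    token = issue_form_token(1000)
    print(check_submission({TOKEN_FIELD: token, "email": "a@example.com"}, 1012))
    print(check_submission({TOKEN_FIELD: token, HONEYPOT_FIELD: "http://x"}, 1012))
    print(check_submission({TOKEN_FIELD: token}, 1000.2))
```

Returning the same generic error page for every rejection reason keeps a bot author from learning which check fired; the reason string is for server-side logging.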
Google reCAPTCHA v2 — “I’m not a robot” checkbox
Released by Google in 2014. The user clicks a checkbox; reCAPTCHA evaluates browsing behavior, mouse movement, cookies, and other signals to score risk. If the score is uncertain, a follow-up image challenge appears (“Select all squares with crosswalks”). Still widely deployed; free for sites under most usage thresholds.
Google reCAPTCHA v3 (invisible)
Released 2018, runs entirely in the background. Returns a score from 0.0 (likely bot) to 1.0 (likely human) for every action; the site decides what to do at each threshold. No user interaction required. Better UX than v2 but harder to tune (sites have to handle the score explicitly). Free under threshold limits.
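Handling the score explicitly means more than one threshold: the server also has to confirm that the token was issued for this site and for the action being performed. The following is an added example, not Google's code; it takes an already-parsed siteverify response, and the hostname, action names and thresholds are assumptions.

```python
# Assumed policy for this sketch: hostname, action names and thresholds are
# illustrative and would be tuned from a site's own score distribution.
EXPECTED_HOSTNAME = "www.example.com"
THRESHOLDS = {            # action: (allow at or above, step-up at or above)
    "login": (0.7, 0.3),
    "signup": (0.8, 0.5),
    "comment": (0.5, 0.2),
}


def decide(result: dict, expected_action: str) -> str:
    """Map a parsed siteverify response to 'allow', 'step_up' or 'block'."""
    # A failed verification or a token minted on another site is never scored.
    if result.get("success") is not True:
        return "block"
    if result.get("hostname") != EXPECTED_HOSTNAME:
        return "block"
    # Tokens carry the action named by the page; a token obtained for a
    # low-risk action must not be accepted on a higher-risk endpoint.
    if expected_action not in THRESHOLDS or result.get("action") != expected_action:
        return "block"
    score = result.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block"
    allow_at, step_up_at = THRESHOLDS[expected_action]
    if score >= allow_at:
        return "allow"
    if score >= step_up_at:
        return "step_up"   # e.g. email confirmation or a visible challenge
    return "block"


# Constructed responses in the shape siteverify returns for v3.
SAMPLES = [
    ({"success": True, "score": 0.9, "action": "login",
      "hostname": "www.example.com"}, "login"),
    ({"success": True, "score": 0.6, "action": "signup",
      "hostname": "www.example.com"}, "signup"),
    ({"success": True, "score": 0.9, "action": "comment",
      "hostname": "www.example.com"}, "login"),      # action mismatch
    ({"success": False, "error-codes": ["timeout-or-duplicate"]}, "login"),
]

if __name__ == "__main__":
    for response, action in SAMPLES:
        print(action, "->", decide(response, action))
```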
Google reCAPTCHA Enterprise
Launched 2020, Google’s paid enterprise tier built on the same scoring engine as v3 with deeper risk analysis, fraud-prevention add-ons, and account-defender features. Used by large e-commerce and financial services sites. Pricing is usage-based via Google Cloud.
Cloudflare Turnstile
Launched 2022 as a privacy-preserving CAPTCHA alternative. Free for everyone (no usage caps); doesn’t require cookies; works without sending user data to a third party. Often invisible to legitimate users; presents a managed challenge only when needed. One of the fastest-growing CAPTCHA alternatives, particularly among privacy-conscious sites and Cloudflare customers.
hCaptcha
Originally launched 2018 as a privacy-focused reCAPTCHA alternative; became Cloudflare’s default CAPTCHA from 2020-2022 before Cloudflare rolled out Turnstile. hCaptcha pays site operators a small amount for each challenge served (the data trains AI vision systems). Active across millions of sites worldwide.
Arkose Labs (FunCaptcha)
Enterprise-grade interactive CAPTCHA service known for its rotating-image and matching puzzles (FunCaptcha). Used by major social networks (Roblox, EA, Riot Games), financial services, and account-protection platforms. Designed to be costly and time-consuming for bot farms to bypass at scale.
Sweet CAPTCHA
An image-matching CAPTCHA service that was popular around 2014-2016 but became infamous in 2015 after the WordPress plugin was found injecting malicious advertising into host sites (Sucuri research, March 2015). The standalone Sweet CAPTCHA service is no longer recommended; the underlying image-matching pattern lives on in services like Arkose Labs.
Confident CAPTCHA
An image-recognition CAPTCHA where users follow instructions to click specific images. The original Confident CAPTCHA service (~2012-era) has effectively wound down; the click-the-images pattern is now embodied in Google reCAPTCHA v2 challenges and Arkose Labs.
Biometrics, passkeys, and the future of authentication
The authentication frontier has moved largely toward passkeys (FIDO2 / WebAuthn) — cryptographically backed, phishing-resistant authentication using device biometrics (Touch ID, Face ID, Windows Hello) or hardware security keys. Apple, Google, and Microsoft all support passkeys natively across their platforms; major sites including PayPal, eBay, Amazon, GitHub, and others have rolled out passkey support since 2023. For new account flows, passkeys reduce or eliminate the need for traditional CAPTCHA challenges by anchoring identity in a verified device.
Behavioral biometrics (typing cadence, mouse movement, touch patterns) — used by services like BioCatch, Forter, and Sift — provide an invisible bot-detection layer that’s harder to defeat than static CAPTCHAs. These are now widely deployed in financial services and e-commerce alongside or in place of visible CAPTCHAs.
The CAPTCHA-solving economy
Alongside the CAPTCHA-defender ecosystem, a CAPTCHA-solving services industry has existed since the mid-2000s and has expanded substantially with the growth of automated tasks online. The original model relied on low-cost human labor in countries including India, Bangladesh, Vietnam, the Philippines, and parts of Eastern Europe — workers solve CAPTCHAs forwarded via API and the answer returns within seconds. Modern services have shifted toward hybrid models combining human workers, optical character recognition (OCR), and (since the 2022-2024 generative AI wave) computer-vision and LLM-based solvers that can handle even complex image-based CAPTCHAs.
Customers of these services include search-engine optimization tooling, web scraping pipelines, automation scripts, market-research tools, and a substantial gray market of account-creation and credential-stuffing operations. Use of CAPTCHA-solving services typically violates the terms of service of the sites being accessed, and depending on use case may have legal implications (CFAA in the U.S., Computer Misuse Act in the UK, and equivalents elsewhere).
Pricing across the major services has trended downward as AI-based solving has reduced labor costs — typical 2026 pricing is roughly $0.50-$3.00 per 1,000 image CAPTCHAs and $1.00-$3.00 per 1,000 reCAPTCHA v2/v3 or hCaptcha solves, varying by service, volume, and CAPTCHA type. The 2024-2026 wave of LLM-vision integration has also brought non-traditional solvers like CapSolver and NopeCHA into the market.
CAPTCHA-solving services
Anti-Captcha

Anti-Captcha is one of the longest-running CAPTCHA-solving services. CAPTCHAs uploaded via API are routed to a hybrid pool of human workers and AI solvers; results return typically within seconds. Supports image CAPTCHAs, reCAPTCHA v2/v3, hCaptcha, FunCaptcha (Arkose), GeeTest, and other modern formats. Pricing in 2026 generally runs around $0.50-$1.00 per 1,000 image CAPTCHAs and $1.00-$3.00 per 1,000 reCAPTCHA/hCaptcha. Browser extensions for Chrome and Firefox are available alongside the API.
2Captcha

2Captcha is one of the largest and most-used CAPTCHA-solving services, with thousands of workers online at any given time alongside an AI-solver pool. Average response times: a few seconds for image CAPTCHAs, longer for reCAPTCHA v2 image challenges. Pricing is competitive — typical 2026 rates are around $0.50-$1.00 per 1,000 image CAPTCHAs and $1.00-$3.00 per 1,000 reCAPTCHA/hCaptcha solves. Supports most major CAPTCHA types and provides client libraries in PHP, Python, .NET, Java, JavaScript, Go, and others.
Death By Captcha

Death By Captcha (also styled DBC) has been operating since the early 2010s. It combines OCR with human solvers and has API client libraries for most common languages. Pricing typically runs around $1.39 per 1,000 standard CAPTCHAs at the entry tier, dropping for higher-volume plans. Supports image CAPTCHAs, reCAPTCHA, FunCaptcha, and several other formats. Multiple payment options including cryptocurrency.
Captchatronix

Captchatronix is a smaller automated and human-powered solving service. Markets itself toward developers integrating CAPTCHA solving into custom workflows, with API support for cURL, PHP, Python, Perl, VB.NET, and iMacros. Pricing and active status fluctuate; the smaller-scale services tend to come and go in this market more than the major players (Anti-Captcha, 2Captcha, Death By Captcha).
Captchacoder

Captchacoder offers both hybrid (OCR + human) and human-only solving tiers. Historical pricing ranged from $0.59 to $2.40 per 1,000 CAPTCHAs depending on type and tier; verify current rates on the site. Year-round operation with no premium night-shift pricing. The service has historically offered a 15-day money-back guarantee; check current terms.
De-Captcher

De-Captcher is one of the original CAPTCHA-solving services, dating to the late 2000s. Combines OCR and human workers; you only pay for successfully solved CAPTCHAs. Historical pricing around $2 per 1,000 solved; payment options have included Bitcoin and WebMoney. Activity level on the platform has fluctuated; verify current status before committing.
Expert Decoders

Expert Decoders provides standard and premium tiers, with premium accounts offering higher solve rates and dedicated infrastructure. Historical pricing ranged from $1.20 to $3.20 per 1,000 CAPTCHAs depending on tier. The service supports reCAPTCHA v2 and image-based CAPTCHAs, with money-back guarantees historically offered (15-30 days depending on tier). Verify current pricing and feature set.
Imagetyperz

Imagetyperz is a long-running solving service supporting image CAPTCHAs, reCAPTCHA v2/v3, hCaptcha, FunCaptcha, GeeTest, and other modern formats. Real-time service-status reporting on the homepage shows recent solve times and success rates. Historical pricing around $1 per 1,000 standard CAPTCHAs and $2 per 1,000 reCAPTCHA. 24/7 customer support and most major language client libraries available.
Cheap Captcha

Cheap Captcha competes on price as the name implies. Historical bulk pricing around $4.73 per 12,000 CAPTCHAs, $9.87 per 25,000, and $39.49 per 100,000. Supports common APIs and accepts multiple payment methods. As with other smaller services in this category, verify current activity and pricing before committing — the smaller-scale solving services in this market come and go more frequently than the major players.
Bypass Captcha

Bypass Captcha operates on a credit model, where each credit equals one successfully solved CAPTCHA. Historical plan pricing ran from $14 (2,000 credits) up to $630 (100,000 credits). Year-round operation with multiple integrations and no claimed hidden costs. Verify current plan pricing and capabilities before integrating.
Notable newer CAPTCHA-solving services
The 2022-2026 generative-AI wave brought several newer solvers to the market that lean heavily on AI-vision and LLM-based solving rather than primarily human workers:
- CapSolver — AI-driven solver supporting reCAPTCHA, hCaptcha, FunCaptcha, GeeTest, AWS WAF, and other modern formats. Browser extension and API.
- NopeCHA — AI-based browser extension and API focused on reCAPTCHA and hCaptcha.
- AZcaptcha — competing solver with hybrid human-and-AI model.
- SolveCaptcha and CapMonster Cloud — additional services that have grown in this period.
The shift toward AI-based solving has driven prices down across the industry. It has also accelerated the move from static visible CAPTCHAs (text, image-recognition) toward behavior-based and risk-scoring approaches (reCAPTCHA v3, Turnstile, Arkose) that are harder for AI vision to defeat in a single shot.
Bot defense beyond CAPTCHA
CAPTCHAs are one layer in a broader bot-defense stack. Modern sites typically combine several techniques rather than relying on any single layer:
- Rate limiting and throttling. Cap requests per IP, per session, or per account over time windows. Easily defeated by distributed bots but useful as a first filter.
- IP reputation and threat-intelligence feeds. Block known bot IPs, datacenter ranges, and proxy/VPN exit nodes. Services like AbuseIPDB, MaxMind, IPQualityScore, Spur, and IPinfo provide threat-intelligence data.
- Device and browser fingerprinting. Identify revisiting devices via combinations of user-agent, screen resolution, timezone, fonts, canvas rendering, and other signals. FingerprintJS is the leading commercial library; the technique works across sessions even when cookies are cleared.
- Web Application Firewalls (WAF). Cloudflare, AWS WAF, Akamai Bot Manager, Imperva, and Fastly all provide bot-management products that combine fingerprinting, behavioral analysis, and threat intelligence at the edge before traffic reaches the origin server.
- Behavioral biometrics. Mouse movement, typing cadence, scroll patterns, and touch behavior. Services like BioCatch, Forter, Sift, NuData, and Castle profile user behavior to detect bot-like patterns invisibly.
- Account-level signals. Email reputation, phone-number verification, payment-method risk, account age, and prior behavior. MaxMind minFraud, Sift, Riskified, and Signifyd combine these signals for fraud-prevention scoring.
- Proof-of-work challenges. Lightweight cryptographic puzzles (mCaptcha, Friendly Captcha, Cloudflare Turnstile’s underlying mechanism) that take computational effort to solve. Invisible to humans; expensive at scale for bots.
The right combination depends on the site’s threat model — content sites typically need lighter defenses than financial services or e-commerce platforms. The trend has been toward layered, invisible defenses where the user never sees a CAPTCHA unless their behavior triggers a high-risk score.
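The proof-of-work item in the list above rests on an asymmetry: the client spends many hash attempts, while the server verifies with a single hash. This added example is a generic hashcash-style sketch, not the scheme of any product named above; the challenge format, difficulty and in-memory replay set are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # demo key; persistent secret in practice
DIFFICULTY_BITS = 12                  # about 4,096 hash attempts on average


def leading_zero_bits(digest: bytes) -> int:
    """Count zero bits at the start of a digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(bits: int = DIFFICULTY_BITS) -> str:
    """Server side: 'bits.salt.mac', so the client cannot lower the difficulty."""
    payload = f"{bits}.{secrets.token_hex(16)}"
    return f"{payload}.{_sign(payload)}"


def solve(challenge: str) -> int:
    """Client side: brute-force a nonce that meets the stated difficulty."""
    bits = int(challenge.split(".")[0])
    nonce = 0
    while leading_zero_bits(
            hashlib.sha256(f"{challenge}.{nonce}".encode()).digest()) < bits:
        nonce += 1
    return nonce


def verify(challenge: str, nonce: int, seen: set) -> bool:
    """Server side: one MAC check and one hash, however long solving took."""
    parts = challenge.split(".")
    if len(parts) != 3:
        return False
    bits, salt, mac = parts
    if not hmac.compare_digest(mac.encode(), _sign(f"{bits}.{salt}").encode()):
        return False          # challenge was not issued by this server
    if salt in seen:
        return False          # each solved challenge is accepted once
    digest = hashlib.sha256(f"{challenge}.{nonce}".encode()).digest()
    if leading_zero_bits(digest) < int(bits):
        return False
    seen.add(salt)
    return True


if __name__ == "__main__":
    used = set()
    challenge = issue_challenge()
    answer = solve(challenge)
    print("first submit:", verify(challenge, answer, used))
    print("replay:", verify(challenge, answer, used))
```

Each extra difficulty bit doubles the expected client work while verification cost stays constant, which is the lever a site raises for clients that other layers score as risky.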
Frequently asked questions
Are CAPTCHA-solving services legal?
Use of CAPTCHA-solving services typically violates the terms of service of the sites being accessed. Depending on the jurisdiction and use case, it may also have legal implications under laws like the U.S. Computer Fraud and Abuse Act (CFAA), the UK’s Computer Misuse Act, or various anti-bot and anti-fraud statutes. Using these services to access protected systems, evade rate limits, or commit fraud carries real legal risk. Consult counsel for any commercial use case.
What replaced reCAPTCHA v1?
Google’s original reCAPTCHA (the distorted-text version that helped digitize books) was sunset in March 2018 in favor of reCAPTCHA v2 and v3. The text-recognition workload has long since been replaced by computer-vision models that no longer need human assistance for that task.
Why are CAPTCHAs an accessibility issue?
Distorted text is unreadable for users with low vision; audio CAPTCHAs are inaccessible to deaf users; image-based puzzles fail for users with cognitive disabilities; time-based challenges create problems for users with motor disabilities or who use assistive technology. WCAG 2.2 SC 3.3.8 Accessible Authentication (Minimum), added October 2023, requires authentication processes not to rely on cognitive function tests unless an alternative is provided. The U.S. DOJ’s April 2024 Title II final rule (with the April 2026 IFR setting deadlines of April 26, 2027 / April 26, 2028) and the European Accessibility Act (effective June 28, 2025) make WCAG 2.2 conformance a legal requirement for many organizations.
What’s the most accessible bot-detection method?
Modern invisible approaches — Cloudflare Turnstile, reCAPTCHA v3 / Enterprise, behavioral analysis, honeypot fields, and time-based detection — generally avoid creating user-facing barriers. Passkeys (FIDO2/WebAuthn) replace authentication challenges with cryptographic device-bound login that’s phishing-resistant and accessible by design. For organizations subject to WCAG 2.2 / DOJ Title II / EAA, defaulting to invisible bot detection plus passkey-supported authentication is the strongest accessibility-and-security combination.
Can AI bots defeat modern CAPTCHAs?
Increasingly yes, for visual challenges. Studies in 2023-2024 found that vision-language models (GPT-4 Vision, Claude with vision, Gemini) solve traditional reCAPTCHA v2 image challenges at or above human accuracy. This is the main reason CAPTCHA design has shifted toward behavior-based scoring (reCAPTCHA v3, Turnstile) and harder-to-game interactive challenges (Arkose FunCaptcha) rather than relying on perception-only puzzles.
How should I choose between reCAPTCHA, Turnstile, and hCaptcha for a new site?
For most sites in 2026: Cloudflare Turnstile is the cleanest default — free, privacy-preserving, no usage caps, and works without cookies. hCaptcha is a strong alternative with a similar privacy posture and is well-established. Google reCAPTCHA v3 / Enterprise remains widely used and ties into Google’s broader threat-intelligence data, but routes user data through Google. Pick Turnstile if you want privacy-first defaults; reCAPTCHA Enterprise if you need the deepest fraud-prevention features and are already in the Google Cloud ecosystem.
The bottom line
The CAPTCHA landscape in 2026 has shifted decisively away from visible text and image puzzles and toward invisible behavioral analysis, privacy-preserving managed challenges (Cloudflare Turnstile), enterprise risk scoring (reCAPTCHA Enterprise, Arkose Labs), and cryptographic authentication via passkeys. The CAPTCHA-solving services industry that grew up alongside still exists and has consolidated around a handful of major players using hybrid human-and-AI workflows; pricing has trended downward as machine-learning solvers have become more capable. For sites adding bot defense in 2026, defaulting to invisible bot detection plus passkey-supported authentication is the strongest combination of accessibility, user experience, and security — visible CAPTCHAs should be a fallback rather than a default.