What Is a Captcha Farm? How They Work & How to Stop Them
Captcha farms getting past your captcha?
Stop bulk-solved bots with Procaptcha for free today
What is a captcha farm?
A captcha farm is a commercial service that solves CAPTCHAs at scale on behalf of attackers. Farms package the solving pipeline behind a simple HTTP API. The attacker's bot submits the CAPTCHA challenge (an image, an audio clip, a Turnstile widget, a reCAPTCHA site key) and the farm returns a solved token, typically within a few seconds, for a fraction of a cent per solve.
Some farms use human workers paid per solve (often in countries with low wage costs). Others rely on machine-learning models trained on millions of scraped CAPTCHA images and audio clips. The largest operators combine both, routing easy challenges to models and hard ones to humans. From the target website's perspective the CAPTCHA is solved by an apparently valid browser session. The outsourcing is invisible to the vanilla verification API that reCAPTCHA, hCaptcha or Turnstile expose.
How does a captcha farm work?
A modern captcha farm operates as a four-stage pipeline.
- Ingress. An attacker's bot hits a target site, receives the CAPTCHA widget, and forwards the site key (plus challenge image or token) to the farm's API.
- Routing. The farm's dispatcher classifies the challenge type (reCAPTCHA v2 image grid, reCAPTCHA v3 token, hCaptcha visual, Turnstile invisible check, funCAPTCHA, GeeTest slider) and hands it to the right worker pool.
- Solving. For image challenges, a human worker or ML classifier returns the coordinates or answer. For token-based checks (reCAPTCHA v3, Turnstile) the farm typically runs a fingerprinted headless browser at a residential IP and captures the resulting token.
- Return. The solved token is posted back to the attacker's bot, which submits it to the target site. The target verifies the token against Google, hCaptcha or Cloudflare's public endpoint, which confirms it as valid.
Because the farm's browser session is itself real (or looks real), even server-side "was this token issued to a real user" checks pass. This is the reason CAPTCHA-only defences fail against determined attackers.
How much does a captcha farm cost?
Commercial captcha farms publish price lists openly. Typical rates in 2026:
- reCAPTCHA v2 image challenges: $0.50 to $1 per 1,000 solved.
- reCAPTCHA v3 tokens (score-based): $2 to $3 per 1,000, higher for scores of 0.7+.
- hCaptcha: $1 to $3 per 1,000 solved.
- Cloudflare Turnstile tokens: $1 to $2 per 1,000.
- FunCaptcha / Arkose Labs: $2 to $5 per 1,000.
Volume discounts apply above 10,000 solves per hour, and some farms sell dedicated pools of residential IPs and pre-warmed browser profiles as an add-on for another dollar or two per thousand. Compared with the value of the tickets, accounts or scraped data on the other side of the CAPTCHA, these prices are trivial. A scalper who resells one high-demand ticket at £500 mark-up has covered a million captcha-farm solves.
This economic asymmetry is why traditional image CAPTCHAs have stopped functioning as a serious deterrent for attackers with commercial intent.
What captcha farms are used for
Captcha farms are the enabling infrastructure behind several categories of automated abuse:
- Ticket scalping. Bots that buy inventory at high-demand on-sales rely on farms to defeat CAPTCHAs at the queue and checkout.
- Credential stuffing. Attackers testing stolen username and password pairs against login forms outsource the CAPTCHA solving so the attack keeps running unattended.
- Web scraping. Commercial scraping operations use farms to keep collection running against sites that show CAPTCHAs to suspicious IPs.
- Denial of inventory. Bots that add stock to carts to make it unavailable to real shoppers use farms to defeat challenges at the add-to-cart endpoint.
- Fake signups, review spam and referral fraud. Mass-account creation attacks rely on farm-solved CAPTCHAs at the registration form.
The common pattern in each case is the same. The attacker's economics work only because the CAPTCHA cost is low. Raise that cost and the attack becomes unprofitable.
How to stop a captcha farm
There is no single silver bullet against captcha farms, but the effective defence has three properties.
First, make each solve computationally expensive. Image CAPTCHAs are cheap because solving one image is cheap. Proof-of-work CAPTCHAs, in contrast, force the solving device to spend measurable CPU or GPU cycles per attempt, and the difficulty scales with how suspicious the request looks. Prosopo's Procaptcha uses proof-of-work challenges precisely to invert the farm's economics. At low difficulty a real user's browser burns a few milliseconds. A farm running thousands of parallel solves per second sees its per-solve compute cost dominate the whole operation.
Second, look at more than the CAPTCHA response. Even if the token verifies, the surrounding request usually leaks farm characteristics. JA4 TLS fingerprints inconsistent with the User-Agent. Behavioural signals (mouse movement, keystroke timing) that do not match a human session. IP reputation from datacentres and known residential-proxy networks. Prosopo's risk scoring combines these signals with the CAPTCHA verdict, so a farm-solved token is not sufficient on its own.
Third, rate-limit per endpoint, not per session. Farms are built to look like many independent users. Rate limits applied per IP or per cookie assume the attacker plays fair. Per-endpoint budgets (X login attempts per minute, X checkout submissions per second at the given SKU) make it much harder for a farm-backed attack to move fast enough to matter.
Prosopo is committed to combating the misuse of captcha farms by promoting privacy-first CAPTCHA solutions that leverage proof-of-work, behavioural analysis and smart rule-based restrictions.