AkiraBot Targets 420,000 Sites with OpenAI-Generated Spam, Bypassing CAPTCHA Protections
Cybersecurity researchers have uncovered details about an AI-driven platform known as AkiraBot, which is being used to flood website chats, comment sections, and contact forms with spam promoting questionable SEO services like Akira and ServicewrapGO.
According to SentinelOne researchers Alex Delamotte and Jim Walter, “AkiraBot has targeted over 400,000 websites and has successfully spammed at least 80,000 since September 2024.” The bot leverages OpenAI’s technology to craft personalized outreach messages tailored to each website’s content.
Primarily focusing on small to medium-sized business websites, AkiraBot exploits contact forms and chat widgets by deploying spam generated through OpenAI’s large language models (LLMs). What makes this Python-based tool particularly effective is its ability to create content that often evades spam filters.
Initially launched under the name “Shopbot”—likely a nod to Shopify-based websites—the tool has since broadened its reach to include sites built on GoDaddy, Wix, Squarespace, and others that use generic forms or platforms like Reamaze for live chats.
The core function of AkiraBot revolves around using the OpenAI API to generate spam messages. Users can interact with its graphical user interface (GUI) to select target websites and control how many are attacked simultaneously.
“AkiraBot processes a template outlining the type of message to send,” the researchers explained. “It then feeds this template into the OpenAI chat API, which generates a customized message based on the website’s content.”
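A defensive sketch of why exact-duplicate filtering misses spam that is reworded for every site, and which features still tie the submissions together. This is an added example, not code from SentinelOne or from AkiraBot; the sample messages, the `.example` hosts and all function names are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Brand names the article says the spam promotes.
PROMOTED_BRANDS = ("akira", "servicewrapgo")
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)

# Constructed (site, message) contact-form submissions; not real bot output.
SAMPLES = [
    ("bakery.example", "Hi! Loved your sourdough page. Akira can lift your bakery's ranking: https://akira-seo.example/start"),
    ("plumber.example", "Your emergency plumbing service deserves more traffic. Try Akira SEO at https://akira-seo.example/start"),
    ("florist.example", "Beautiful bouquets! ServicewrapGO gets florists to page one. http://servicewrapgo.example"),
    ("bakery.example", "Do you deliver birthday cakes on Sundays?"),
]

def content_hash(message):
    """Exact-duplicate key after case and whitespace normalisation."""
    normalised = " ".join(message.lower().split())
    return hashlib.sha256(normalised.encode()).hexdigest()

def stable_features(message):
    """Features that survive per-site rewording: promoted brand, link host."""
    words = set(re.findall(r"[a-z0-9]+", message.lower()))
    brands = {b for b in PROMOTED_BRANDS if b in words}
    hosts = {h.lower().rstrip(".") for h in URL_HOST_RE.findall(message)}
    return brands, hosts

def flag_campaign(submissions, min_sites=2):
    """Return indexes of submissions that name a promoted brand, or whose
    link host also shows up in submissions to at least min_sites sites."""
    host_sites = defaultdict(set)
    feats = []
    for site, msg in submissions:
        brands, hosts = stable_features(msg)
        feats.append((brands, hosts))
        for h in hosts:
            host_sites[h].add(site)
    flagged = []
    for i, (brands, hosts) in enumerate(feats):
        shared = any(len(host_sites[h]) >= min_sites for h in hosts)
        if brands or shared:
            flagged.append(i)
    return flagged
```

Every sample hashes differently, so a duplicate-content filter sees four unrelated messages, while the brand and link-host features group the first three. A bare brand match on a word like "Akira" can hit legitimate mail, so treat it as a scoring signal rather than a block rule.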

An analysis of AkiraBot’s source code reveals that it uses OpenAI’s gpt-4o-mini model, with the AI designated as a “helpful assistant that generates marketing messages.”
One of the bot’s more advanced capabilities is its ability to bypass CAPTCHA protections—including hCAPTCHA, reCAPTCHA, and Cloudflare Turnstile—enabling it to spam websites at scale. To further evade detection, AkiraBot routes its web traffic through SmartProxy, mimicking legitimate user behavior and masking its origin with rotating proxy hosts typically used in advertising networks.
The bot also logs its operations in a file named “submissions.csv,” which records both successful and failed spam attempts. Analysis of these logs indicates that over 420,000 unique domains have been targeted so far. In addition, AkiraBot tracks the performance of its CAPTCHA bypass and proxy rotation mechanisms, posting success metrics to a Telegram channel via API integration.
In response to the discovery, OpenAI has revoked the API key and associated assets used by the operators.
“The creators have gone to great lengths to ensure AkiraBot can bypass common CAPTCHA systems,” the researchers noted. “This reflects a clear intent to undermine service protections, while also highlighting the growing challenge AI-generated spam poses for website defense.”
This revelation comes as another cybercrime tool, Xanthorox AI, has emerged on the dark web. Marketed as an all-in-one chatbot for cybercriminals, Xanthorox AI offers features such as code generation, malware development, vulnerability exploitation, and data analysis, along with voice-based interaction through live calls or asynchronous voice messages.
According to SlashNext, “Xanthorox AI is powered by five distinct models, each tailored to specific tasks. These models run entirely on local servers controlled by the seller, rather than relying on public cloud services or exposed APIs, significantly reducing the risk of detection, takedown, or tracing.”