Inspiration 💡

Imagine you’re looking for a new pair of headphones. You read through reviews that claim the sound quality is amazing, only to discover later that these reviews were automated—created by bots trained to mimic human language, opinions, and emotions.

This problem is only growing. In recent years, AI has become eerily good at solving CAPTCHAs—the very thing designed to separate humans from bots.

Traditional CAPTCHA testing is outdated. Companies rarely know which CAPTCHAs remain effective against evolving AI threats, nor do they have a real-time leaderboard showing which CAPTCHA types are safest. Instead of waiting for hackers to exploit vulnerabilities, we’re building a live testbed where AI itself uncovers weaknesses—so we can design the next generation of human-friendly, bot-resistant security.

What it does 🧑‍💻

HackTCHA tests how different AI models—like GPT, Google Gemini, Mistral, and Groq—perform against various CAPTCHA types (including text and multi-select image CAPTCHAs). Here’s how it works:

1. User Inputs

  • The user pastes the image URL of a CAPTCHA.
  • The user enters the correct response for that CAPTCHA (e.g., the text in the image, or which squares contain a car).

2. AI Testing

  • Clicking “Test CAPTCHA” launches the AI models to solve the CAPTCHA.
  • Each AI’s response is displayed alongside its accuracy (whether it got it right) and time to respond.

3. Obfuscation Tools

  • If you want to make the CAPTCHA harder, you can add obfuscations:
      --> Random Noise – Distorts the image with Gaussian noise via Python.
      --> Stylization + Warp – Uses OpenCV to give the image an artistic look, then applies a non-linear warp.
      --> Diff-CAPTCHA – A novel approach combining denoising diffusion models, UNet, and style transfer for robust anti-bot CAPTCHAs. https://blowai.com/diffusion-based-captcha-system https://arxiv.org/abs/2308.08367
  • Each obfuscated result is assigned a permalink via the Imgur API (this permalink is stored in a SQLite3 database) and displayed in the left-hand History tab.

4. Version History & Database

  • A sidebar logs each obfuscation step with its own thumbnail.
  • If you want to revert to a previous version, just click that thumbnail.
  • All tests (images + AI responses) are saved in a SQLite3 database for easy reference and analytics.
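
An added example, not HackTCHA's own code: one way the saved test results could be scored and ranked with SQLite so that the most bot-resistant variant comes first. The table layout, the answer-normalization rules (case-insensitive text, comma-separated square numbers), the model names and the sample rows are all assumptions constructed for illustration.

```python
import sqlite3

def normalize(kind, answer):
    """Canonical form of an answer, so formatting differences are not misses."""
    if kind == "multi":  # multi-select: the set of chosen squares, order-free
        try:
            return tuple(sorted({int(p) for p in answer.split(",")}))
        except ValueError:
            return None  # free-text or empty reply: cannot be graded, so a miss
    return "".join(answer.split()).lower()  # text: ignore case and whitespace

SCHEMA = """CREATE TABLE results (
    variant TEXT, kind TEXT, model TEXT,
    expected TEXT, response TEXT, seconds REAL, correct INTEGER)"""

def record(db, variant, kind, model, expected, response, seconds):
    """Grade one solver response against the user-supplied answer and store it."""
    want, got = normalize(kind, expected), normalize(kind, response)
    correct = int(got is not None and got == want)
    db.execute("INSERT INTO results VALUES (?,?,?,?,?,?,?)",
               (variant, kind, model, expected, response, seconds, correct))
    return correct

def leaderboard(db):
    """Variants from most to least bot-resistant (lowest solve rate first)."""
    return db.execute(
        """SELECT variant, COUNT(*) AS n, AVG(correct) AS solve_rate,
                  AVG(seconds) AS mean_seconds
           FROM results GROUP BY variant
           ORDER BY solve_rate ASC, mean_seconds DESC""").fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    rows = [  # constructed sample runs, not measured results
        ("original", "text", "model-a", "xK7pQ", "xk7pq", 1.2),
        ("original", "text", "model-b", "xK7pQ", "xK7 pQ", 0.8),
        ("gaussian-noise", "text", "model-a", "xK7pQ", "xK7pO", 1.5),
        ("gaussian-noise", "text", "model-b", "xK7pQ", "xk7pq", 1.1),
        ("stylize-warp", "multi", "model-a", "2,5,8", "8, 2", 2.0),
        ("stylize-warp", "multi", "model-b", "2,5,8", "squares 2 and 5", 1.6),
    ]
    for r in rows:
        record(db, *r)
    return leaderboard(db)

if __name__ == "__main__":
    for variant, n, rate, secs in demo():
        print(f"{variant:15} runs={n} solve_rate={rate:.2f} mean_s={secs:.2f}")
```

A partial multi-select answer or a reply that is not a list of square numbers is graded as a miss, which keeps chatty model output from inflating the solve rate.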

How we built it 🌲

🔹 Frontend

  • React (JSX) – Main UI framework.
  • Tailwind CSS (via CDN) – Styling the frontend.
  • Lucide-react – Icons (Loader, Check, X, AlertTriangle, etc.).
  • fetch API – Calls Flask backend for CAPTCHA solving & image processing.

🔹 Backend

  • Flask (Python) – Web server handling CAPTCHA processing, obfuscation, and database operations.
  • Flask-CORS – Enables cross-origin requests from frontend to backend.
  • SQLite – Stores CAPTCHA image URLs.
  • UUID – Generates unique filenames for obfuscated images.
  • Pillow (PIL) – Handles image processing.
  • OpenCV (cv2) – Applies obfuscation techniques (noise, blur, warping).
  • NumPy – Performs numerical operations on image arrays.
  • Requests – Fetches CAPTCHA images and uploads to Imgur.
  • Base64 – Converts images for AI processing.
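
An added example, not the project's code: the Gaussian-noise and non-linear warp obfuscations sketched with NumPy alone. The function names, the sinusoidal row shift used as the warp, and the constructed sample image are assumptions; the project's stylization step and its OpenCV calls are not reproduced.

```python
import numpy as np

def add_gaussian_noise(img, sigma, seed=None):
    """Add zero-mean Gaussian noise to a uint8 image and clip back to 0..255."""
    rng = np.random.default_rng(seed)
    noisy = img.astype(np.float64) + rng.normal(0.0, sigma, img.shape)
    return np.clip(noisy, 0, 255).round().astype(np.uint8)

def sine_warp(img, amplitude, period):
    """Shift each row sideways by amplitude * sin(2*pi*y / period) pixels.

    Uses inverse mapping: every output pixel looks up its source pixel,
    so the result has no holes. Sources past the border are clamped.
    """
    h, w = img.shape[:2]
    ys, xs = np.indices((h, w))
    shift = np.rint(amplitude * np.sin(2 * np.pi * ys / period)).astype(int)
    src_x = np.clip(xs - shift, 0, w - 1)
    return img[ys, src_x]

def changed_fraction(a, b):
    """Fraction of pixels that differ: a crude measure of how much was altered."""
    return float(np.mean(a != b))

def make_sample(h=24, w=64):
    """Constructed test image: white background with dark vertical strokes."""
    img = np.full((h, w), 255, dtype=np.uint8)
    img[:, 10::12] = 0
    return img

if __name__ == "__main__":
    base = make_sample()
    # sigma and amplitude are the knobs that trade human readability
    # against solver confusion; sweep them rather than fixing one value.
    for sigma, amp in [(5, 1), (25, 3), (60, 6)]:
        out = sine_warp(add_gaussian_noise(base, sigma, seed=0), amp, 24)
        print(sigma, amp, round(changed_fraction(base, out), 3))
```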

🔹 Image Hosting

  • Imgur API – Uploads and retrieves obfuscated images.

🔹 AI CAPTCHA Solvers

  • OpenAI (GPT-4o)
  • Google Gemini (gemini-1.5-flash, gemini-2.0-flash)
  • Mistral (pixtral-12b-2409)
  • For multi-select CAPTCHAs, the following are also available:
      --> Groq (llama-3.2-90b-vision-preview, llama-3.2-11b-vision-preview)

Challenges we ran into 🔎

  • Imgur: It blocks requests, so we had to force-convert the image to PNG and append it.
  • Rate Limiting: When sending requests to the AI models in our project, we reached rate limits quickly, which made it difficult to test our changes.
  • Obfuscation Complexity: Striking a balance between human readability and AI confusion was difficult. Some of our methods warped images either too much, so that even humans had trouble reading them, or too little, so that AI models were still able to correctly guess the CAPTCHA.
  • Groq: Internal server issues, as well as error messages that came from our use of Imgur URLs in our queries.

Accomplishments that we're proud of 🎯

  • Wireframing on Figma to design an intuitive UI
  • Learning the documentation for different AI models to combine them all in the project
  • Utilizing a state-of-the-art obfuscation model, which we learned about from reviewing recent research papers about CAPTCHAs
  • Iterative development
  • Deployed to Vercel and learned a lot of new technologies

What we learned 👀

  • Learned about collaboration and CI/CD
  • Different obfuscation techniques work better on different types of images and CAPTCHAs, and AI models can be unreliable.
  • AI can beat certain CAPTCHAs more efficiently than we expected, prompting us to keep innovating.
  • How to use Gemini, Groq, and Mistral as we were all beginners

What's next for HackTCHA ✅

  • More CAPTCHA Types: Expand beyond text and image selection to audio CAPTCHAs, puzzle CAPTCHAs, and 3D CAPTCHAs.
  • Enterprise Integration: Offer an API so organizations can plug their own CAPTCHAs into our stress-tester and run daily or weekly scans to keep up with AI evolutions.
  • Accessibility Testing: Explore ways to measure the impact of each obfuscation on visually impaired or dyslexic users, ensuring CAPTCHAs remain inclusive.

Citations (papers we read)

How HackTCHA Aligns with Sponsor Goals 💛

  • Education Grand Prize: HackTCHA aims to provide education about and raise awareness for AI security and adversarial techniques through a hands-on, interactive platform. By integrating easily into virtual classroom demos or work trainings, we’re educating the public about CAPTCHA vulnerabilities and obfuscation.
  • Sustainability Prize: Best prototyping process: We rapidly iterated on our CAPTCHA obfuscation methods—using minimal data and energy—to validate each approach before full-scale deployment. This lean, feedback-driven prototyping process highlights reduced resource consumption and responsible experimentation.
  • Tesla: Excellence Prize: HackTCHA pushes AI excellence with new obfuscation algorithms that test and improve CAPTCHAs against top AI models. Our approach is creative, precise, and efficient, setting new standards in AI security and interpretability, aligning with Tesla’s focus on efficiency and precision.
  • Google Cloud: Best Use of Gemini: HackTCHA leverages the Gemini family of multimodal models to simultaneously handle text-based and image-based CAPTCHAs for robust stress-testing. By tapping into Gemini’s real-time streaming and advanced context capabilities, we can deliver rapid, accurate AI responses to secure websites.
  • Vercel: Most Creative Use of Vercel in Edge AI track: We deployed HackTCHA’s front end on Vercel for lightning-fast global access, integrating edge functions to handle quick CAPTCHA image transformations. This setup ensures minimal latency for AI queries, offering a seamless user experience with a creative spin on web-based AI tasks.
  • Otsuka Valuenex: VALUENEX Big Data Visualization Award: HackTCHA analyzes and visualizes CAPTCHA attack data to reveal AI success patterns and obfuscation effectiveness. Our easy-to-use dashboard makes complex metrics clear, aligning with VALUENEX’s focus on broad data insights.
  • Codegen: Best Developer Tool: HackTCHA’s obfuscation techniques and AI testing routines can be seamlessly integrated into developers’ workflows to bolster product security before shipping. Through easy-to-use endpoints and auto-generated scripts, it empowers dev teams to identify CAPTCHAs’ weak points with minimal friction.
  • DAIN Labs: AI Agent Excellence & Innovation Awards: HackTCHA orchestrates multiple autonomous AI agents that each employ different solving strategies to enable users to see what performs better. Our dynamic agent collaboration, memory storage for past attempts, and adaptive obfuscation illustrate advanced workflow orchestration and responsible AI deployment.
  • Delve: Best Agentic Workflow: HackTCHA’s multi-agent system allows browser-based AI solvers to retrieve CAPTCHA images, analyze them, and respond, all within a streamlined, user-friendly interface. Each agent’s workflow is transparent and modular, exemplifying seamless online interaction and practical task execution.
  • Delve: Most Secure App: HackTCHA fortifies application security by rigorously testing and iterating on CAPTCHAs until they’re resistant to cutting-edge AI models. This iterative approach helps developers close security gaps, ensuring end-users remain protected from bot-driven threats.
  • Delve: Most Intuitive UX: Despite its complex underpinnings, HackTCHA’s interface is clean and straightforward—users can upload a CAPTCHA, run tests, and apply obfuscations in just a few clicks. Interactive visual feedback and version history tracking make advanced security testing feel approachable and streamlined.
  • Groq: Best on Groq Multimodal App Challenge: HackTCHA taps into Groq’s capabilities to handle text and image inputs simultaneously, stress-testing CAPTCHAs with cutting-edge compute. By leveraging Groq for rapid inference across multiple modalities, we demonstrate innovative, high-performance AI that tackles real-world security challenges.
  • Mistral: Best Use of Mistral AI API: HackTCHA integrates Mistral’s advanced language and vision models to evaluate CAPTCHA difficulty and accuracy in tandem. By coupling Mistral with our obfuscation techniques, we can surface the fine-grained strengths or weaknesses of each CAPTCHA design.
  • Neo: Most Likely to Become a Business: HackTCHA solves a pressing problem—bot infiltration—at scale, offering a B2B SaaS model to continuously assess and update CAPTCHA robustness. Its wide market potential, from e-commerce to Web3, positions it for significant growth and real-world adoption.
  • OpenAI: Most Creative Use of OpenAI API: HackTCHA introduces a creative approach: we use the OpenAI API to generate adversarial obfuscations and orchestrate multi-turn agentic CAPTCHA-solving approaches. By mixing GPT’s image reasoning and language processing, we push the boundaries of creative security testing.
  • Paradigm: Best Spreadsheet-Adjacent Hack: HackTCHA stores AI accuracy, response times, and obfuscation details in a live spreadsheet. This direct integration with spreadsheet data not only tracks improvements but also empowers teams to iterate swiftly on CAPTCHA design.
  • Rox: Best Agents Hack: HackTCHA automates CAPTCHA-solving with multi-agent LLM orchestration, employing context fetching, prompt orchestration, and tool calling. Each agent refines its approach based on prior failures, showcasing advanced agentic workflows and complex technical design.
  • Vespa.ai: Best Hack Using a Vision Language Model: HackTCHA uses VLMs for both text-based and image-based CAPTCHA interpretation, measuring their strengths and weaknesses side-by-side. This approach not only tests vision-language understanding but also exposes how adversarial obfuscations can challenge even top-tier VLMs.
  • Warp: Best Developer Tool: HackTCHA provides a robust, developer-centric toolkit for testing and refining CAPTCHA security right within their workflows. With minimal setup, devs can quickly evaluate AI models, apply obfuscations, and iterate, enhancing productivity and bolstering application defense.
