Privacy-First Bot Detection System

DevilsCaptcha

A silent adaptive verification system that detects bots without ever disturbing real users. No annoying checkboxes. No Google tracking. No puzzles for grandma. Just invisible protection that only activates when something actually looks wrong.


The problem with existing solutions

Why not reCAPTCHA or hCaptcha?

Every major CAPTCHA system has a hidden cost that most developers never think about — your users pay it.

reCAPTCHA v3
Tracks users across every website using Google cookies. Blocked in Russia and China. Violates GDPR in strict interpretations. Complete black box — no explanation for blocks.
hCaptcha
Sells every puzzle your users solve as paid AI training data. Your visitors do unpaid labor for machine learning companies without knowing it.
FriendlyCaptcha
Burns user CPU with math puzzles. Punishes people with cheap phones or low battery. No behavioral scoring whatsoever.
Cloudflare Turnstile
Only works well inside Cloudflare's ecosystem. Closed source. Zero developer control over scoring thresholds or flagging reasons.
DevilsCaptcha
No tracking. No Google. No AI training on your users. Open source and auditable. Returns a real score so you decide. Free for small sites. GDPR safe out of the box.

How it works

Three stages. Most users see none of them.

The system runs silently in the background building a risk picture before any challenge ever appears. 90% of real users pass without ever knowing DevilsCaptcha exists on the page.

STAGE 01

Silent observation

Widget loads invisibly. Monitors mouse movement, scroll behavior, typing rhythm, form interaction, and hidden honeypot traps. User sees nothing. Score builds in background.

STAGE 02

Risk scoring

45 signals processed server-side. Natural human behavior lowers score. Suspicious patterns raise it. If score stays low — user passes invisibly, signed token issued automatically.

STAGE 03

Challenge if needed

Only high-risk sessions see a challenge. Medium risk — one simple click. High risk — logic puzzle. Bots that are detected receive a fake success — they think they passed. They didn't.


Detection capability

45 signals. 8 categories. All analyzed server-side.

Every signal is processed on the backend where it cannot be faked from the browser. A signed JWT token is the only proof of passing — and it cannot be forged, reused, or transferred.

  • 45 total detection signals
  • 8 signal categories
  • 7 honeypot trap types
  • 5 min token expiry window

Detection signals

What DevilsCaptcha actually checks

Mouse behavior

6 signals

  • Path naturalness — wobble vs perfect straight lines
  • Speed variation and deceleration near buttons
  • Micro tremor — involuntary movements bots never have
  • Click position offset — humans never click dead center
  • Click hold duration — scripts release instantly
  • Approach angle to clickable elements
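Three of the mouse signals above worked through as an added example (this is not DevilsCaptcha's widget code): a path straightness ratio, speed variation, and a direction-reversal tremor count computed from a sampled pointer path, with a scripted path flagged when it is perfectly straight, constant-speed and tremor-free. The `{x, y, t}` sample format, the two constructed paths and the thresholds in `looksScripted` are assumptions.

```javascript
// Added example, not the DevilsCaptcha widget. Input format is an assumption:
// an array of pointer samples {x, y, t} (t in ms), the last one being the click.
function mousePathSignals(points) {
  if (points.length < 3) return { straightness: 1, speedCv: 0, tremor: 0 };
  let pathLen = 0;
  const speeds = [];
  for (let i = 1; i < points.length; i++) {
    const dx = points[i].x - points[i - 1].x;
    const dy = points[i].y - points[i - 1].y;
    const dt = Math.max(points[i].t - points[i - 1].t, 1);
    const d = Math.hypot(dx, dy);
    pathLen += d;
    speeds.push(d / dt);
  }
  const first = points[0], last = points[points.length - 1];
  const chord = Math.hypot(last.x - first.x, last.y - first.y);
  // Path naturalness: travelled length over straight-line distance (1.0 = perfect line).
  const straightness = chord > 0 ? pathLen / chord : 1;
  // Speed variation: coefficient of variation; a constant-speed script gives ~0.
  const mean = speeds.reduce((a, b) => a + b, 0) / speeds.length;
  const variance = speeds.reduce((a, v) => a + (v - mean) ** 2, 0) / speeds.length;
  const speedCv = mean > 0 ? Math.sqrt(variance) / mean : 0;
  // Micro tremor: direction reversals on either axis between consecutive steps.
  let tremor = 0;
  for (let i = 2; i < points.length; i++) {
    const ax = points[i - 1].x - points[i - 2].x, bx = points[i].x - points[i - 1].x;
    const ay = points[i - 1].y - points[i - 2].y, by = points[i].y - points[i - 1].y;
    if (ax * bx < 0 || ay * by < 0) tremor++;
  }
  return { straightness, speedCv, tremor };
}

// Assumed thresholds: a path that is essentially straight, constant-speed and
// reversal-free is what a scripted pointer move looks like.
function looksScripted(sig) {
  return sig.straightness < 1.005 && sig.speedCv < 0.05 && sig.tremor === 0;
}

// Constructed sample paths: uniform straight-line steps (script) and a wobbly,
// decelerating approach with a small overshoot correction near the target (human).
const scriptedPath = Array.from({ length: 11 }, (_, i) => ({ x: i * 20, y: i * 10, t: i * 10 }));
const humanPath = [
  { x: 0, y: 0, t: 0 }, { x: 18, y: 7, t: 15 }, { x: 41, y: 18, t: 28 },
  { x: 66, y: 29, t: 40 }, { x: 95, y: 44, t: 50 }, { x: 125, y: 61, t: 60 },
  { x: 150, y: 74, t: 72 }, { x: 170, y: 86, t: 86 }, { x: 183, y: 93, t: 102 },
  { x: 191, y: 99, t: 120 }, { x: 194, y: 97, t: 142 }, { x: 196, y: 99, t: 168 },
  { x: 197, y: 100, t: 200 },
];
```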

Keyboard behavior

5 signals

  • Keystroke timing rhythm between each key
  • Key hold duration per keystroke
  • Backspace and correction usage — bots never fix mistakes
  • Copy paste detection — zero millisecond fill means script
  • Typing speed variation — humans speed up and slow down

Touch behavior — mobile

4 signals

  • Touch pressure variation across contact surface
  • Finger roll on and off screen vs instant point
  • Touch contact area size — real finger always varies
  • Swipe naturalness and momentum curve

Scroll behavior

4 signals

  • Scroll velocity and natural momentum deceleration
  • Reading pause detection — humans stop mid scroll
  • Back scroll — humans re-read, bots never do
  • Scroll direction changes and rhythm

Session and time

4 signals

  • Time between page load and first interaction
  • Total session duration before form submission
  • Time spent per individual form field
  • Idle periods — humans pause to think, bots don't

Form behavior

4 signals

  • Field fill order — natural reading order vs surgical jump
  • Tab vs click navigation between fields
  • Field edit and correction patterns
  • Autofill detection and consistency check

Device and environment

7 signals

  • WebGL GPU — headless returns generic info
  • Timezone vs IP geolocation mismatch
  • Datacenter IP range detection — AWS, GCP, DO
  • Browser header consistency check
  • Font rendering — headless browsers have missing fonts
  • Touch support vs claimed device type
  • Screen resolution vs real device sizes

Honeypot traps

7 trap types

  • Hidden text fields off screen — humans never see them
  • Hidden checkbox that must stay unchecked
  • Hidden slider that must stay at zero
  • Invisible decoy buttons bots click automatically
  • Fields named to attract bots — email2, confirm-phone
  • JS injected traps with random delay
  • Dynamic rotation every page load — bots cannot hardcode avoidance

What makes it different

Features no other free CAPTCHA has

Unique feature 01

Bot confusion mode — silent failure

When a bot is detected, DevilsCaptcha does not block it loudly. The bot receives a fake success response — it thinks it passed. The attacker sees no error, no block, no signal that their bot failed. They keep running it. The data goes nowhere. This wastes their time and resources while giving them zero information about your defenses. reCAPTCHA blocks loudly and tells attackers to improve their bot. DevilsCaptcha lets them think they won.

Unique feature 02

Form-aware protection

Every other CAPTCHA sits separately from the form. DevilsCaptcha watches HOW the form is filled — tab order, field jump patterns, time between fields, whether the user went back to correct something. A bot that passes the behavioral check can still fail on the form interaction analysis. No standalone CAPTCHA product does this properly.

Unique feature 03

Bot farm replay detection

Across all sessions, the backend compares behavioral pattern hashes. If ten sessions in one hour show the exact same mouse timing curves and keystroke intervals, that is a bot farm running the same script. No human population ever shows microsecond-level similarity. This cross-session detection is only possible from a centralized service — which is why no self-hosted library can do it.

Unique feature 04

API route protection

Most websites have API endpoints that bots hit directly, completely bypassing any form or browser interaction. DevilsCaptcha issues short-lived signed tokens that prove a request originated from a real browser session. Your API endpoints verify the token. No other standalone CAPTCHA product extends protection to direct API routes.


Developer integration

Two lines to add. One endpoint to verify.

Website owners add one script tag. DevilsCaptcha handles everything silently. When needed, call the verify endpoint and get a real score back — not just pass or fail.

<!-- Step 1: Add to your page -->
<script src="https://cdn.devilscaptcha.dev/widget.js"></script>
<div class="devils-captcha" data-site-key="YOUR_KEY"></div>

// Step 2: Verify on your backend
// userToken is the token the widget submitted along with the form
const response = await fetch("https://api.devilscaptcha.dev/verify", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({ token: userToken })
});
const result = await response.json();

What you get back — a real score, not a black box:

{
  "verified": true,
  "score": 23,
  "risk": "low",
  "signals_triggered": ["natural_mouse", "normal_timing", "no_honeypot"],
  "token_valid": true,
  "expires_in": 287
}

Current build status

What is done. What is being built.

  • System architecture: Concept finalized — how widget, backend, and token flow connect. Status: ✓ Concept Ready
  • Signal research and documentation: 45 signals researched and listed across 8 categories. Status: ✓ Research Done
  • Honeypot engine design: 7 trap types planned — dynamic rotation logic designed. Status: ✓ Concept Ready
  • Scoring algorithm design: Risk scoring concept designed — weighted signals, 3 risk levels. Status: ✓ Concept Ready
  • Widget JavaScript: Frontend signal collector — browser-side detection code. Status: ⚙ In Progress
  • Backend token server: Cloudflare Workers — scoring engine and JWT issuance. Status: ◯ Planned
  • Public verify API: Endpoint for third-party website backend verification. Status: ◯ Planned
  • Developer dashboard: Score analytics, signal breakdown, site management. Status: ◯ Planned
  • Community trust network: Cross-site anonymous behavioral pattern sharing. Status: ◯ Planned