
Unmasking Greasy Opal: The Controversial CAPTCHA Solver Empowering Cybercriminals

CyberSecureFox Editorial Team

Arkose Labs has published a detailed profile of a threat actor known as Greasy Opal — a Czech-based software developer who has operated a commercial CAPTCHA-solving toolkit for over two decades, generating more than $1.7 million in annual revenue by selling automated account-fraud capabilities to cybercriminal groups. The Microsoft Security blog previously documented one of Greasy Opal’s primary customers: Storm-1152, which used the toolset to register approximately 750 million fake Microsoft accounts in 2023.

Twenty Years of CAPTCHA Bypass Development

Greasy Opal’s toolkit has been active since at least 2008, when it could already bypass Microsoft’s Hotmail CAPTCHA implementation. The developer’s official website appeared in 2016, but internal software analysis shows the underlying OCR engine predates that significantly. The tool is built on custom Optical Character Recognition technology and machine learning models developed personally by the operator — not off-the-shelf libraries — giving it an accuracy advantage over commodity CAPTCHA-solving services.

Tool Capabilities and Pricing Structure

Greasy Opal markets the toolkit as “the world’s best CAPTCHA solver” and offers tiered licensing:

  • Free tier — lower accuracy, limited functionality
  • Premium tier — 90–100% accuracy, sub-second object recognition, $70 base + $10/month subscription
  • Beta access — additional $100 on top of the premium tier
  • Full toolkit — $190 + $10/month, restricted installation count
  • Business package — $300, expanded installation allowance

The developer files taxes and maintains a public-facing business presence, operating in a legal gray zone that has allowed activity to continue for years without prosecution despite the toolset’s documented use in criminal campaigns.

Storm-1152 and Targeted Platform Attacks

Post-takedown analysis of Storm-1152’s infrastructure revealed that the Greasy Opal toolkit was customized for specific platform targets, including Amazon, Apple, Steam, and WhatsApp account creation flows. Government systems were also in scope: Russian public services portals, the Brazilian Ministry of Infrastructure, and the U.S. State Department’s Bureau of Consular Affairs were among the identified targets. This breadth indicates the developer actively updates attack modules as target platforms modify their CAPTCHA implementations.

Platforms and Organizations Targeted by Greasy Opal Customers

Any platform relying on CAPTCHA as a primary defense against automated account creation is a potential target for Greasy Opal customers. Consumer services with email or social account registration, government e-service portals, financial institution onboarding flows, and e-commerce platforms are all represented in the documented target set. Organizations using third-party CAPTCHA providers — including reCAPTCHA and hCaptcha — face elevated risk when the solving tool includes updated modules for those specific implementations.

Defending Against Commercial CAPTCHA-Solving Attacks

  • Treat CAPTCHA as a friction layer, not a security control — implement device fingerprinting, behavioral analysis, and velocity limiting as primary defenses.
  • Correlate registration and login events with downstream fraud signals (account takeover patterns, bulk messaging, credential stuffing velocity) rather than trusting CAPTCHA completion alone.
  • Evaluate bot detection platforms that use behavioral biometrics and session-level risk scoring rather than static challenge-response.
  • Monitor for bulk account creation from shared infrastructure — Greasy Opal customers typically operate from residential proxy networks to evade IP-based blocks.
  • Review Arkose Labs’ published Greasy Opal indicators to identify whether your platform’s specific CAPTCHA implementation is listed as a targeted module.
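
The velocity-limiting and shared-infrastructure points above can be checked against registration logs. The following is an added example, not code from Arkose Labs or this article: it counts signups per sliding window keyed first by IP and then by device fingerprint, over constructed events in which every request passed CAPTCHA and arrived from a different address. The field layout, the 10-minute window and the threshold of 5 are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample registration events (not real data); all passed CAPTCHA.
# Fields: epoch seconds, client IP, device-fingerprint hash (hypothetical layout).
EVENTS = (
    # Eight signups in under three minutes, one fingerprint, eight different IPs
    [(1000 + 20 * i, f"198.51.100.{i + 1}", "fp-a1") for i in range(8)]
    # Ordinary traffic: distinct devices, widely spaced
    + [(1030, "203.0.113.7", "fp-b2"),
       (1400, "203.0.113.9", "fp-c3"),
       (9000, "203.0.113.7", "fp-b2")]
)

def velocity_clusters(events, key, window_s=600, threshold=5):
    """Return {key_value: peak signups in any window_s span} for keys reaching threshold."""
    recent = defaultdict(deque)  # key value -> timestamps still inside the window
    peak = defaultdict(int)
    for ev in sorted(events):    # process in time order
        ts, k = ev[0], key(ev)
        q = recent[k]
        q.append(ts)
        while q[0] <= ts - window_s:  # expire timestamps older than the window
            q.popleft()
        peak[k] = max(peak[k], len(q))
    return {k: n for k, n in peak.items() if n >= threshold}

def distinct_ips(events, fingerprint):
    """Number of different source IPs observed for one device fingerprint."""
    return len({ip for _, ip, fp in events if fp == fingerprint})

# Per-IP velocity sees one signup per address and flags nothing.
by_ip = velocity_clusters(EVENTS, key=lambda e: e[1])
# Per-device velocity groups the same signups into one cluster.
by_device = velocity_clusters(EVENTS, key=lambda e: e[2])

if __name__ == "__main__":
    print("per-IP clusters:    ", by_ip)
    print("per-device clusters:", by_device)
    for fp, n in by_device.items():
        print(f"{fp}: {n} signups from {distinct_ips(EVENTS, fp)} distinct IPs")
```

A flagged fingerprint with a high distinct-IP count is a candidate for the downstream fraud correlation described in the second bullet, not a verdict on its own.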

Greasy Opal’s longevity demonstrates that gray-market CAPTCHA-solving infrastructure operates on the same development cycle as legitimate software — continuous updates, customer support, and pricing tiers — which outpaces the response time of platforms that update CAPTCHA implementations infrequently. Microsoft’s Storm-1152 takedown disrupted one customer group but did not affect the Greasy Opal toolkit itself, which remains commercially available.

