Not All CAPTCHAs Are Created Equal
After spending months testing various CAPTCHA-solving approaches — from free vision models to paid APIs — one pattern became clear: the type of CAPTCHA matters more than the solver. Research from the Halligan project (USENIX Security 2025) on generalised visual CAPTCHA solving showed that different CAPTCHA families require fundamentally different approaches, and the best solver for one type can completely fail on another. Using the wrong approach for the wrong CAPTCHA type is like using a hammer on a screw. It sort of works, but the results are frustrating.
This article breaks down every major CAPTCHA type, which ones AI vision models can handle today, and which ones genuinely need a different approach. If you’re building automation and wondering why some CAPTCHAs are easy and others impossible, this is the reference you need.
Text-Based CAPTCHAs (Where Vision Models Shine)
These are the classic distorted text images — 4-6 characters, usually digits or alphanumeric, with background noise, wavy lines, and colour variations.
| Sub-type | Vision Model Accuracy | Notes |
|---|---|---|
| Clean digits, high contrast | ~100% (3-pass vote) | Trivial for modern VLMs |
| Wavy line + noise | ~70% (3-pass vote) | Preprocessing essential |
| Heavy speckles + overlapping lines | ~25% | Vision models struggle — consider paid service |
| Colour gradients + 3D text | ~50-80% | Blue channel extraction helps |
| Handwritten digits | ~60-85% | Highly variable by handwriting style |
Best approach: Vision model with preprocessing (remove wavy lines, median filter) + 3-pass majority vote. This is the one CAPTCHA type where the free DIY approach genuinely competes with paid services.
Image Selection CAPTCHAs (reCAPTCHA v2)
“Select all images with traffic lights” or “Click squares containing a crosswalk.” These are the most common type on the modern web.
Vision models can identify the objects in each tile (traffic light, crosswalk, bus) with high accuracy — object detection is one of their core strengths. The challenge is UI interaction: clicking the right tiles in the right order, handling the refresh when you get one wrong, and managing the multi-round validation.
Best approach: Paid CAPTCHA solving service. While a vision model can identify the objects, the interaction flow (clicking tiles, managing rounds, handling refreshes) makes DIY solving unreliable. Services handle this natively.
Invisible CAPTCHAs (reCAPTCHA v3 / v2 Enterprise)
reCAPTCHA v3 doesn’t show any challenge at all. It assigns a score (0.0 to 1.0) based on user behaviour, browser signals, and browsing history. If your score is below a site-defined threshold, your request is silently blocked or rate-limited.
Vision models are useless here — there’s nothing to see. The battle is entirely about browser fingerprint, IP reputation, and behavioural patterns.
Best approach: browser fingerprint spoofing (WebGL, canvas, audio context), realistic mouse movements (human-like curves and pauses, not straight lines), residential proxies for warm IP reputation, and maintaining persistent sessions with cookies and local storage.
Audio CAPTCHAs
These play a distorted audio clip of spoken digits or letters. Originally designed for accessibility, they’re increasingly used as a secondary challenge.
Speech-to-text models (Whisper, Deepgram, AssemblyAI) can transcribe audio CAPTCHAs with good accuracy — often 80-95% for clear speech, dropping to 40-60% for heavily distorted clips. The main limitation is that the audio is deliberately noisy, speed-altered, or mixed with background sounds.
Best approach: Whisper (open-source, runs locally) or a speech-to-text API. Accuracy varies significantly — test against your specific audio CAPTCHA before relying on it.
Behavioural Challenges (Cloudflare Turnstile, DataDome)
These don’t show a puzzle at all. They analyse mouse movements, scroll behaviour, keystroke timing, and browser interaction patterns to determine if a real human is present. Cloudflare Turnstile, in particular, is invisible to humans but blocks many automated tools.
There’s no image to analyse, no text to read — so vision models can’t help. The solution is simulating human-like behaviour rather than solving a challenge.
Best approach: A combination of realistic interaction simulation (human-like mouse curves, random delays, tab switching), browser fingerprint spoofing, and residential proxies. Some paid services have specialised Turnstile solving.
Puzzle CAPTCHAs (GeeTest, FunCaptcha)
These require you to slide a puzzle piece into position, rotate an image, or match objects. GeeTest shows a slider puzzle where you drag a piece to fill a gap. FunCaptcha asks you to select the correct orientation of an image.
Vision models can analyse the puzzle and identify the correct position. For GeeTest sliders, the model can calculate the exact pixel offset needed. The challenge is executing the drag with pixel-perfect precision — too slow or too fast and the system flags it as a bot.
Best approach: Paid service with native GeeTest/FunCaptcha support. While a vision model can calculate the correct answer, executing the interaction with sufficient human-like precision requires specialised tooling.
Quick Reference: Which Solver for Which CAPTCHA
| CAPTCHA Type | Best Free Approach | Best Paid Approach |
|---|---|---|
| Text-based (distorted numbers/letters) | Vision model + preprocessing + majority vote | NoCaptcha AI / 2captcha |
| Image selection (reCAPTCHA v2) | Vision model (partial — object ID works, interaction fails) | CapSolver / 2captcha |
| Invisible scoring (reCAPTCHA v3) | Fingerprint spoofing + proxy rotation | Not applicable (behavioural fix) |
| Audio challenges | Whisper (local, open-source) | Speech-to-text API |
| Behavioural (Cloudflare Turnstile) | Human-like interaction simulation | Specialised anti-detect browsers |
| Puzzle slider (GeeTest) | Vision model + pixel calculation (partial) | CapMonster / 2captcha |
Why This Matters for Your Automation
The biggest mistake we see is developers trying one CAPTCHA-solving approach for everything. They buy a 2captcha subscription and wonder why it doesn’t help when Cloudflare Turnstile blocks their agent. Or they spend days tuning a vision model for text CAPTCHAs and then hit a reCAPTCHA v3 page where there’s nothing to read.
The right strategy is type detection first, solving second. Your automation pipeline should identify the CAPTCHA type before choosing a solver. A simple classifier can detect the type in milliseconds, then route to the appropriate handler. This saves time, money, and frustration.
At AutoRunBiz, we build automation systems for Malaysian SMEs that handle CAPTCHAs intelligently — detecting the type and applying the right solver instead of hammering every problem with the same tool. Book a free 15-minute ops audit to see how we handle the messy edge cases that off-the-shelf tools miss.
