AkiraBot: An AI-Powered Web Spam Tool


Summary
CRIL reviewed a blog post by SentinelOne describing AkiraBot, a new tool for sending spam through website contact forms and chat widgets, mostly targeting small and mid-sized businesses. It uses AI to create custom messages that promote a shady SEO service, making each message look different to avoid spam filters. The tool also rotates the websites it links to, which helps it stay under the radar.
AkiraBot is designed to bypass CAPTCHA protection and hide its traffic using proxy services often used by advertisers but also misused by cybercriminals. Although the name might suggest otherwise, AkiraBot has no connection to the Akira ransomware group—it just uses "Akira" as part of its fake SEO brand.
Technical Analysis
AkiraBot, active since at least September 2024, is a Python-based spam tool originally known as "Shopbot" because it targeted Shopify websites. It later expanded to other platforms used primarily by small to medium-sized businesses, such as GoDaddy, Wix, and Squarespace.
AI-Generated Spam Content
The bot uses GPT-4o-mini via OpenAI’s API to generate unique, context-aware messages by scraping content from target sites using BeautifulSoup. These messages are posted to contact forms and live chat widgets (e.g., Reamaze) to promote shady SEO services under the names “Akira” and “ServiceWrap.”
CAPTCHA Evasion
AkiraBot includes advanced CAPTCHA bypass techniques using headless Chrome, Selenium, and injected JavaScript. It modifies browser fingerprints to mimic real users and defeats reCAPTCHA, hCaptcha, and Cloudflare protection using services like Capsolver and NextCaptcha.
Proxy Usage and Network Evasion
The tool routes its traffic through SmartProxy, helping it hide its origin and rotate IP addresses to avoid detection. All versions analyzed use the same proxy credentials, indicating a single actor behind the operation.
Logging and Monitoring
Spam attempts and outcomes are logged in CSV and TXT files. Telegram bots are used to report metrics, manage proxy rotations, and update CAPTCHA bypass statuses in real time using monitor.py scripts and JavaScript injections.
Scale of Operations
As of January 2025, logs showed over 420,000 targeted domains, with more than 80,000 successful spam submissions. Only about 11,000 failed attempts were recorded.
Infrastructure and Domain Analysis
Spam domains are frequently rotated. Older domains like akirateam[.]com and goservicewrap[.]com were tied to known malicious infrastructure, including malvertising campaigns and banking trojans. There are suspicious connections to unj[.]digital, a digital marketing firm.
Fake Reviews and SEO Branding
Trustpilot reviews for “Akira” and “ServiceWrap” suggest review manipulation. Many 5-star reviews follow a consistent style, likely AI-generated, to build legitimacy. Some 1-star reviews accuse the services of spamming or being fraudulent.
Key Technical Details of the AkiraBot Campaign
| Category | Details |
| --- | --- |
| Target Platforms | Shopify, GoDaddy, Wix, Squarespace, general contact forms |
| Primary Targets | Small and medium-sized business websites |
| Spam Method | Website contact forms and Reamaze chat widgets |
| Message Generation | Uses OpenAI GPT-4o-mini with scraped site content via BeautifulSoup |
| CAPTCHA Evasion | Headless Chrome, Selenium, inject.js, CAPTCHA-solving services like Capsolver, etc. |
| Proxy Usage | Uses SmartProxy with the same credentials across all versions |
| Spam Logging | Logs to CSV/TXT files; over 420,000 domains targeted, ~80,000 successful submissions |
| Monitoring Tools | Telegram bots for tracking, proxy rotation via iproxyonline |
| GUI Features | Supports multi-threading, target selection, and result tracking |
| Domain Infrastructure | Uses rotating domains like akirateam[.]com, linked to known spam/malvertising hosts |
| Review Manipulation | Likely fake Trustpilot reviews for Akira/ServiceWrap to boost legitimacy |
| Detected Archives | Multiple versions with varied names (e.g., shopbotpyv2, wixbot, NextCaptchaBot-v6) |
| Operating System | Likely Windows Server (based on admin path usage) |
Recommendations
Deploy content filtering systems enhanced with AI/ML to flag unusual or synthetic message patterns. Combine this with monitoring tools that alert on form/chat misuse or sudden spikes in message volume.
Update blocklists regularly with domains associated with Akira and ServiceWrap SEO spam campaigns. Use domain reputation services and threat intelligence feeds to flag suspicious links.
Apply strict rate-limiting on contact forms and chat widgets and deploy bot detection tools that can identify abnormal behaviors such as rapid submissions or unusual browser fingerprints.
Use advanced and adaptive CAPTCHA solutions like reCAPTCHA Enterprise or hCaptcha Pro, and regularly update configurations to detect headless browser traffic and automation frameworks like Selenium.
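The blocklist and rate-limiting recommendations above can be combined in a single server-side check on each form submission. The sketch below is an added example, not code from SentinelOne or from the original post; the `FormGate` class, its thresholds, and the sample messages in the test are assumptions, and the only real indicators used are the two domains named on this page.

```python
import re
from collections import deque
from urllib.parse import urlsplit

# Domains named on this page, kept defanged as published and refanged at load.
BLOCKLIST_DEFANGED = ["akirateam[.]com", "goservicewrap[.]com"]
BLOCKED = {d.replace("[.]", ".").lower() for d in BLOCKLIST_DEFANGED}
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)

def linked_hosts(message):
    """Return the lower-cased hostname of every URL found in a form message."""
    hosts = set()
    for raw in URL_RE.findall(message):
        raw = raw.rstrip(".,;:!?)")  # drop sentence punctuation glued to the URL
        try:
            host = urlsplit(raw if "://" in raw else "http://" + raw).hostname
        except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
            continue
        if host:
            hosts.add(host.rstrip(".").lower())
    return hosts

def is_blocked(host):
    """Match the host itself or any parent domain against the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED for i in range(len(labels)))

class FormGate:
    """Hypothetical gate: link blocklist plus a per-form sliding window.
    The window is keyed on the form, not the client IP, because the bot
    rotates source addresses through a proxy service."""
    def __init__(self, max_per_window=5, window_s=600):  # assumed thresholds
        self.max, self.window, self.seen = max_per_window, window_s, {}

    def check(self, form_id, message, now):
        bad = sorted(h for h in linked_hosts(message) if is_blocked(h))
        if bad:
            return "reject:blocklisted-link:" + ",".join(bad)
        q = self.seen.setdefault(form_id, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return "hold:volume-spike" if len(q) > self.max else "accept"
```

Because the message text is unique per submission, the check keys on the linked domain rather than on wording, and a volume spike only holds messages for review so a busy legitimate form is not silently dropped.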
Conclusion
AkiraBot is a rapidly evolving spam framework that continues to adapt to new website platforms and defenses. Its advanced CAPTCHA bypass techniques show the operator’s strong intent to exploit online services at scale. The use of AI-generated spam messages makes detection harder, as each message is unique. The most consistent indicators for blocking remain the rotating domains linked to the Akira and ServiceWrap SEO scams.
