Decentralized, privacy-preserving malicious traffic protection with hCaptcha

    26 March 2021. Written by Daniel Hwang

    f2pool has made the switch from reCaptcha to hCaptcha to block malicious automated traffic.


    f2pool has made the switch from reCaptcha to hCaptcha to block malicious automated traffic, all while:

    • Maintaining user privacy
    • Supporting all regions around the world
    • Assisting accessibility challenges

    Until recently, we used reCaptcha for malicious traffic mitigation. However, due to a variety of issues and concerns with user privacy, payment schemes, geographic limitations, and accessibility issues, we now support and use an alternative CAPTCHA service: hCaptcha.


    CAPTCHA services, or “Completely Automated Public Turing Test to Tell Computers and Humans Apart,” help companies mitigate and block malicious automated traffic (bots) through challenges. The CAPTCHA Turing test provides a valuable and scalable solution to ensure access is provided to humans and not bots. These tests should be easy for humans but difficult for bots. These types of tasks include things like identifying obscured images of buses, traffic lights, and other trivial images that are usually only easy to discern via context clues.

    Problems with reCaptcha

    Our issues with reCaptcha have been with changing business models that are beginning to require pricing tiers, concerning privacy practices, and geographic inaccessibility. Although it began as a free service, reCaptcha has begun to charge, at scale, for their services—which is completely within their rights. However, at the expense of targeted advertising and the privacy concerns it brings, this change has encouraged us to be cautious on behalf of our users. The provision of identification and free access to our data for machine learning services are some examples. Finally, the geoblocking issues that reCaptcha enforces for many specific regions our clients are located in motivated us to look for other solutions.

    Benefits of hCaptcha

    hCaptcha is an alternative to reCaptcha that protects privacy by default and does not geoblock by location. The temptation of collecting more and more data is a significant one for services provided by CAPTCHA and has served to provide potentially massive, distributed data aggregation and targeted advertising.

    However, when websites use Google’s reCaptcha services, users who interact with them have their data presented to the search engine provider for tracking purposes, as well as to conveniently serve their machine learning data labeling models. hCaptcha, however, does not care about user identification and will not go to the lengths of user data identification and aggregation. hCaptcha also supports privacy-preserving initiatives like Privacy Pass! (Privacy Pass is a standard that allows users to cryptographically sign once on a website requiring CAPTCHA and have that authentication endure for that user, drastically reducing the friction of CAPTCHA use).

    hCaptcha provides its services in a trustless and decentralized manner befitting our services in the blockchain industry. It uses Human Protocol, an “open and decentralized protocol for human review that runs on Ethereum”—essentially decentralized labor pools with appropriate trustless incentive mechanisms. Websites like ours that use hCaptcha earn HMT tokens. Further, the data from hCaptcha challenges can be labelled by machine learning companies that pay using HMT tokens. In a decentralized and privacy-preserving manner, the reward cycle evokes the principles we hold as a blockchain infrastructure provider and allows us to use a service that solves the problems we were having with reCaptcha.

    To summarize, our use of hCaptcha will provide:

    • Privacy in accordance with GDPR- and CCPA-friendly privacy policies. “This unique focus on privacy means that we can offer zero individual data retention, cookie-free operation, and other contractual privacy guarantees as required while maintaining excellent security.” - botstop by hCaptcha
    • Decentralization and transparency via the Human Protocol incentivization scheme: Incentivization for the data marketplace and adoption and the protocol clearly shows which data is sent where: “Don’t trust, verify.”
    • Complete geographic access: No more geoblocking of certain regions

    To this end, we are happy to announce that we have chosen to use hCaptcha to provide our users with a quality experience, and we are excited to embrace the use of decentralized services like hCaptcha. We value data sovereignty and privacy. It has been about eight years since f2pool was established, and we have always stayed on the side of blockchain integral components. We have secured blockchain infrastructure layers (adding new coins, such as decentralized domains, storage, and so on) and have also played an active role in adopting new applications of blockchain technology. In the end, we want to provide the best service possible for all of our customers.

    Resources of interest:

    Written by Daniel Hwang

    Daniel Hwang