A sophisticated AI-powered spam campaign, dubbed "AkiraBot," has been discovered targeting over 400,000 websites, successfully spamming at least 80,000 of them since September 2024. This malicious framework leverages the OpenAI API to generate personalized spam content, effectively bypassing traditional spam filters and CAPTCHA protections. The campaign primarily targets small to medium-sized businesses (SMBs) using popular website builder platforms such as Shopify, GoDaddy, Wix, and Squarespace.

AkiraBot functions by analyzing a website's content to create customized promotional messages, primarily advertising dubious SEO services under the names "Akira" and "ServicewrapGO". This personalized approach makes the spam messages appear legitimate, significantly increasing their chances of reaching their intended targets. The bot leverages the GPT-4o-mini model through the OpenAI API, instructing it to act as a "helpful assistant that generates marketing messages" based on the website's content. Researchers at SentinelOne traced the tool's development back to September 2024, identifying various versions with code names like "Shopbot," "GoDaddy," and "Wixbot," indicating continuous improvements to its targeting capabilities. Initially focused on contact forms, newer versions also target live chat widgets, including those provided by services like Reamaze.

AkiraBot's effectiveness is further enhanced by its ability to evade CAPTCHA challenges. It employs various techniques, including mimicking real user browser behavior and utilizing external CAPTCHA-solving services like Capsolver, FastCaptcha, and NextCaptcha. The bot also uses multiple proxy hosts to avoid network detection. The operators of AkiraBot meticulously track their progress, logging successful and failed spam submissions. As of January 2025, the bot had successfully spammed 80,000 websites. Success metrics related to CAPTCHA bypass and proxy rotation are also collected and posted to a Telegram channel via API.

In response to the discovery of AkiraBot, OpenAI has disabled the API key and other associated assets used by the threat actors. However, the emergence of this AI-powered spam campaign highlights the growing challenges of defending websites against increasingly sophisticated attacks. AkiraBot represents a concerning evolution in spam technology, demonstrating how AI can be used to create personalized messages that bypass traditional spam filters. Its ability to evade CAPTCHA protections and use sophisticated network evasion techniques makes it particularly effective at targeting SMBs. Website owners should remain vigilant and implement robust security measures to protect against these increasingly sophisticated attacks.