Related videos:
An online security tool widely recognized—the CAPTCHA—is being exploited by cybercriminals to steal passwords, banking data, and personal information from unsuspecting users, as warned by the Identity Theft Resource Center (ITRC) in a report from Telemundo.
Legitimate CAPTCHAs, such as the well-known "I am not a robot" checkbox or image selection puzzles, were designed to distinguish human users from automated programs. However, criminals are now creating fake pages that perfectly mimic these verifications to deceive their victims.
The most important warning signal is an error message instructing the user to press a sequence of keys to continue. Experts warn that this should raise immediate alarm: if it happens, one should stop and not follow any instructions on the page.
The most prevalent technique is known as "ClickFix": by clicking on the fake CAPTCHA, a JavaScript script automatically copies a malicious command to the user's clipboard. The page then instructs the user to open the Windows "Run" dialog with the Win+R keys, paste the content using Ctrl+V, and press Enter, which executes the code without the victim suspecting anything.
This method installs malicious software, which are simply programs designed to infiltrate, damage, steal information, or disrupt computer systems.
According to the ITRC, with a fake CAPTCHA, the malicious program that is introduced can look for saved passwords in browsers, collect cookies from active sessions, capture screens, and gather details from the infected device, as well as extract credit card data and cryptocurrency wallet information.
So far, the most reported virus is "StealC," which operates as a criminal service available for any criminal who "rents" it. Its infection model is swift: it extracts data in seconds and sends it encrypted to servers controlled by the attackers. The stolen data is then sold on dark web markets or through Telegram channels.
These campaigns have been active since 2024, intensified in 2025, and continue into 2026, affecting users of Windows, macOS, and Android.
In Latin America, detections increased by 40% according to threat intelligence from Kaspersky, with campaigns in Spanish propagated via WhatsApp, Telegram, and malicious ads.
False CAPTCHAs arrive through phishing emails, compromised websites, malicious ads, pirate streaming sites, and social media. A real CAPTCHA never asks to download files, run commands, or enter personal data: that is the fundamental difference.
If someone encounters a suspicious CAPTCHA page, experts recommend closing the tab immediately and navigating directly to the desired site by typing the address in the browser, rather than clicking on links. They also advise using access keys and enabling multi-factor authentication whenever possible.
For those who believe they have already downloaded malicious software, the steps are clear: disconnect from the Internet by turning off the Wi-Fi or unplugging the network cable, change passwords from another device, run a full scan with a trusted antivirus, and closely monitor financial accounts.
Regularly checking and freezing credit reports also helps to detect potential identity theft in a timely manner and limit the damage if personal information is compromised.
Filed under: