Traces how WebRTC ICE candidate gathering uses STUN to surface local and real public IPs in JavaScript regardless of an HTTP proxy or VPN, the mDNS hostname mitigation Chrome shipped in 2019, and how anti-fraud systems use the mismatch.
A source-level read of the open-source FingerprintJS agent: its entropy sources, how x64hash128 turns them into a visitorId, the confidence formula, and what Fingerprint Pro adds server-side with Smart Signals and bot detection.
A reference on the detection side of mouse dynamics: the curvature, velocity, acceleration and pause features detectors extract, the classifiers that separate human from bot, and the Balabit dataset that anchors the literature.
Traces how scalper and Grinch bots monitor stock, race the add-to-cart and checkout, and hoard inventory, what the BOTS Act actually covers, and how queues, raffles, and bot management push back.
Traces how mass fake-account creation works: SMS-verification farms built on infected phones, disposable email, the phone-number economy, and the defenses that fight back (velocity, device fingerprint, proof-of-work, and phone reputation).
How to read obfuscated anti-bot JavaScript without running it blind: beautify, scope and string-array recovery, Babel AST transforms, runtime hooking, and where the workflow hits a wall against bytecode VMs.
Traces how VM-based JavaScript obfuscation works: a custom opcode set and dispatcher loop replace readable code with bytecode, why this is the strongest JS obfuscation, and how devirtualization recovers the logic.
A reference on the JavaScript primitives obfuscators lean on most: dynamic eval and Function construction, the with statement for scope confusion, and string-array rotation, plus how AST deobfuscators take them apart.
Traces why anti-bot vendors compile fingerprinting and proof-of-work logic into WebAssembly, what a wasm module hides that minified JS cannot, and how far the wasm decompiler toolchain has caught up by 2026.
A reference on the two staple transforms in obfuscated anti-bot JavaScript: the dispatcher-driven flattened state machine and the rotated, encrypted string array, and how deobfuscators undo both.
Traces how Anubis gates HTTP requests behind a browser-solved SHA-256 proof-of-work puzzle: the challenge construction, the JWT cookie, the Mozilla heuristic, the FOSS adoption wave, and why native solvers undercut it.
Traces the anti-analysis layer inside anti-bot JavaScript: the debugger statement, timing checks, devtools-open detection, toString integrity checks, and self-defense against hooking, plus the moves analysts use to counter each one.
How bot mitigation became an industry: the founding of Distil, Shape, PerimeterX, DataDome and Kasada, Akamai and Cloudflare moving in, the 2019-2023 consolidation wave, and where the market sits in 2026.