A reference catalog of the signals that give headless Chrome away: the webdriver flag, empty plugin lists, the permissions contradiction, missing proprietary codecs, software WebGL renderers, and what --headless=new actually fixed.
The biography of one bot-detection signal: how logging an Error object exposed a CDP-driven browser, how DataDome made the trick public in 2024, and the two V8 commits that quietly broke it in May 2025.
Traces how anti-bot systems read the clock instead of the cursor: event-dispatch latency, requestAnimationFrame cadence, input-to-action gaps, and why synthetic interaction keeps a suspiciously clean beat.
Traces how pointer motion becomes a biometric for bot detection: Fitts's law, bell-shaped velocity profiles, the two-thirds power law, micro-jitter and overshoot, and why straight-line and Bezier synthetic paths get flagged.
Traces what mouse, keystroke, and touch dynamics actually measure, how continuous authentication differs from a login check, how BioCatch and BehavioSec build the profile, and why behavioral data sits in a regulatory grey zone.
A reference on the detection side of mouse dynamics: the curvature, velocity, acceleration and pause features detectors extract, the classifiers that separate human from bot, and the Balabit dataset that anchors the literature.
How DeviceMotion and DeviceOrientation readings separate a handheld phone from an emulator, why flat or looped sensor streams give automation away, and how the iOS and Android permission models gate the whole signal.
Behavioral models need history to judge a user, so first-session and new-account verdicts are structurally weak. Traces how vendors bootstrap with population models, device signals, and progressive trust, and where each fallback breaks.
Traces how account-takeover detection scores a login: credential-stuffing velocity, device-fingerprint continuity, impossible-travel and geovelocity, the false-positive problem, and where risk-based step-up auth fits in.
Traces how scalper and Grinch bots monitor stock, race the add-to-cart and checkout, and hoard inventory, what the BOTS Act actually covers, and how queues, raffles, and bot management push back.
Traces how invalid traffic gets monetized in programmatic advertising, from the Methbot and 3ve botnets to domain spoofing, and how the IVT-detection industry and ads.txt try to catch it.
Traces how mass fake-account creation works: SMS-verification farms built on infected phones, disposable email, the phone-number economy, and the defenses that fight back (velocity, device fingerprint, proof-of-work, and phone reputation).
How a device fingerprint plus proxy, velocity, and history signals turns into a fraud risk score, traced through Sift, SEON, and Fingerprint Pro, and where it diverges from bot detection.