AkiraBot Uses AI to Bypass CAPTCHA and Spam Businesses


A new Python-based spamming tool called AkiraBot has been exposed after flooding over 80,000 websites with AI-generated messages over the past six months. According to cybersecurity firm SentinelOne, the tool is designed to bypass CAPTCHA defenses and overwhelm website contact forms, particularly those used by small and medium-sized businesses.

AkiraBot stands out for its stealth and scale. It’s capable of evading standard anti-spam measures by leveraging automation frameworks and AI-generated messaging. The name “AkiraBot” stems from domains promoting an SEO service branded “Akira,” while another alias, “ServiceWrap,” frequently appears in related domain names. These domains, with polished TrustPilot profiles, feature glowing 5-star reviews—many likely written by bots. Meanwhile, legitimate reviewers complain about spam or label the services as scams.

The botnet’s operation appears highly coordinated. Using hardcoded OpenAI API keys, AkiraBot generates custom spam for each target site. Instead of mass-sending identical messages, it tailors each one using AI, making them appear more relevant—and harder for spam filters to detect. This is especially effective when combined with the bot’s ability to simulate legitimate browsing behavior using Selenium WebDriver.

Initially, AkiraBot targeted Shopify websites when it surfaced around September 2024. Since then, it has expanded to platforms like GoDaddy, Wix, and Squarespace, along with general-purpose contact forms. These platforms are widely used by SMBs for their simplicity and built-in eCommerce and service tools—making them ideal victims for mass spam campaigns.

Inside the tool’s interface, operators can choose their targets, set how many sites to hit at once, and monitor spam success metrics in real time. The backend logs everything—including which sites were reached and which attempts failed. So far, SentinelOne has tracked successful spam hits on over 80,000 domains, with total attempted targets exceeding 420,000.

To get around CAPTCHA challenges like hCaptcha and reCAPTCHA, the bot uses multiple techniques. It automates page loading and user interaction using Selenium. When that fails, it falls back on external CAPTCHA-solving services such as Capsolver, FastCaptcha, and NextCaptcha. For added stealth, all versions of AkiraBot connect through proxy services—primarily SmartProxy—using shared login credentials.

What makes AkiraBot especially dangerous is how its AI-generated spam mimics real marketing messages. Operators feed a simple outline into OpenAI’s chat API, prompting it to act like a promotional assistant. Each message it produces includes a brief, customized description of the targeted website. This adds a layer of credibility to the outreach, making it more difficult for spam filters to block.
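Because each message body is rewritten per site, matching on message text is a weak signal, while the brand strings the article ties to the promoted domains ("Akira", "ServiceWrap") are steadier. The sketch below is an added example, not code from SentinelOne or the original article: it pulls hostnames out of contact-form submissions and holds those whose labels contain either string. It assumes the spam names the promoted domain; the function names, sample submissions and `.example` domains are constructed for illustration.

```python
import re

# Brand strings the article associates with the promoted domains.
BRAND_TOKENS = ("akira", "servicewrap")

# Matches full URLs and bare hostnames such as "foo.example/path".
HOST_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:/\S*)?",
    re.IGNORECASE,
)

def extract_hosts(text):
    """Return the lowercased hostnames mentioned in a submission."""
    return {m.group(1).lower() for m in HOST_RE.finditer(text)}

def brand_hosts(text):
    """Hosts in the text with a DNS label containing a brand token."""
    return sorted(
        host for host in extract_hosts(text)
        if any(tok in label for label in host.split(".") for tok in BRAND_TOKENS)
    )

def triage(submissions):
    """Split (id, body) pairs into held {id: hosts} and passed [id]."""
    held, passed = {}, []
    for sub_id, body in submissions:
        hits = brand_hosts(body)
        if hits:
            held[sub_id] = hits   # hold for review, keep the evidence
        else:
            passed.append(sub_id)
    return held, passed

# Constructed sample submissions; the .example domains are placeholders.
SAMPLES = [
    (1, "Hi, loved your handmade candles page! Boost rankings at "
        "https://useakiraseo.example/plans"),
    (2, "Your plumbing site looks great. See ServiceWrap-Now.example for SEO help."),
    (3, "Can you ship to Canada? Reply to jane@mail.example"),
    (4, "Is the Akira poster still in stock?"),  # brand word, no domain
]

if __name__ == "__main__":
    held, passed = triage(SAMPLES)
    print("held:", held)
    print("passed:", passed)
```

Substring matching on "akira" will catch unrelated domains, so a hit is better used to queue a submission for review than to drop it silently.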

Researchers believe this spamming campaign will likely continue to evolve. AkiraBot has already gone through several updates to stay ahead of website defenses. With its scalable design and integration of AI and automation, it’s expected to remain a serious threat, especially as more small businesses shift to hosted platforms that offer little protection against such tactics.