Alex Spring
149 posts

Alex Spring
@_alexspring
Founder: @driverdotdev Prev: 2x exits in web infra
Joined July 2023
147 Following, 689 Followers

@0x1_0xyd3 I think we're still early on seeing antibots in prod requiring key attestation. It has been mocked up by some, but Google seems to be one of the first indicating things are moving this direction.
I'd say 6-12 months before others start implementing variations.

@_alexspring any antibots which are checking real hardware key ??
I only know about Google as it checks during creating an account as it requires a real phone for account creation.

@parzival1213 This has nothing to do with hardware key attestation

@_alexspring Agree. Browser agents win when they use a normal user Chrome profile, not patched headless Chromium. Auth state, visible proof, approvals, and cleanup matter as much as the model. That is the layer FSB is built around github.com/LakshmanTurlap…

@montanaflynn We use Framer for our landing page. They're doing the same.
framer.com/marketplace/te…

@N104AP Good to know, thanks for sharing.
What site are you reproducing the on?
It's still early rollout. Wouldn't surprise me if Play Integrity integrated in future.

felt inclined to share play integrity doesn't matter, my device runs gms but isn't play certified in the slightest, only achieving basic integrity
still really shitty though



Alex Spring@_alexspring
@ArieWindmill I've seen discussions mentioning it on archive.today, but I haven't been able to reproduce yet. That QR code on the image is valid as well.

@DCubbins Yea, it's backed by Play Integrity.
developer.android.com/google/play/in…

@_alexspring Just FYI: This might not work well on phones without Play Services -
piunikaweb.com/2026/05/07/goo…

@_alexspring How would a captcha help with that? Just enable 3-D secure or whatever the credit card company calls it when you have to login to verify your transaction

@_alexspring A shopping site is a weird example pick because why would they care if I'm human during checkout? The verification method is payment


@_alexspring can anyone send me a link to a site that uses this?

@BlakjakTheGamer It requires a mobile device connected to Google Play Services. It is backed by Play Integrity.
developer.android.com/google/play/in…

@_alexspring I'm sure websites exist that can decode screenshots of qrcodes. So this will be easily bypassed.

@strajk_ It's likely backed by Play Integrity. Meaning you'll need an Android device with Google certified attestation keys.

@_alexspring What happens after scanning the code? Because parsing that is way easier than solving a captcha. I can shit out a browser extension in 5 minutes that does that for me with ease.
There has to be something like a secondary captcha or device information that gets uploaded to verify

@jawschamp Yep, we're pushing an update soon. Rotating Android infra with full Play Integrity passes.
Hope to share our findings. It's expanded upon: x.com/_alexspring/st…

okay, what's the secret to getting browser automation to work on hermes that doesn't constantly get tripped up by fancy javascript forms and/or anti-bot tooling?
i've tried @browserbase (with residential proxy) to no consistent effect.
(hermes is on a mac mini, fwiw)

@assemblyenjoyer @CustomWetware Good luck, here are some references.
Keep in mind, the solution requires a dynamic approach, not a static approach like existing solutions. Challenges can change at any moment.
castle.io/research/finge…
fp.bablosoft.com

@_alexspring @CustomWetware yeah I will go to do it just for the sake of it

Your "stealth" browser fakes a GPU and it gets detected by pixels.
Antibot scripts draw test scenes through WebGL and Canvas APIs, then read back the pixel output.
They're checking the rendered pixels, not your spoofed renderer string.
Fake GPU = SwiftShader. String says NVIDIA. But pixels say software. Detected.
GPU-over-IP forwards calls from a CPU-only machine to a real GPU over TCP. Real hardware, real pixels.
You can fake the string. You can't fake the pixels.


At driver.dev we build and run our own hardware. Not replayed fingerprints sourced from sketchy vendors.
If you want a cabinet like ours, shoot me a msg

Your device fingerprint is being sold to browser providers.
You visit a normal website. Nothing shady.
Hidden “stealth” scripts quietly collect your Canvas, WebGL, fonts, and hardware profile.
Browser companies purchase access behind closed doors. $5 per 1,000 prints.
They replay your exact fingerprint and sell it as infrastructure.
It passes antibot checks because it came from a real device.
The fix: defenses need to assume replay.
