← Glossary / FunCaptcha

What is FunCaptcha?

FunCaptcha (now Arkose Matchkey) is an interactive, gamified CAPTCHA system that relies heavily on behavioral biometrics and device telemetry rather than just visual puzzle-solving. For scraping pipelines, the visual challenge—rotating a 3D animal or counting dice—is a distraction. The real test is the encrypted telemetry payload submitted before the puzzle even renders. Fail the telemetry check, and your token is silently rejected even if you solve the puzzle perfectly.

Arkose LabsTelemetryBehavioral BiometricsToken GenerationVision AI
// 02 — definitions

More than
a game.

Why rotating a 3D rhino is actually a cover for a massive device and behavioral telemetry dragnet.

Ask a DataFlirt engineer →

TL;DR

FunCaptcha evaluates 70+ client signals—from canvas hashes to mouse velocity—before deciding which puzzle to show you. If your fingerprint is weak, you get an unsolvable puzzle or a token that the target server silently rejects. Bypassing it at scale requires reverse-engineering the telemetry encryption, not just pointing a vision model at the images.

01Definition & structure
FunCaptcha (Arkose Matchkey) consists of two distinct layers. The first is a silent telemetry collector that gathers device fingerprints, canvas hashes, and behavioral data into an encrypted JSON payload called `Bda`. The second is the visual enforcement challenge—a gamified puzzle. The visual puzzle is merely a fallback; the primary defense is the telemetry evaluation.
02The Bda payload
Before a puzzle is requested, the client executes heavily obfuscated JavaScript to build the Bda payload. This includes screen resolution, font enumeration, WebGL renderer strings, and mouse trajectory data. It is encrypted using AES-GCM with keys dynamically derived from the session. If this payload is malformed or contains anomalies (e.g., a Linux user-agent with Windows fonts), the resulting token will be poisoned.
03Puzzle variants and waves
If the telemetry score is marginal, Arkose serves a puzzle. The difficulty is dynamic. A low-risk session might get a 1-wave "pick the matching animal" task. A high-risk session might get a 20-wave "calculate the sum of the dice" task. Failing a wave resets the counter. The goal is to make automated solving computationally expensive and human solving frustratingly slow.
04How DataFlirt handles it
We treat Arkose as a cryptography and fingerprinting problem, not an image recognition problem. Our infrastructure generates mathematically perfect Bda payloads bound to high-reputation residential IPs. This forces Arkose to serve the easiest 1-wave puzzles. We then pass the images to our proprietary Vision-Language Models, which return the correct coordinates in under 800ms, allowing us to maintain high throughput without third-party solver costs.
05Did you know?
Arkose uses "honeypot" puzzle variants. Occasionally, it will serve a puzzle where multiple answers are technically correct, or none are. It uses these to profile the solving behavior of automated vision models. If your solver picks the mathematically perfect center of an image every time, it gets flagged. Human solves have variance; production solvers must simulate that variance.
// 03 — the arkose model

Scoring the
telemetry.

Arkose calculates risk before the puzzle is shown. DataFlirt monitors the puzzle difficulty tier (number of waves) as a proxy for our fingerprint health. Better telemetry means fewer waves.

Risk Score = R = Wfp(Fingerprint) + Wip(IP_Rep) + Wbeh(Behavior)
The weighted sum of your client's credibility. High R triggers harder puzzles. Arkose Labs architecture
Puzzle Difficulty Tier = D = 1 + floor(R × 10)
Determines the number of 'waves' (1 to 20) you must solve. Observed Matchkey behavior
DataFlirt Solve Latency = Tsolve = Trender + (Nwaves × 0.8s) + Tsubmit
Our sub-second vision models keep total latency under 3s for low-wave challenges. DataFlirt internal SLO
// 04 — arkose token flow

Generating a valid
Matchkey token.

A trace of a successful FunCaptcha bypass. Notice the heavy emphasis on the encrypted telemetry payload (Bda) before the puzzle is even requested.

Arkose LabsBda payloadVision AI
edge.dataflirt.io — live
CAPTURED
// 1. Init session & submit telemetry
POST /fc/gt2/public_key/8A9D...
bda: "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..." // encrypted payload

// 2. Server response
token: "44782b...|r=us-east-1|meta=3"
supress: false // challenge required

// 3. Fetch challenge
GET /fc/get_image/
variant: "game_core_matchkey"
waves: 3

// 4. AI Solver execution
wave_1: solved (angle: 45) [840ms]
wave_2: solved (angle: 180) [790ms]
wave_3: solved (angle: 90) [810ms]

// 5. Submit & Verify
POST /fc/ca/
response: "solved"
target_login: 200 OK // token accepted by target
// 05 — failure modes

Why your tokens
get rejected.

Solving the puzzle visually is only half the battle. If the telemetry doesn't match the solve pattern, the token is silently invalidated by the target server.

SAMPLE SIZE ·  ·  ·  ·    2.1M solves
WINDOW ·  ·  ·  ·  ·  ·   30d trailing
UPDATED ·  ·  ·  ·  ·  ·  2026-05-19
01

Bda payload encryption mismatch

% of failures · Using outdated cipher keys or malformed JSON
02

Fingerprint / IP mismatch

% of failures · Datacenter IP with mobile telemetry
03

Solve speed anomaly

% of failures · Solving 10 waves in 200ms looks mechanical
04

Incorrect puzzle solution

% of failures · Vision model failure on new variant
05

Token expiration

% of failures · Taking too long to submit the final token
// 06 — our solver stack

Perfect telemetry,

backed by sub-second vision models.

DataFlirt doesn't rely on third-party CAPTCHA farms for Arkose. We reverse-engineer the Bda encryption to submit flawless device telemetry, forcing Arkose to serve the easiest puzzle variant (or suppress the challenge entirely). We then route the images to our in-house Vision-Language Models (VLMs) optimized specifically for Matchkey variants, achieving human-like solve trajectories in under 3 seconds.

arkose_solve_job.log

Live trace of an automated FunCaptcha solve on a social media target.

target.public_key 8A9D...4B21
telemetry.bda generated · v124
puzzle.variant 3D_rollball
puzzle.waves 1 wave
solver.engine df-vlm-nano
solver.latency 1.24s
token.status accepted

Stay ahead of the pipeline

Data engineering
intel, weekly.

Anti-bot shifts, scraping infrastructure updates, dataset delivery patterns, and business outcomes from our pipelines. Short, technical, no fluff.

By submitting, you acknowledge our Privacy Notice.

// 07 — FAQ

Common
questions.

About Arkose Matchkey, telemetry payloads, shadow bans, and how DataFlirt maintains high solve rates.

Ask us directly →
What exactly is FunCaptcha? +
FunCaptcha (rebranded as Arkose Matchkey) is an anti-bot system that combines heavy client-side telemetry collection with gamified visual puzzles. Unlike reCAPTCHA, which relies heavily on Google cookies, Arkose relies on real-time behavioral analysis and device fingerprinting to assess risk before rendering the puzzle.
Why is my correct solution being rejected? +
This is a "shadow ban." Arkose lets you solve the puzzle, but flags the resulting token as invalid because your background telemetry (the Bda payload) looked suspicious. The target server checks the token against Arkose's API, sees the high risk score, and silently drops your request.
Can I bypass FunCaptcha without solving the puzzle? +
Yes. If your IP reputation is pristine and your telemetry payload perfectly matches a credible human profile, Arkose will return supress: true in the initial response. You receive a valid token immediately without any visual challenge being rendered.
How does DataFlirt handle Arkose updates? +
Arkose frequently updates the encryption keys and structure of the Bda payload. We monitor the obfuscated JavaScript served by Arkose across our target fleet. When a cipher change is detected, our automated pipelines extract the new keys and update our telemetry generators, usually within 4 hours.
Are CAPTCHA farms effective for FunCaptcha? +
Increasingly no. Arkose correlates the IP address that requested the puzzle with the IP address that submits the solution. If you use a CAPTCHA farm, the IP mismatch often flags the token. In-house AI solvers running on the same proxy as the request are the only reliable method at scale.
Is bypassing FunCaptcha legal? +
Bypassing a CAPTCHA to access publicly available data is generally lawful, supported by precedents like hiQ v. LinkedIn. However, bypassing CAPTCHAs to access authenticated areas, commit fraud, or execute credential stuffing is illegal. We only bypass challenges to extract public, unauthenticated data.
$ dataflirt scope --new-project --target=funcaptcha READY

Tell us what
to extract.
We do the rest.

20-minute scoping call. Pilot dataset within the week. Production within two. Whether you need a one-off catalogue dump or a continuous feed across millions of records — we scope, build, and operate the pipeline.

Start a pipeline → View pricing
hello@dataflirt.com  ·  Bengaluru  ·  IST  ·  typical reply < 4h
// 08 — keep reading

Related glossary terms

Anti-Scraping

Arkose Labs FunCaptcha Trigger

The specific network and behavioral thresholds that cause Arkose to serve a challenge.

Read →
Anti-Bot Bypass

CAPTCHA Farm

Why outsourcing puzzle solves to human workers is failing against modern telemetry checks.

Read →
Anti-Bot Bypass

Behavioral Biometrics

How mouse movements and typing cadence are used to build the Bda payload.

Read →
Anti-Bot Bypass

Browser Fingerprinting

The device-level signals Arkose collects before deciding your puzzle difficulty.

Read →