⋆༺𓆩 What Google’s hand captcha is, why it’s soft, and the complete free toolkit to get past it — one tap each 𓆪༻⋆
That “wave at your camera” screen is Google’s brand-new hand-scan captcha — it films your hand to prove you’re human.
Here’s what it actually is, why it’s softer than it looks, and the full toolkit built around it. Tap what you want ![]()
[ 21 dots on your hand ] → "human, go ahead"
🖐️ What the hand screen even is — 21 dots and nothing more
Google’s newest captcha: Hand Gesture Verification. Camera turns on, it maps 21 dots on your hand (knuckles + fingertips) using MediaPipe, then says “human.” New in mid-2026, aimed at bulk account-makers, optional for now.
Plain writeups: Tom’s Hardware · Cybernews · gHacks
🚪 First, the plain way through — no tricks needed
Before any tooling: it’s a normal Google check, so the boring route often just works.
- Allow the camera, do the gesture in good light, plain background, hand fully in frame.
- Camera busy/blocked? Close other apps using it, unblock the site’s camera permission, retry.
- Can’t or won’t use the camera? Hit “Try another way” — Google usually offers another verification (phone, another device, tap-yes prompt).
📸 The part they'd rather you didn't clock — a flat photo walks through it
Days after launch: passed with a stock photo of a hand held to a virtual camera (fake-webcam software that feeds the browser a video instead of your real feed). No live person, no AI.
- The bypass, explained · video · disclosure
- Tool used: camspoof
The core: it only reads 21 dots. It can’t tell your hand from a picture of one. Feed it the dots → it says yes. Every layer below is that one move, scaled.
🖐️ Beyond the photo — print unlimited fake hands from scratch
Research models that spit out photoreal hands in any pose (bones + skin). The dots can be made, not filmed.
🎭 Same trick, your face, live on the webcam feed
Real-time face-swap piped straight into any site’s camera box.
📹 The cable — how fake video gets into any site's camera
- camspoof · v4l2loopback · obs-v4l2sink
- Setup: DEV.to · Interfacing Linux
🤖 Browsers that boot up as a brand-new stranger
Automation that fakes a fresh, normal user each run.
- rtfox-browser (proxy + solver built in) · Patchright · invisible_playwright · undetected-chromedriver
- Which actually works → benchmarks · deep-dives · 2026 test
- Runs ahead in Russian: Habr · vc.ru
🧩 Auto-clear every other captcha standing in the way
- hcaptcha-challenger (AI solver) · 2captcha · solvecaptcha SDKs
- awesome-captcha · funcaptcha topic · solve vs avoid
🎛️ Look human under the hood — ID sticker, handshake, mouse
Three deeper checks, each with a spoofer + a tester.
- Fingerprint (browser ID): browserforge → test on CreepJS (how it reads you)
- TLS (connection handshake): tls tools · curl-impersonate
- Mouse/behaviour: ghost-cursor · Botasaurus
- China’s parallel scene: fingerprint-chromium · resource hub
📱 Grab a throwaway number, catch the code, keep moving
- fivesim · FastRecvSMS · 5sim API
- Whole scene: sms-verification · virtual-phone-number
🗺️ The maps — one page that links every tool at once
- TWSC scraping-wiki (30+ anti-bot systems + counters)
- Awesome-Web-Scraping · 2026 list · curated list
💰 The paid version — same move, aimed at bank ID-checks
- Group-IB report · WEF Cybercrime Atlas 2026 (PDF) (17 face-swap + 8 injection tools tested)
- How it works · injection attacks
🎟️ What quietly kills captcha for good
💡 Where this actually pays off — 5 real spots you'll recognize
Same one move each time — the check only tests for one thing, so you hand it a clean fake of that thing:
- One-per-person giveaways / free trials / referral bonuses → the “one account per number” wall folds with a throwaway number + fresh browser.
- Broken or no webcam → a “show your face/hand” wall stops being a dead end; feed it a valid frame.
- Region-locked signups → look like a local with a country number + matching IP.
- Testing your OWN site → run these against your defenses and see if they actually hold before real attackers do.
- Boring repeat account chores → automate them without tripping the bot flag.
The camera only counts the dots. It never asks who drew them.

!