A newly discovered Python-based framework known as AkiraBot has been responsible for spamming the contact forms and chat widgets of small
and medium-sized business websites, affecting more than 80,000 victims in the past six months, according to cybersecurity firm SentinelOne.
The framework gets its name from the repeated use of “Akira” in domain names tied to a supposed SEO service. It also features the branding “ServiceWrap” in some of its SEO-related domains. AkiraBot is designed to bypass CAPTCHA filters and avoid network detection, making it particularly difficult to stop. Notably, the framework employs OpenAI's services to generate unique, site-specific spam messages.
According to SentinelOne’s SentinelLabs, the framework has been active since September 2024. It initially focused on Shopify sites but later expanded to platforms like GoDaddy, Wix, Squarespace, and general-purpose contact forms. These platforms are commonly used by small to medium-sized businesses due to their simplicity and built-in support for eCommerce and business services.
Several iterations of AkiraBot have been identified. All versions include hardcoded OpenAI API keys and use the same proxy credentials and testing websites. The tool's user interface allows operators to select websites to target, monitor attack metrics, and control how many sites are attacked at once.
To generate spam messages, the framework uses templates fed into the OpenAI chat API. The AI is prompted to act like a marketing assistant, crafting customized messages that appear tailored to each website. This approach makes the messages more difficult to filter, since they are unique and don’t follow a fixed template.
AkiraBot also leverages Selenium WebDriver to simulate user activity and bypass CAPTCHA protections such as hCAPTCHA and reCAPTCHA. When that fails, it resorts to third-party CAPTCHA-solving services like Capsolver, FastCaptcha, and NextCaptcha. For avoiding network detection, the framework uses proxy servers, and all observed versions have relied on SmartProxy with shared credentials.
The bot tracks its success metrics, which revealed over 80,000 unique domains that were successfully spammed and over 420,000 domains targeted overall since its emergence. The SEO services “Akira” and “ServiceWrap” referenced in the spam messages have numerous suspicious 5-star reviews on TrustPilot—likely AI-generated—as well as 1-star reviews complaining about scams and spamming activity.
SentinelLabs concludes that AkiraBot is a rapidly evolving and complex framework, incorporating multiple updates to expand its target range and evade detection. As website hosting services adapt to block such threats, it is expected that the bot will continue to evolve in response.
Found this article interesting? Follow us on X(Twitter) and FaceBook to read more exclusive content we post.
