Research
·
Ant traps, fraud graphs, and the cost of blocking too soon
I recently had an ant problem in my apartment. At first, it looked simple. We saw ants coming through the
Antoine Vastel
Antoine is currently the Head of Research at Castle. In this role, he focuses on improving Castle's bot detection engine using different approaches, including behavioral detection, and fingerprinting.
Latest
SMS verification abuse at scale: releasing our open source disposable phone number list
A few weeks ago, we released an open source list of disposable email domains observed in real abuse activity: https:
Research
·
Inside the infrastructure behind fake signups: our open source disposable email domain list
Disposable email addresses are a foundational piece of infrastructure for online abuse. Just like proxies help attackers distribute traffic and
Research
·
You thought your growth was working. It wasn’t.
You just got a Slack webhook notification. You have 3 new users who created an account on your SaaS: * john.
Research
·
Introducing Castle’s Research Team
How we think about research at Castle Bot detection and fraud prevention are adversarial by default. It is a cat-
Research
·
Inside a bot operator’s email verification infrastructure
During an investigation into a large-scale automated account creation attack targeting one of our customers, we observed a burst
Research
·
Account enumeration in the wild: analyzing a real-world Spotify enumeration tool
In this blog post, we study the Spotify-Account-Checker open source project. The author describes it as: “An automated
Research
·
You see an email ending in .eu.org. Must be legit, right?
At first glance, an email address ending in .eu.org looks trustworthy. It feels institutional, maybe even official. Many people
Research
·
Detecting forged browser fingerprints for bot detection, lessons from LinkedIn
In my previous post, I showed how LinkedIn detects browser extensions as part of its client-side fingerprinting strategy. That
Research
·
Detecting browser extensions for bot detection, lessons from LinkedIn and Castle
Modern bot detection rarely deals with obviously fake browsers. Most large-scale automation today runs inside browser instances, with patched
Research
·
Fingerprints beyond device IDs: engineered representations for fraud detection
In fraud and bot detection, people usually think of fingerprinting as the classic browser or device fingerprint. This comes from
Research
·
Fraudulent email domain tracker: December 2025
Every month, we publish a snapshot of the email domains most actively used in fake account creation and related abuse