by arp242 382 days ago
They don't detect if you're a bot or not; it just makes it more expensive, the idea being that doing $action 10,000 (or more) times becomes much more costly for the attacker, preferably to the point where doing $action (posting spam, creating accounts, etc.) is no longer profitable. It's probably more useful to see it as a rate limiter than a bot detection mechanism.

Until, of course, the attackers reprogram their FPGAs and can solve challenges 10,000 times faster than a legitimate user. And since you can't request a user to have their phone toast itself at 100% load for 10 seconds, the attackers can solve it in micro/milliseconds for a sip of power.

Actually, this just uses SHA-256 hashing, which already has specialized CPU instructions (that browser WASM can't use) and ASICs.

I can't see how this isn't DOA?
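The two comments above argue about the same mechanism from opposite sides: a SHA-256 proof-of-work challenge acts as a cost-based rate limiter (arp242's point), and its value collapses to the ratio between the attacker's hash rate and the legitimate client's (the reply's point). The following is an added example, not code from the thread or from any particular project, that implements a minimal HMAC-bound challenge/solve/verify round trip and the cost model behind both arguments. The hash-rate figures in the cost helper are constructed inputs for illustration, not measurements.

```python
import hashlib
import hmac
import secrets

# Server-side: issue a challenge bound to the action and difficulty.
# The HMAC lets a stateless server later confirm it really issued these
# parameters, so a client cannot lower the difficulty on its own.
def issue_challenge(server_secret: bytes, action: str, difficulty_bits: int) -> dict:
    nonce = secrets.token_hex(16)
    payload = f"{action}:{difficulty_bits}:{nonce}"
    mac = hmac.new(server_secret, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}

# Count leading zero bits of a digest; difficulty is expressed in bits,
# so expected work is 2**difficulty_bits hash evaluations.
def leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

# Client-side: brute-force a counter until SHA-256(payload:counter) has
# enough leading zero bits. This is the only expensive step, and it is
# exactly the loop that specialised SHA-256 hardware accelerates.
def solve(payload: str, difficulty_bits: int, max_iters: int = 1 << 26):
    for counter in range(max_iters):
        digest = hashlib.sha256(f"{payload}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty_bits:
            return counter
    return None  # gave up; caller should treat as failure

# Server-side: one HMAC and one SHA-256, regardless of difficulty.
# Verification is O(1); only solving scales with 2**difficulty_bits.
def verify(server_secret: bytes, challenge: dict, counter: int) -> bool:
    payload = challenge["payload"]
    expected_mac = hmac.new(server_secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, challenge["mac"]):
        return False  # tampered or forged challenge
    difficulty_bits = int(payload.split(":")[1])
    digest = hashlib.sha256(f"{payload}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty_bits

# Cost model: expected wall-clock seconds to perform `actions` actions at a
# given difficulty, for a party that can compute `hashes_per_second`.
def expected_cost_seconds(difficulty_bits: int, hashes_per_second: float, actions: int = 1) -> float:
    return actions * (2 ** difficulty_bits) / hashes_per_second

# Difficulty needed so that `actions` actions cost the attacker at least
# `target_seconds` of hashing, given the attacker's hash rate.
def difficulty_for_budget(target_seconds: float, attacker_hps: float, actions: int) -> int:
    bits = 0
    while expected_cost_seconds(bits, attacker_hps, actions) < target_seconds:
        bits += 1
    return bits

if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    chal = issue_challenge(secret, "post-comment", 16)
    answer = solve(chal["payload"], 16)
    print("solved with counter", answer, "valid:", verify(secret, chal, answer))

    # Constructed, assumed hash rates (not measured): a browser client at
    # 1e6 H/s versus dedicated SHA-256 hardware at 1e9 H/s. The ratio is
    # the whole story: whatever difficulty costs a user one second costs
    # the faster party one thousandth of that for the same 10,000 actions.
    browser_hps, hardware_hps = 1e6, 1e9
    for bits in (16, 20, 24):
        print(bits, "bits: user %.3fs/action, attacker %.1fs/10k actions" % (
            expected_cost_seconds(bits, browser_hps),
            expected_cost_seconds(bits, hardware_hps, actions=10_000)))
```

A production verifier would additionally record each nonce as spent (so one solved challenge cannot be replayed) and reject challenges past an expiry embedded in the payload; both are omitted here to keep the cost model visible. The `difficulty_for_budget` helper makes the reply's objection concrete: raising difficulty until 10,000 actions cost an accelerated attacker real time also multiplies every legitimate user's wait by the same factor.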