By Oscar Hayek, Co-founder and CTO at Innerworks
In conversations around protecting the fairness and integrity of Web3 ecosystems, the focus often rests on known threats: bots exploiting APIs, scraping data, or deploying headless browsers to bypass verification measures. As detection strategies become more sophisticated, traditional automation grows easier to identify and mitigate. However, a quieter, low-technology threat is slipping beneath the radar: macro recorders. And their impact is proving to be both significant and difficult to counter.
Unlike conventional bots, macros do not behave in ways that immediately raise suspicion. They do not generate excessive traffic, abuse endpoints, or move with superhuman speed. Instead, they simply replay genuine human activity, captured through a recording of clicks, keystrokes, scrolls, and pauses, and replicate it at scale with enough subtle variation to evade existing detection frameworks. This is not automation attempting to imitate human behaviour; it is automation built directly from human behaviour itself.
This threat became particularly evident during a recent engagement supporting a blockchain network’s airdrop campaign. At first glance, participation levels appeared genuine. Wallets registered successfully, passed signature verification challenges, and engaged with the decentralised application in ways entirely consistent with expected user behaviour. However, as deeper analysis was conducted, anomalies began to surface.
Macro recorders, initially designed for legitimate purposes such as productivity enhancement and software testing, have now been repurposed as tools for exploitation. Unlike more complex forms of automation, macro deployment requires no coding skills and no specialist knowledge. A user records a single legitimate session and, with minor variations in timing and cursor movement, can reproduce that session hundreds of times. These interactions occur at human speed, use conventional browsers and are often layered with anti-fingerprinting measures, which blend seamlessly into legitimate traffic.
Traditional anti-bot measures are designed to flag behaviour that falls outside the bounds of normal human activity: suspiciously fast interactions, the use of non-standard browsers, API anomalies, or unnatural input patterns. Macros evade all of these. Every interaction looks, by design, entirely plausible. In fact, some macro-generated sessions introduce deliberate randomness in delay times and input speeds, creating behavioural profiles that can appear even more authentic than real users operating at scale.
In the case of the blockchain campaign, this subtle form of abuse was not immediately obvious. Only through clustering analysis, grouping and comparing user sessions based on detailed mouse movement trajectories and input timing, did the pattern become visible. Despite slight differences introduced by macro randomisation, a substantial proportion of sessions demonstrated near-identical behaviours that were statistically improbable for genuine human users. Ultimately, nearly 10% of participants were found to be engaging with the system via macro automation.
Read More: How AI Is Reshaping The Role Of Spreadsheets In Accounting
This is not an isolated incident. In the broader Web3 landscape, projects are increasingly reliant on user activity as a proxy for value and engagement. Whether it’s play-to-earn games, staking rewards, or governance participation, user behaviour is monetised and incentivised—making it a ripe target for exploitation. According to Messari, over $2.3 billion worth of airdrops were distributed in 2023 alone, often with minimal protection against macro-based abuse.
The implications are far-reaching. Any system that measures success, engagement, or eligibility for rewards based solely on observed user activity is exposed to this form of manipulation. Growth metrics can be artificially inflated, token distributions compromised, and trust within the ecosystem eroded, all without triggering conventional security alerts.
The challenge is compounded by the decentralised nature of Web3. Unlike traditional platforms, there is no centralised authority validating identities or usage patterns. Sybil resistance – the ability to distinguish between genuine users and clones – remains one of the most pressing unsolved problems. According to Electric Capital, more than 80% of wallet addresses participating in high-profile Web3 incentive programs exhibit some signs of anomalous behaviour.
And while there’s a growing ecosystem of “anti-bot” and fraud detection tools in Web3, many still focus on identifiable scripts and traditional automation signatures. These are less effective when dealing with macro automation, which is deliberately designed to mimic (or rather, replay) human inputs.
The reality is that macro recorders represent a low-cost, low-sophistication attack vector capable of undermining even well-defended projects. Detection requires a fundamental shift in approach. It is no longer sufficient to analyse interactions individually; patterns must be assessed collectively, and behavioural repetition over time must become a core focus of security monitoring.
At Innerworks, we’ve found that clustering behavioural data across sessions, devices, and wallets is critical. Instead of looking for “bad actors,” the emphasis must shift to identifying repeatable *patterns of engagement* that suggest automated repetition – even when the surface-level signals appear benign. This is akin to spotting digital “fingerprints” in the choreography of interaction, not in the tools being used.
This emerging threat highlights a broader truth: fairness in decentralised systems cannot be assumed based on surface-level activity. As malicious actors continue to adapt, organisations have to move beyond traditional anti-bot strategies and recognise that sometimes, the greatest risks are not the most complex, but the ones that most closely resemble the users we trust.
For Web3 to scale credibly into financial services, global payments, and institutional-grade applications, it must build in fraud resistance that goes deeper than script detection. The next generation of defences will rely on behavioural intelligence, anomaly clustering, and trust scoring – not static blacklists or browser fingerprinting alone.
In an industry built on transparency and decentralisation, credibility is the ultimate currency. Projects that fail to spot macro abuse risk losing more than just tokens – they lose the trust of their communities, investors, and partners. The tools used to exploit Web3 may be simple, but their consequences are anything but.
Sources:
- Messari, Airdrops & Token Incentives Report 2024, (https://messari.io)
- Electric Capital, Developer Report 2024, [https://www.electriccapital.com/developer-report]
- Chainalysis, Crypto Crime Report 2024, [https://www.chainalysis.com/reports](https://www.chainalysis.com/reports)
About Innerworks:
Offering Intelligent Bot Detection, Innerworks is building the future of behavioural data on web3. Offering highly accurate and totally invisible intelligent fraud detection.Trusted by partners including Cronos Lab, Avalanche, zeroShadow and more.
Read More: Global Fintech Interview with Slava Akulov, CEO & Co-Founder at Jupid Tax
[To share your insights with us, please write to psen@itechseries.com ]
