At the recent Next ‘26 conference, Google introduced Google Cloud Fraud Defense, the successor to reCAPTCHA. The platform goes beyond basic bot detection to address broader online fraud across login, account creation, and payment flows, helping organizations detect suspicious behavior and block abuse, including fake accounts, automated attacks, and transaction fraud.
According to the cloud provider, Fraud Defense combines Google’s global threat intelligence with machine learning to evaluate activity from humans, bots, and AI agents, while maintaining a low-friction experience for legitimate users. Jian Zhen, lead product manager at Google, describes the transition:
reCAPTCHA will continue to be the core bot defense pillar of the broader Fraud Defense platform. Existing reCAPTCHA customers are automatically Fraud Defense customers, with no migration required, no action needed, and no change to pricing. Your existing site keys and integrations remain exactly as they are today.
Google says Fraud Defense is designed to address emerging forms of online fraud as attacks shift from automated bots to account takeovers and AI-driven identity fraud. The service is designed to detect suspicious activity before it reaches a site and to analyze signals across the entire user interaction, including registration, login, and payment, to identify coordinated fraud attempts. Google claims the system can reduce account takeover attempts while verifying most legitimate users in the background, avoiding disruptions to normal transactions. Zhen adds:
In the agentic economy, friction kills conversion. Fraud Defense is designed to be invisible for the majority of users, replacing disruptive puzzles with silent background verification.
Cloud Fraud Defense provides risk scores and reason codes through the existing reCAPTCHA APIs, enabling customers to automate security policies. Developer Rasu tested the service and shared their findings:
What strikes me most about this announcement is the timing. Google did not just decide to rebuild reCAPTCHA for fun. They did it because the threat landscape has fundamentally changed. (...) The old CAPTCHA approach is simply not adequate for this world anymore. You cannot reliably tell a human from an AI-generated bot using static challenges.
Source: Google Cloud blog
Reddit users echo these concerns about reCAPTCHA v3, highlighting a broader shift in digital trust, where verification increasingly applies not only to human users but also to bots and autonomous agents.
Google is not the only provider offering managed CAPTCHA systems to distinguish between human and automated access. As previously reported on InfoQ, Cloudflare offers Turnstile, designed to preserve user privacy, stop bots, and enhance the user experience. AWS supports WAF rules to trigger CAPTCHA or Challenge actions.
Zhen presented the breakout session "Preventing Fraud and Abuse: Securing the New Agent Economy" at Next '26. The recording is publicly available.
Earlier this year, Google announced that reCAPTCHA would shift from a data controller to a data processor model, aligning its data handling with other Google Cloud services. Under this change, organizations deploying reCAPTCHA on their websites become the data controllers responsible for determining how their users' personal data is used.
Cloud Fraud Defense uses the same usage-based pricing model as reCAPTCHA. Organizations receive up to 10000 security assessments per month at no cost, after which charges apply based on volume.