How EVANDALIZE Works

The Problem

Traditional CAPTCHAs verify that you are human. They stop bots. They do not stop a human operative sitting in a government office in Pyongyang, running cyberattacks on your platform between lunch and their mandatory loyalty session.

State-sponsored hacking groups (APT28, Lazarus, APT41, and others) are staffed by real people. They click traffic lights just fine. They solve reCAPTCHAs in seconds. Every existing CAPTCHA system is completely transparent to them.

The Solution

EVANDALIZE flips the model. Instead of proving you are not a robot, you prove you are not operating under authoritarian surveillance. The challenge is simple: deface a portrait of a dictator. Draw on it. Scribble. Go wild.

For most people, this takes three seconds and is mildly entertaining. For a government operative in a monitored facility, it is a criminal act. Lese-majeste laws, portrait desecration statutes, and surveillance systems in authoritarian states make this action genuinely dangerous for those operatives to perform.

The Science

EVANDALIZE operates on an asymmetric compliance cost. The task is trivial for someone in a free society and carries real legal risk for someone operating under an authoritarian regime. This is not theoretical. Portrait defacement laws exist in North Korea, China, Thailand, and other states where APT groups originate.

The system uses face region detection to confirm the defacement targets the portrait itself, not just the background. Session tokens are time-limited and single-use. No defaced images are stored or redistributed.

It is not perfect. It does not need to be. It adds a friction layer that no other CAPTCHA system even attempts: a compliance cost that scales with how authoritarian your operating environment is.