Anubis Is Malware

2026-06-28

If you've been on the internet any time recently you have probably noticed this fucking thing.

anubis mascot

Anubis is malware. I asked the server to serve me a webpage and instead it ran code on my machine without my permission. That is malware. It uses the exact same method as a crypto miner, that being running a javascript "proof-of-work" solver in your browser. The only difference is it doesn't actually mine crypto, it just uses up your computer's resources for no reason. Well, there is a given reason, that being to prevent AI scrapers from hammering your site. Whether this actually works is dubious at best. Codeberg reported in 2025 that crawlers had already learned to solve anubis challenges, and this article calculates that it wouldn't cost scrapers "a single cent per month in compute costs until several million sites have deployed Anubis." Deploying anubis in 2026 is as far as I can tell a pure act of superstition. At least something like iocane could theoretically harm AI companies by poisoning their data (although I remain sceptical, they likely mitigate this sort of thing). Anubis on the other hand, treats all users as guilty until proven innocent, or rather robot until proven human. And yet the manner in which it does this is highly suspect.

Here I will just quote directly from the post I referenced earlier:

"The CAPTCHA forces vistors to solve a problem designed to be very difficult for computers but trivial for humans.. Anubis – confusingly – inverts this idea. It insists visitors solve a problem trivial for computers, but impossible for humans."

The proof of work model doesn't filter out scrapers, who have 10s of billions of dollars worth of compute to waste pretending to mine crypto on your website, but it does hurt real people who are on slow or old hardware, or whom disable javascript on their browser, or use a browser which does not support javascript.

Who made anubis?

Anubis was created by Xe Iaso. In 2023, Xe participated in the "Ottawa Generative AI Hackathon" with a contribution which used chatGPT to generate long form fiction. Happy as they were to create the tools to automate other people's livelihoods, as soon as LLMs threatened their line of work, their tune changed.

Xe regularly discusses their use of LLMs on their blog, for example here's a recent post on the topic of token pricing. They even used LLMs to help them with post surgery anxiety. The original mascot for anubis was AI generated:

ai generated anubis mascot

Xe includes an AI generated "personification of ChatGPT" on their website here. I think it's safe to assume that Xe is a fairly regular use of cloud based LLMs and other AI services. Now I am not as rabidly anti-AI as some people, I'm not trying to #cancel anyone for using Claude or whatever. I'd have to cancel myself if that were the case. Rather, doesn't it strike you as odd that the person behind what might be the most publicly visible counter-measure against AI, is themself a heavy user of AI?

Techaro (the company founded to manage Anubis as it gained adoption), call themselves on their github an "anti-AI AI company". Let me get to my point.

Anubis is probably vibe-coded.

Now that in itself doesn't bother me too much, again, I'm not rabidly anti-AI to the point where I refuse to use any software written by it, but I am sure that there are people running Anubis right now who are of that opinion, and they are not aware of what's going on.

Why does Techaro's website list "Strategic guidance on integrating AI into your products and workflows, from architecture to deployment" among their services?

I wonder what would happen if a company contracted Techaro's AI consultancy service and asked them to help them bypass Anubis? Perhaps this is among their business goals. Step one convince a bunch of people to install mallware, Step 2 hope that it gets wide enough adoption that it actually causes a problem for AI web scrapers, human users be damned, Step 3 sell immunity to those web scrapers as a sort of protection racket. OK that's a conspiracy theory I just invented, I'm sure that isn't the case. Surely.

That's all well and good, but how do I stop scrapers from eating my bandwidth

This is not a problem with a technological solution. It is a political problem, not a technological one. I know, your programmer brain can't comprehend such ideas. AI is not a bubble, it is the largest case of transparent and legalised investment fraud in history. It is being knowingly endorsed by your government. And I reckon there's no voting our way out of this one. This will only end when ███████ █████ ██ ████ █████ ███ ██████ ████████ █████ ██████ ███ ██████ ███ ██████ █████ █████ ████ ████ ███ █████████. But that's never going to happen. So I guess we're all just fucked. Or maybe we all jump ship to some mesh network and wait for this whole thing to blow over.