About ByeBot — Privacy CAPTCHA from Germany
ByeBot is a GDPR-compliant CAPTCHA from Germany. Built as an alternative to reCAPTCHA and hCaptcha — and at the same time as a technically stronger alternative to existing German GDPR CAPTCHAs. No data transfer to the United States, no cookies, no tracking.
I'm Leon Weinmann. In mid-2024, I examined non-interactive CAPTCHA systems in my master's thesis, focusing on German GDPR-compliant providers. In the same year, I presented the results at the G DATA Study2Protect Award — the first public analysis of German CAPTCHA providers beyond Big-Tech solutions like reCAPTCHA or hCaptcha. In early 2026, I confirmed the findings in a follow-up analysis of German GDPR CAPTCHAs — nearly two years later, the situation hadn't changed. This is the gap ByeBot closes. Legally clean like German providers, technically on par with the US competition.
Development started in late 2025, with public release set for mid-2026. Bots are detected through browser fingerprinting and behavioral analysis. Spam and automated requests are blocked by proof-of-work, time-to-pass, rate limiting, and interactive challenges. Hosted exclusively in Germany, with no user tracking.
Who's Behind ByeBot
My name is Leon Weinmann. I'm a software developer, penetration tester, and Red Teamer — and the founder of ByeBot.
In 2019, I began my computer science studies at Hochschule Niederrhein. I taught myself programming during my studies, at a time when AI wasn't yet available as a coding aid. My bachelor's thesis was a wrapper for the OpenSSL library, written in C, that significantly simplifies its use in applications — over 17,000 lines of code: CryptoWrap.
From the sixth semester onward, I worked in parallel at KPMG in cybersecurity, conducting penetration tests across a wide range of domains, most frequently against web applications. Starting in 2022, I also studied Cyber Security Management, again at Hochschule Niederrhein, and completed my master's in 2024. Since then, I've been working at thyssenkrupp AG as a Red Teamer and Penetration Tester, where I lead the development of the internal offensive security tools that have been deployed across numerous engagements.
I've been developing software for over six years, primarily in Rust in recent years. ByeBot's entire backend is implemented in Rust. For Red Team operations, I wrote a full Command-and-Control framework that stands on par with established frameworks in scope. It remains closed source — a publicly documented C2 would be trivial to identify through detection signatures.
On my blog (shigshag.com), I write about offensive security topics. These include an AMSI bypass that is frequently referenced, as well as the tools Zetsu, Tenten, and Phantom-Proxy.
I've been working on CAPTCHAs since 2024. During my master's thesis, I found a critical vulnerability in an established German provider. The follow-up analysis in 2026 extends the investigation to additional providers and documents a method to bypass bot detection for each one.
External Profiles
- GitHub: github.com/ShigShag
- LinkedIn: linkedin.com/in/leon-weinmann-b8b657227
- Blog (ShigShag): shigshag.com
Direct Contact
What Sets ByeBot Apart
German GDPR CAPTCHAs are usually legally clean but technically exploitable — which is exactly what my 2024 analysis showed and my 2026 follow-up confirmed. ByeBot was deliberately built at the points where existing providers are weak.
Strong JavaScript obfuscation
A CAPTCHA's client-side logic runs in the browser and is therefore potentially inspectable. Without obfuscation, the detection logic can be read and deliberately bypassed. All the German GDPR providers I examined use either no obfuscation or only weak obfuscation — as of April 2026, ByeBot is the only GDPR-compliant CAPTCHA with a mature obfuscation stack. Details and evidence in the public analysis.
Layered bot detection
Individual signals are easy to fool. In my analysis, I was able to develop a bypass for every German provider I examined — using regex to rewrite the non-obfuscated JavaScript code so that every client is classified as legitimate. The regex patterns themselves remain unpublished. The approach works against any provider without JavaScript obfuscation. ByeBot combines proof-of-work, time-to-pass, behavioral analysis, and optional interactive challenges instead. Many providers rely on proof-of-work alone, which doesn't hold up against hardware-optimized attacks: specialized computing power solves PoW challenges faster than the service accounts for. Only the combination with time-to-pass devalues raw computing power as an attack vector, since natural user interaction time is also required. Whoever breaks one layer fails at the next.
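As an added illustration of why proof-of-work and time-to-pass have to be checked together (example code written for this page, not ByeBot's closed-source backend), the server below issues an HMAC-bound challenge, the client brute-forces it, and verification rejects a solution that arrives faster than a human could interact even when the hash work is valid. All thresholds, the difficulty and the secret are constructed values; single-use nonce tracking against replay is omitted.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example parameters (not the real service's settings).
MIN_ELAPSED = 2.0      # time-to-pass: seconds a human plausibly needs before submitting
MAX_ELAPSED = 120.0    # challenge expiry in seconds
DIFFICULTY_BITS = 12   # leading zero bits required in the PoW hash (kept small to run fast)

def _tag(secret: bytes, nonce: str, issued_at: float, difficulty: int) -> str:
    # The tag lets the server stay stateless: issue time and difficulty cannot be altered.
    msg = json.dumps([nonce, issued_at, difficulty]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def issue_challenge(secret: bytes, now: float, difficulty: int = DIFFICULTY_BITS) -> dict:
    """Server side: create a challenge whose issue time is bound by the HMAC tag."""
    nonce = secrets.token_hex(16)
    return {"nonce": nonce, "issued_at": now, "difficulty": difficulty,
            "tag": _tag(secret, nonce, now, difficulty)}

def _meets_difficulty(nonce: str, counter: int, difficulty: int) -> bool:
    digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - difficulty) == 0

def solve(challenge: dict) -> int:
    """Client side: brute-force a counter. This is the step raw compute power accelerates."""
    counter = 0
    while not _meets_difficulty(challenge["nonce"], counter, challenge["difficulty"]):
        counter += 1
    return counter

def verify(secret: bytes, challenge: dict, counter: int, now: float) -> str:
    """Server side: returns 'ok' or the name of the first failing check."""
    expected = _tag(secret, challenge["nonce"], challenge["issued_at"], challenge["difficulty"])
    if not hmac.compare_digest(expected, challenge["tag"]):
        return "bad_tag"        # tampered challenge, e.g. a backdated issued_at
    if not _meets_difficulty(challenge["nonce"], counter, challenge["difficulty"]):
        return "bad_pow"
    elapsed = now - challenge["issued_at"]
    if elapsed > MAX_ELAPSED:
        return "expired"
    if elapsed < MIN_ELAPSED:
        return "too_fast"       # hash work is valid, but no human interacted that quickly
    return "ok"
```

A solver that only throws compute at the hash still trips the `too_fast` check, while backdating `issued_at` to fake elapsed time fails the tag check first.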
Five widget modes
Operators choose per website between Click (checkbox with background challenge), Auto (invisible in the background), Interactive (visible challenge for the highest detection strength), Invisible (no UI), and Demo (sandbox for testing). No one-size-fits-all, but the right balance between security and UX for each use case.
The most configuration options in the GDPR segment
PoW difficulty, time-to-pass, interactive-challenge difficulty, IP whitelisting, IP blacklisting, rate limiting, and geoblocking are all directly adjustable in the dashboard — manually or automatically tuned to the current traffic pattern. With Big-Tech providers, these options sit behind enterprise tiers. With other German GDPR alternatives, they are missing entirely.
Real-time analytics dashboard
Validations, traffic patterns, bot activity, and success rates in a single dashboard, in real time. Operators see directly what ByeBot blocks on their website — without exports, without external analysis, without additional tools.
All features included
No feature gates, no enterprise upcharges. The pricing tiers differ only in volume (validations per month, number of websites, stats retention), never in feature scope.
Each of these layers closes a gap I documented or practically exploited in my research on German CAPTCHA providers. The result: GDPR compliance like German providers, detection quality and configuration depth like the US incumbents.
Why Germany, Why GDPR-Native
Big-Tech CAPTCHAs like Google reCAPTCHA and Cloudflare Turnstile are typically embedded free of charge — the price is paid with the data of your own visitors. That's not only a privacy problem. It's a compliance problem that hits the operators of the embedding websites.
The business model of free US CAPTCHAs
Google reCAPTCHA and Cloudflare Turnstile are operated by US companies. As soon as a visitor loads a website with an embedded CAPTCHA, their browser automatically makes requests to these providers' servers — usually servers in the United States. At minimum, IP address, User-Agent, and Referer are transmitted with every request. This happens before the visitor can make any choice.
What happens to this data on the provider side is outside the website operator's control. It is widely understood in the industry that visitor interactions on such services feed into the training of the providers' own AI models and into cross-cutting analyses. Google itself confirms this for reCAPTCHA — the bot scoring is based on machine learning fed by the interactions of real visitors on every embedding website. For Cloudflare Turnstile, the data processing is less documented, which is not necessarily less risky, merely less transparent. For what specific purposes the data is ultimately used cannot be verified from the outside.
The legal problem: Schrems II
Since the CJEU's Schrems II ruling of July 2020, the transfer of personal data to the United States is only permissible under additional safeguards. According to the European Data Protection Board, Standard Contractual Clauses alone are often not sufficient, because US surveillance laws such as FISA 702 allow state access to data held by US providers. German Data Protection Authorities have repeatedly classified the use of Google reCAPTCHA without informed visitor consent as problematic. In practice, this consent is rarely properly obtained — or consent banners are not set up at all.
What GDPR-native means in concrete terms
ByeBot runs exclusively on German servers of Hetzner Online GmbH, a GDPR-compliant EU provider. Processing takes place entirely within Germany — no transfer to third parties, no transmission to the United States or other third countries. User-related data, if stored at all, is kept only temporarily as a hash.
Contact & Feedback
Business inquiries, partnerships, press
Support and technical questions
Bug reports and feature requests are fastest to submit through the feedback widget in the customer dashboard.
Frequently Asked Questions
Who is behind ByeBot?
ByeBot is developed by Leon Weinmann, a software developer and Red Teamer from Germany. Background and external profiles can be found above in the Who's Behind ByeBot section.
Is ByeBot open source?
No. ByeBot is a commercial product. The backend and detection logic are intentionally closed source — a publicly documented bot detection would be trivial for attackers to bypass. This approach is standard in the CAPTCHA segment.
How is ByeBot funded?
Exclusively through the subscriptions of paying customers. No VC funding, no investors, no data sales, no advertising business. The business model is deliberately set up so that customer invoices remain the only revenue source.
Why is the company called Luvion Labs and not ByeBot?
Luvion Labs UG (i.G.) is designed as a parent company, so that future products can also be bundled under a single legal structure. ByeBot is the first and currently only product under this umbrella.