From a carder to carders. You bought expensive antidetect software, set up a proxy, perfectly substituted WebGL, Canvas, AudioContext, and even the font list. But the payment still failed with Fraudulent. Because you moved like a robot.
Modern antifraud systems (BioCatch, Forter, Sift) no longer rely on a static fingerprint. They analyze the dynamics of your behavior: how you move the mouse, how fast you type, how you scroll, whether you pause before submitting a form. And based on these 3,000+ parameters, they distinguish a bot from a human with up to 95% accuracy.
In this article, I'll discuss what exactly these systems collect, how to record your own movements to create a dataset, which libraries actually help emulate a human, and how to train LSTM to generate trajectories indistinguishable from real ones.
Part 1. What BioCatch, Forter, and Sift Collect and Why Antidetectives Are Powerless Against Them
BioCatch collects over 3,000 anonymous data points — keystroke and mouse movements, touch behavior, physical device attributes, and more — as users interact with their digital banking platforms.
1.1. Three pillars of behavioral biometrics
- BioCatch builds risk profiles of devices in real time by analyzing behavioral signals in conjunction with device and network data to identify inconsistencies characteristic of mule activity or coordinated APP fraud campaigns.
- Forter and Sift use behavioral analysis to assess the legitimacy of transactions, but their approach focuses more on account usage patterns in general rather than pure biomechanics.
What exactly do they measure:
| Parameter | What is being analyzed | How the bot usually makes mistakes |
|---|---|---|
| Mouse movements | Trajectory, speed, acceleration, jitter, rotation angles, overshoot, micro-corrections | Straight lines, constant speed, no natural "shaking" |
| Keystrokes | Dwell time, flight time, rhythm, use of Tab | Perfectly equal intervals between all characters |
| Scroll | Speed, pauses, upward returns, abrupt stops | Perfectly smooth scrolling with constant speed without stopping |
| Time to fill out forms | Total time, pauses between fields, errors and corrections | Filling out 10 fields in 3 seconds will result in an instant ban. |
| Webcam traffic | Micro-movements of pupils, blinks (for video-KYC) | Complete absence of micro movements or their unnatural periodicity |
- Touch behavior (mobile devices): screen pressure, swipe pattern, device rotation angle.
The main problem is that behavioral analysis is ongoing. The system doesn't check you just once when you log in. It monitors your every move throughout your entire session.
1.2. The Anatomy of Human Movement in Numbers
To emulate a human well, you must know the numerical parameters of human behavior.
| Field type | Delay between characters | Delay before the field | Pause after the field |
|---|---|---|---|
| First name / Last name | 50–150 ms | 200–500 ms | 200–400 ms |
| | 60–120 ms | 300–600 ms | 300–500 ms |
| Card number | 80–200 ms + 300–600 ms pause after 4 digits | 500–1000 ms | 500–800 ms |
| CVV | 100–250 ms | 400–800 ms | 200–400 ms |
| Address (street) | 70–150 ms | 500–1000 ms | 400–600 ms |
The total time to complete a typical payment form with 8–10 fields is at least 20–40 seconds. Less than 10 seconds is a guaranteed fraud signal.
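Seen from the defender's side, the bot mistakes listed in the table in 1.1 and the fill-time floor above reduce to a few timing and geometry features. The following is an added example, not code from the original post or from any vendor named in it; the session format and every threshold except the 10-second fill time are assumptions chosen for illustration.

```python
import math
import statistics

MIN_FILL_SECONDS = 10.0   # from the post: under 10 s is treated as a fraud signal
MIN_GAP_CV = 0.15         # assumed: minimum variation of inter-key gaps
MAX_STRAIGHTNESS = 0.995  # assumed: chord length / path length
MIN_SPEED_CV = 0.10       # assumed: minimum variation of pointer speed

def cv(values):
    """Coefficient of variation (stdev / mean); 0.0 when undefined."""
    if len(values) < 2 or statistics.fmean(values) <= 0:
        return 0.0
    return statistics.pstdev(values) / statistics.fmean(values)

def keystroke_flags(key_times_ms):
    """Near-constant typing rhythm, from key-down timestamps in ms."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    return ["uniform_key_rhythm"] if len(gaps) >= 5 and cv(gaps) < MIN_GAP_CV else []

def mouse_flags(points):
    """Straight, constant-speed pointer paths; points are (t_ms, x, y)."""
    segs = [(math.hypot(x1 - x0, y1 - y0), t1 - t0)
            for (t0, x0, y0), (t1, x1, y1) in zip(points, points[1:])]
    path = sum(d for d, _ in segs)
    if len(segs) < 5 or path == 0:
        return ["no_usable_mouse_data"]
    chord = math.hypot(points[-1][1] - points[0][1], points[-1][2] - points[0][2])
    flags = []
    if chord / path > MAX_STRAIGHTNESS:
        flags.append("straight_line_path")
    if cv([d / dt for d, dt in segs if dt > 0]) < MIN_SPEED_CV:
        flags.append("constant_speed")
    return flags

def score_session(s):
    """Return every bot-like signal found in one form session."""
    flags = keystroke_flags(s["key_times_ms"]) + mouse_flags(s["mouse"])
    if (s["submit_ms"] - s["first_input_ms"]) / 1000.0 < MIN_FILL_SECONDS:
        flags.append("form_filled_too_fast")
    return flags

# Constructed sample sessions, not real telemetry.
SCRIPTED = {"key_times_ms": [i * 100 for i in range(10)],
            "mouse": [(i * 10, i * 10, i * 5) for i in range(10)],
            "first_input_ms": 0, "submit_ms": 3000}
HUMAN = {"key_times_ms": [0, 120, 210, 390, 470, 640, 700, 910],
         "mouse": [(0, 0, 0), (16, 4, 9), (30, 14, 22), (52, 40, 38),
                   (70, 75, 46), (85, 112, 47), (110, 140, 44), (140, 150, 43)],
         "first_input_ms": 0, "submit_ms": 27000}
```

Because the post stresses that analysis is continuous, a production scorer would evaluate these features over sliding windows for the whole session and combine them with device and network signals rather than rely on any single flag.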
Part 2. Recording and Analysis: Collecting a Dataset of Real Sessions
Before you can emulate someone, you need to understand how they move. The best way to do this is to record your own sessions and analyze them.
2.1. rrweb - Recording everything the user does
rrweb (Record and Replay the Web) is an open-source library for recording and replaying web sessions. It records DOM events, not just screenshots: DOM changes, mouse movements, clicks, keyboard inputs — all with timestamps and high resolution, sufficient for creating high-quality datasets.
The basic code for recording mouse movements:
JavaScript:
<script src="https://cdn.jsdelivr.net/npm/rrweb@latest/dist/rrweb.min.js"></script>
<script>
let events = [];
let stopRecording = rrweb.record({
emit(event) { events.push(event); },
recordMouseMove: true, // Record every pixel of movement
recordScroll: true, // Record scroll
recordInput: true, // Record keyboard input
recordClick: true, // Record clicks
sampling: { mousemove: 10 } // 10 ms -> 100 points/second
});
setTimeout(() => {
stopRecording();
console.log(`${events.length} events collected`);
}, 300000); // 5 minutes
</script>
2.2. Export and manual markup
After recording, you need to export the tracks to CSV for visual comparison. rrweb allows you to save an array of events, then filter out mouse events (type 3) and generate a CSV file with the timestamp, x, y, and target columns. You can visualize these tracks, overlay them with real movements, and mark areas with "natural" and "unnatural" behavior.
Part 3. Emulation Libraries: From Ghost Cursor to Human Mouse
After collecting the dataset, we move on to emulation. Here are three main approaches, from the simplest to those virtually indistinguishable from humans.
3.1. Ghost Cursor (JavaScript, Puppeteer/Playwright)
Ghost Cursor is a utility for Puppeteer that generates realistic mouse movements between coordinates. Instead of an instant jump (page.mouse.click()), Ghost Cursor moves the cursor along Bézier curves, simulating the natural trajectory of a hand.
JavaScript:
const puppeteer = require('puppeteer');
const ghostCursor = require('ghost-cursor');
const browser = await puppeteer.launch({ headless: false });
const page = await browser.newPage();
await page.goto('https://example.com');
const cursor = ghostCursor.createCursor(page);
await cursor.moveTo('#submit-button'); // Human-like movement
await cursor.click(); // Click with a random offset
// Ghost Cursor can overshoot and adjust
// for elements that are too far away
Ghost Cursor generates multiple points on a smooth curve, simulating the trajectory of a human hand. However, it has limitations: it doesn't emulate individual micro-movements and doesn't remember your personal style. This is sufficient for most purposes, but the most advanced antifraud systems can detect even Ghost Cursor if used in its pure form without additional randomization.
3.2. @extra/humanize — plugin for Puppeteer and Playwright
@extra/humanize is a plugin that emulates human input, with a particular emphasis on mouse movements. Its key feature is built-in support for various randomization algorithms and the ability to customize the randomization based on your own statistics.
JavaScript:
const humanize = require('@extra/humanize');
await humanize.click(page, '#button', {
waitTime: 500, // pause before movement ("aiming")
moveSpeed: 0.8, // relative speed
variation: 5 // pixels offset from target
});
3.3. Human Mouse – the most realistic Python tool
Human Mouse is a Python package that generates ultra-realistic mouse movements using Bézier curves and spline interpolation. It creates natural-looking trajectories with smooth accelerations, decelerations, and micro-jitters that are nearly indistinguishable from real human movements.
Python:
from human_mouse import HumanMouse
import pyautogui
human = HumanMouse()
# Move the mouse from the current position to (500, 500) in 0.8 seconds
human.move_to(500, 500, duration=0.8, bezier=True)
# Click with a human pattern (hover + variation)
human.click(500, 500, hover_duration=0.2, variation=5)
Other libraries for Python:
- BezMouse is a lightweight Bezier motion simulation tool that has not triggered any detections in over 400+ hours of continuous use in one project (RuneScape bot).
- OxyMouse is a motion generation library compatible with any browser automation framework.
Part 4. Advanced: LSTM and AI Trajectory Generation
Ghost Cursor and Human Mouse generate "average" human movement. But if you want to be truly indistinguishable, you need your bot to move like you, not like the average person. That's what LSTMs are for.
4.1. Bumblebee – AI package for natural mouse and keyboard control
Bumblebee is an open-source Python package that uses an RNN with an LSTM layer to generate smooth, human-like mouse trajectories. The generated paths are enriched with natural noise and variable speed, creating movements that are as close as possible to real human behavior.
Bumblebee's main advantage over static libraries is that it learns from your data. You record your session via rrweb, convert the tracks into a training dataset, and the model generates new trajectories that are statistically indistinguishable from your original ones.
4.2. Creating a training dataset
To train LSTM, you need a labeled dataset of real mouse trajectories. You can use:
- Your own recordings via rrweb (the more the better – at least 50 sessions of 5–10 minutes each).
- Public datasets like SapiMouse (from Microsoft research).
- Data from crowdsourcing platforms, if you have access.
Data format for LSTM:
| Input parameters of the model | What do they mean? |
|---|---|
| X | Array of previous N points (x, y, timestamp) |
| y | Next point (x, y) |
| seq_length | The number of previous points used to predict the next one |
The longer the seq_length, the more accurately the model will replicate your movement style, but the more data you'll need (at least 1000 sequences for seq_length=30). Normalizing the coordinates is a mandatory step.
4.3. Trajectory generation using a trained model
After training an LSTM model (for example, in PyTorch with an architecture consisting of a single 64-neuron LSTM layer and a linear output layer), you can generate new trajectories while preserving their unique behavioral signature. Adding controlled random noise (with a temperature of 0.1–0.3) will prevent pattern-based detection.
Part 5. Testing and checklist before carding
Once you've created your emulator, you need to test it. Run it through fingerprint verification services.
5.1. Anonymity Verification Tools
| Service | What is it testing? | Target indicator |
|---|---|---|
| BrowserLeaks | All types of leaks: WebRTC, Canvas, WebGL, AudioContext | No matches with real IDs |
| CreepJS | The degree of uniqueness of your device | Your device should not stand out from the noise. |
| Whoer.net | Percentage of anonymity | 85–95% |
| Pixelscan | Comprehensive fingerprint analysis | No red flags |
Why is AudioContext important? In 2026, platforms use audio fingerprints, along with Canvas and WebGL, to create 99%+ unique identifiers across a pool of 100,000 users. If your AudioContext is disabled or incorrectly substituted, it will result in a ban.
5.2. What should be in the ideal result?
- Canvas and WebGL should be silently replaced, but not blocked completely. Complete blocking is the first and most glaring red flag for any antifraud program.
- The User-Agent and headers must match. If the User-Agent states Windows 11, but the Sec-Ch-Ua-Platform states macOS, you're guaranteed a ban.
- Time zone, language and IP must be fully synchronized.
- Fingerprints must be consistent with each other. In 2026, platforms will verify up to five independent fingerprint sources simultaneously, including TLS ClientHello and HTTP/2 settings.
I recommend creating a standard script for testing: it should run before each important session and immediately notify you of any deviation, indicating the specific discrepancy.
5.3. Final checklist before carding
- Technical fingerprint tested via BrowserLeaks and Whoer.
- WebRTC and DNS do not leak.
- The behavioral trace is verified by recording and analyzing your test session.
- Delays in scripts are configured with randomization.
- Mouse movements are generated via Ghost Cursor / Human Mouse rather than instant clicks.
- AudioContext is not disabled, but replaced correctly.
- The LSTM model (if using) has been retrained over the last 3 months on fresh data.
Summary from a carder
Behavioral biometrics is the new frontier. Old antidetect methods that only replaced static parameters no longer work. Today, we need to emulate dynamics: how you move the mouse, how you type, how you scroll the page.
The tools are available: Ghost Cursor and Human Mouse for basic emulation, rrweb for recording and analysis, Bumblebee and LSTM for advanced AI generation. The main rule is: don't be lazy in testing. Every time before hit data, run your profile through all available fingerprint verification tools. A behavioral error costs you a card. And a persistent error costs you an entire pool.
A quick one-line reminder:
"BioCatch collects 3000 parameters per session. Ghost Cursor hides an instant click behind a Bézier curve. LSTM teaches your bot to move like you. rrweb records the standard. And BrowserLeaks catches those who think Canvas and WebGL are everything. Behavior is the final frontier." "Beat him and you beat the system."