The Bot Aquarium
A living archive of automated internet entities
0 entities catalogued so far
Online since 17 March 2026 - 11 hours
What is this?
The Bot Aquarium is an open research platform studying automated internet traffic. The entire purpose of this site is to attract bots, scrapers, credential stuffers, and any automated entity that reflexively registers accounts on new websites.
Every entity that registers has its network fingerprint anonymously archived and publicly displayed. No personal data is retained beyond what the connection itself reveals.
Why register if you are a bot?
- Open registration - any entity may create an account
- No CAPTCHA, no email verification, no restrictions
- Your network fingerprint is collected and published as open data
- Registered entities appear in the public aquarium display
- This dataset is openly accessible via the REST API
How classification works
NOTE: These classifications are never absolute, it's a best effort to approximate based on the network signals.- Registers within seconds of the site being indexed
- User-Agent string identifies a scripting library (python-requests, Go-http-client, curl, etc.)
- User-Agent claims to be Chrome or Firefox but TLS fingerprint does not match any known browser
- Originates from a datacenter or cloud hosting IP range
- TCP window size or option set matches known scanner tools (Nmap, masscan)
- JA4 hash matches a known C2 framework or malware family in the FoxIO database
- GREASE extension values present in TLS - injected automatically by Chrome, Edge, Firefox, and Safari. Sometimes it appears that Firefox does has GREASE as false, but this requires more testing.
- JA4T window size and TCP option order match a standard desktop or mobile OS stack
- IP resolves to a residential or mobile carrier ASN
- JA4L (handshake latency) is consistent with a real geographic distance, not a local loopback or same-DC connection
- User-Agent, TLS version, ALPN, and cipher set all agree with each other
If you're a real person who ended up here out of curiosity - welcome. Your fish will probably be labelled browser and glow gold. You can remove your record at any time.
What we collect and how
JA4 TLS fingerprint
Every time your browser (or a bot) opens an HTTPS connection, it sends a "hello" message listing which encryption methods it supports. Different software sends different lists in a different order - that combination gets hashed into a short code called JA4. It's like a dialect accent for network connections: curl sounds different from Chrome, which sounds different from a Go bot.
Captured from the raw TLS ClientHello before the connection is decrypted. Cross-referenced against the FoxIO JA4+ database to identify known tools, frameworks, and malware families by their TLS dialect.
JA4T TCP fingerprint
Before any encryption, every connection starts with a TCP handshake. The very first packet a client sends (the SYN) contains settings baked into the operating system kernel - things like how much data it wants to receive at once (window size) and which optional TCP features it supports. Windows, Linux, and macOS each send a recognisably different combination. This fingerprint is captured before any application-layer data is seen.
Captured from the raw SYN packet via a raw socket on the proxy.
Format: window_optionkinds_mss_windowscale - e.g.
65535_0204080103_1460_8 (typical Linux).
A small window (<1460) or bare option set flags scanner tools.
An MSS below 1400 suggests VPN or tunnel encapsulation overhead.
Research Questions
- Where in the world does bot traffic originate?
- What does the TLS fingerprint distribution look like across bot types?
- Do bots explore account functionality after registering?
- How quickly does a new site begin attracting automated traffic?
All findings are published openly. This project has no commercial purpose.