Author here: There’ve been a lot of HN threads lately about scraping, especially in the context of AI, and with them, a fair amount of confusion about what actually works to stop bots on high-profile websites.

This post uses TikTok’s obfuscated JavaScript VM (recently discussed on HN) as a case study to walk through what modern bot defenses look like in practice. It’s not spyware, it’s an anti-bot measure designed to make life harder for HTTP clients and non-browser automation.

Key points:

- HTTP-based bots skip JS, so TikTok hides detection logic inside a JavaScript VM interpreter
- The VM computes signals like webdriver checks and canvas-based fingerprints
- Obfuscating this logic in a custom VM makes it significantly harder to reimplement outside the browser (and so to scale an attack)

The goal isn’t to stop all bots, it’s to push attackers into full browser environments, where detection is more feasible

The post covers why simple solutions like "just require JS" don’t hold up, and why defenders use techniques like VM-based obfuscation to increase attacker cost and reduce replayability.
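
Added example, not part of the comment above and not TikTok's code: a toy stack VM in which the webdriver check and a canvas-style hash exist only as bytecode, which is the shape of defense the key points describe. The opcode set, the XOR key, the FNV-1a hash and the `fakeEnv` helper are all assumptions made for this sketch.

```javascript
// Toy stack VM: the detection logic lives in bytecode, not in readable JS.
// Opcode numbers, the XOR key and the env shape are constructed for this example.
const OP = { ENV: 0, STR: 1, GET: 2, CALL: 3, BOOL: 4, HASH: 5, EMIT: 6, HALT: 7 };
const KEY = 0x5a;

// Strings are stored XOR-encoded so names like "webdriver" never appear in the bytecode.
const enc = (s) => [s.length, ...[...s].map((c) => c.charCodeAt(0) ^ KEY)];

// FNV-1a 32-bit, standing in for whatever hash a real fingerprint would use.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (const c of String(s)) h = Math.imul(h ^ c.charCodeAt(0), 0x01000193) >>> 0;
  return h;
}

function run(code, env) {
  const stack = [], out = {};
  let pc = 0;
  for (;;) {
    switch (code[pc++]) {
      case OP.ENV: stack.push(env); break;
      case OP.STR: {
        const n = code[pc++];
        stack.push(String.fromCharCode(...code.slice(pc, pc + n).map((b) => b ^ KEY)));
        pc += n; break;
      }
      case OP.GET: { const k = stack.pop(), o = stack.pop(); stack.push(o == null ? undefined : o[k]); break; }
      case OP.CALL: { const k = stack.pop(), o = stack.pop(); stack.push(o[k]()); break; }
      case OP.BOOL: stack.push(stack.pop() ? 1 : 0); break;
      case OP.HASH: stack.push(fnv1a(stack.pop())); break;
      case OP.EMIT: { const v = stack.pop(), k = stack.pop(); out[k] = v; break; }
      case OP.HALT: return out;
      default: throw new Error("bad opcode at " + (pc - 1));
    }
  }
}

// Program: out.w = bool(env.navigator.webdriver); out.c = hash(env.canvas.toDataURL())
const PROGRAM = [
  OP.STR, ...enc("w"), OP.ENV, OP.STR, ...enc("navigator"), OP.GET,
  OP.STR, ...enc("webdriver"), OP.GET, OP.BOOL, OP.EMIT,
  OP.STR, ...enc("c"), OP.ENV, OP.STR, ...enc("canvas"), OP.GET,
  OP.STR, ...enc("toDataURL"), OP.CALL, OP.HASH, OP.EMIT, OP.HALT,
];

// Constructed environments: in a browser, env would wrap the real navigator and a canvas element.
const fakeEnv = (webdriver, pixels) => ({ navigator: { webdriver }, canvas: { toDataURL: () => pixels } });
const collect = (env) => run(PROGRAM, env);
```

The signal names and the order they are read in are only recoverable by tracing the interpreter, and the canvas value depends on what the rendering environment actually returns.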