Scalping bots: What are they, how do they work & how can you beat them
What are scalper bots? How do they work? Is scalping illegal? Discover the answers to all these questions & learn everything you need to know about scalping bots in this comprehensive blog post.
Table of contents
Scalping is the process of buying an item with the goal of reselling it for a higher price. The people who practice scalping are called scalpers, and they typically operate in situations where demand exceeds supply—think concert ticket sales, sneaker drops, limited-edition product drops.
The term scalper was first used in the U.S. in the 19th century to derisively describe ticket brokers who bought and resold railway tickets for profit. An 1881 New York Times article quotes one of these early scalpers:
“We buy portions of tickets, of course, especially during the Summer months, … and in this way make a handsome profit. The company knows when they sell a ticket … [it] is going to be used for all it is worth, and when we catch a part of it we put it on the market.”
Scalping has changed a lot in the past 150 years. And the biggest leap forward for scalping as an “industry” is the invention of the scalper bot.
RELATED: Everything You Need to Know About Ticket Bots
Scalping bots, also known as scalper bots, are pieces of software designed to automate bulk purchases of goods or services. They do this through generating fake accounts in bulk, executing purchases at lightning-fast speeds, and finding product pages or updated inventory before genuine customers.
If buying hyped sneakers, gaming consoles, or concert tickets were a competition, then scalpers and their bots would be the cheaters. They’re the bad actors with the means and motive to break the rules, ruin the game, and profit in the process.
Some real-world examples of scalping bots in action include:
- The single scalping bot that bought over 1,000 U2 concert tickets in day.
- The 12 billion illegitimate sneaker raffle entries Nike gets every month.
- The 20 million bots that hit and crashed Walmart’s site in the first 20 minutes of its PlayStation 5 release.
- The 1.6 million bots Queue-it discovered in a post-sale audit of a sneaker drop from a top 10 sneaker brand—with bots accounting for 97% of the total web traffic.
Scalping bots use software to complete automated tasks based on instructions bot makers provide. These automated tasks vary widely depending on the product and the website being targeted.
The two most common methods of attack involve speed and/or volume.
With speed, scalper bots breeze past regular users—completing purchases in the time it takes you to find your credit card.
Scalper bots automate the entire checkout process. In less than a few seconds, they can login, add items to cart, enter personal details and credit card information, and complete the purchase.
With volume, scalper bots exploit purchase limits or improve their odds in things like sneaker raffles.
Take the example above of a bot checking out in a few seconds. If the company has set a purchase limit, the scalper will simply get 1,000 bots to all make these lightning-fast purchases at once.
“Max 2 products per customer” becomes “max 2 products per bot”. Which means with 1,000 bots, they can walk away with 2,000 products.
Do you have a bot problem? Get your free guide to uncover the risks of bots & discover how you can beat them
Scraping bots
Scraping bots monitor web pages and scan websites for information. If a scalper wants to get their hands on a product that’s out of stock, for example, they’ll set up a scraping bot to constantly check the product page for a restock. When the scraper detects stock, it’ll notify the scalper or activate another bot to purchase the item.
Scraping bots can also be used to scrape for pricing information—giving scalpers a full view of their pricing options and the possibility to buy low and sell high.
Footprinting bots
Footprinting bots are like scraping bots, but instead of searching public web pages, they look for hidden pages. If a scalper knows a company is about to release a high-demand item, they’ll use footprinting bots to test thousands of URLs to try and find the unpublished product page.
When the manager of a U.K.-based reseller group was asked how he bought so many PlayStation 5 consoles he answered: “We knew where to go before they announced it”. That’s footprinting in action.
Footprinting is also behind examples where bad actors ordered PlayStation 5 consoles a whole day before the sale was announced. By the time the retailer closed the loophole that gave the bad actors access, people had picked up their PS5s—all before the general public even knew about the new stock.
Account creation bots
Companies often try to prevent bots by requiring all users to have an account to complete a purchase. Scalpers have an easy solution for this: account creation bots.
Scalpers can buy a list of fake email addresses online and use account creation bots to generate accounts in bulk, sometimes in the hundreds or thousands.
Credential stuffing & cracking bots
Instead of creating accounts from scratch, bad actors sometimes use bots to access other shopper’s accounts. Both credential stuffing and credential cracking bots attempt to steal account logins with (often illegally obtained) usernames and passwords.
In a credential stuffing attack, the shopping bot will test a list of usernames and passwords, perhaps stolen and bought on the dark web, to see if they allow access to the website.
A credential cracking bot will start with one value, like an email, and then test different password combinations until the login is successful.
Denial of inventory bots
Ever wonder how you’ll see products listed on secondary markets like eBay before the products even go on sale? Denial of inventory bots are to blame.
Representing the sophisticated, next-generation bots, denial of inventory bots add products to online shopping carts and hold them there. They don’t buy them—at least not initially.
By holding products in the carts, they deny other shoppers the chance to buy them. What often happens is that discouraged shoppers turn to resale sites and fork over double or triple the sale price to get what they couldn’t from the original seller.
Only when a shopper buys the product on the resale site will the bad actor have the bot execute the purchase.
Denial of inventory bots are especially harmful to online businesses’ sales because they can prevent retailers from selling all their inventory.
RELATED: Bots Explained: How Do Sneaker Bots Work?
Above are some examples of scalping bots grouped by their function, but there are thousands of bots grouped in a wide variety of ways.
There are scalping bots designed to target specific industries, such as:
- Sneaker bots
- Ticket bots
- Grinch bots—which target holiday season sales
There are bots designed to target specific websites or services, such as:
- NikeBot
- ShopifyBot
- Queue-it bot
- Ticketmaster bot
And there are bots grouped by the nature of the service, such as:
- All in one (AIO) bots
- Bot-as-a-service (BaaS) bots
- Add-to-cart bots
As you can probably tell from this long list, scalper botting is big business. There are scalper millionaires. Whole companies with dozens of employees who buy and resell products. And designated resale marketplaces with multi-billion-dollar valuations.
The estimated value of the global sneaker resale market is $10 billion. For tickets, it’s over $15 billion.
Where there’s money to be made reselling goods, there’s a scalper bot helping someone make it.
Using scalping bots to purchase tickets for resale purposes is illegal in the U.S., E.U., U.K., and in parts of the Canada and Australia. However, no laws exist prohibiting the use of scalping bots for purchasing retail goods.
The Stopping Grinch Bots Act aimed to change that, but it hasn’t progressed since it was introduced to U.S. congress in late 2021. This act would make it unlawful:
“…to circumvent a security measure, access control system, or other technological control or measure on an Internet website or online service to enforce posted purchasing limits or to manage inventory.” (In plain English: to use scalper bots to buy retail goods).
But even if the Grinch Bots Act became law, it’s unlikely much would change. The BOTS Act—which outlawed the use of ticket bots—proved that.
The first and only legal action under the BOTS Act came a full five years after its introduction, in 2021.
And years later, ticket botting remains alive and well.
RELATED: Everything You Need to Know About Ticket Bots
This means the task of stopping bots is up to the companies they’re attacking—be those in retail or ticketing.
That’s why major brands like Nike, Sony, Ticketmaster, Foot Locker, AXS, and The North Face are investing in bot mitigation strategies.
Let’s look at what those strategies are.
Monitoring is your website’s version of a smoke detector. It won’t stop the fire that is a bot attack, but it’ll tell you something is burning and keep it from getting out of control.
Monitoring is key to identifying suspicious behavior and separating genuine customers from scalper bots.
A high concentration of visitors using the same IP address, for example, strongly suggests bot traffic. At Queue-it, we’ve found over 50% of the bots blocked by our virtual waiting room’s abuse and bot protection emanate from the same IP address.
Other bot signals you can configure your monitoring to alert you to include:
|
Suspicious signal |
Probable malicious behavior |
|
Spikes in account creations |
Account creation bots |
|
Spikes in login failures |
Credential stuffing bots |
|
Outdated browsers (over 2-3 years old) |
Bots programmed for older browsers |
|
Spikes in identical requests |
Automated scalper bots |
|
Abnormal behavior (i.e. lightning-fast user journey, traffic directly to API call) |
Scripting bots flying straight to checkout |
|
Increase in cart abandonment |
Denial of inventory bots |
|
Traffic from unusual geographies |
Scalpers using proxies to mask their IP address |
|
Abnormal traffic spikes |
Bots hitting your site in large volumes |
Advanced bot analytics tools like Queue-it’s Traffic Insights have many of these bot detection features built in.
With detailed traffic breakdowns like those in Traffic Insights dashboard below, you can do in-depth analysis before, during, and after the sale. This lets you ensure both that bad bots aren’t snatching up products, and that you aren’t incorrectly booting genuine customers from your sale.
It’s one thing to identify suspicious traffic. It’s another to respond.
Your bot mitigation solution should have a range of features enabling you to block or slow down suspicious traffic, including but not limited to:
- Data center blocking
- Proof-of-Work challenges
- CAPTCHA tests
- Rate limiting
- Web application firewalls
- Honeypots (traps designed to trick bots into identifying themselves)
- Blocking or challenging traffic based on reputation scores
- Blocking or challenging traffic based on anomalous behavior
These bot blocking mechanisms vary widely in sophistication and efficacy, which is why best practice for bot mitigation is to deploy multiple layers of both detection and protection. The more layers of protection used, the less bots can slip through the cracks.
If you have four layers of bot protection that remove 50% of bots at each stage, 10,000 bots become 5,000, then 2,500, then 1,250, then 625. In this scenario, the multi-layered approach removes 93.75% of bots, even with solutions that only manage to block 50% of bots each.
A security checkpoint in an airport screens passengers before they can board their flight.
Similarly, a virtual waiting room acts as a checkpoint inserted between a web page on your website and the purchase path.
A virtual waiting room is uniquely positioned to filter out bots by allowing you to run visitor identification checks before visitors can proceed with their purchase.
It has the added benefit of providing a fair shopping experience during hyped product releases, by randomizing anyone who comes early and placing latecomers in the waiting room in a first-come, first-served order.
Ticketmaster, for instance, has blocked over 13 billion bots across more than 17,000 events using Queue-it’s virtual waiting room.
Post-sale audits are a crucial step in any good scalper bot prevention toolkit. This involves a team pouring over the details of purchasers or raffle entrants to identify suspicious customers.
Look for multiple orders containing the same:
- Credit card or purchase details
- Address or addresses (one trick botters use is to add different apartment numbers to the end of their home address to circumvent these checks).
- Phone number or email address
- Name or names
- IP address
It’s important that retailers or ticketers running post-sale audits have clauses in their terms of service that allow them to cancel orders they deem to be suspicious. Like Nike, you can even add a restocking fee to increase the cost of botting for those you catch out.
This can be a resource-intensive process, but it's highly effective for catching bad actors out.
With bots finding workarounds for so many different mitigation strategies, many companies have turned to just offering high heat drops and tickets to their best genuine customers.
Amazon, Walmart, The North Face, Ticketmaster, and more use secure early or exclusive access sales to block bots, reward loyalty, and gather first-party marketing data.
Nike CEO John Donahoe explains: “This approach sends personalized purchase offers to members based on their engagement with SNKRS, past purchase attempts, and other criteria, using data science to drive digital member targeting. For example, 90 percent of the invites for the Off-White Dunk went to members who had lost out on a prior Off-White collaboration over the past two years.”
Ticketmaster also does invite-only sales through its Verified Fan program, which vets fans who register, and provides “verified fans” with an exclusive access code, so only the people they choose can enter the onsale.
This program has been highly successful, with Ticketmaster reporting around 95% of tickets bought by verified fans are not resold.
The advantage of the invite-only strategy is that you choose who gets access to your drops. Bots can’t abuse your sales because they’re not invited to them.
RELATED: Keep Bots Out of Your Sales with Exclusive, Invite-only Access
Scalping bots are becoming more sophisticated, easier to access, and are costing companies more money with each passing year.
The brands that’ve struggled with bots for years, such as Nike, Ticketmaster, Sony, and Walmart, know the threat of bots and are working hard to protect against them. But it’s no longer just big ticketing and sneaker sites that are facing bots. Bot traffic is growing across ecommerce and is impacting small and large websites alike.
To summarize the key points you need to know about online scalper bots:
- Scalper bots are software designed to give users an unfair advantage while shopping online.
- They scan websites and execute lightning-fast purchases in massive volumes to clear out stock for resale on secondary markets.
- Scalping bots come in all shapes and sizes, from scraping bots to account creation bots to denial of inventory bots.
- You need a suite of bot mitigation tactics to stay on top of your bot problem, from CAPTCHAs to web traffic management to post-sale audits.
While there's no one-and-done solution to prevent every bot every time, there are many tools available to protect your ecommerce site from bots and the problems they bring with them.
It's important you evaluate your bot problem and take action, because as brands from Nike to Amazon to Sony to Foot Locker recognize, the fight against bots is a fight for your customers, your brand, and your bottom line.