How do sneaker bots work?
Because sneaker bots are just software programs following instructions, they work in many ways.
On the simpler end, there are automated bots that scrape inventory information from a web page. For example, this YouTuber shows how he pulls inventory information from the page URL. This bot could then be used to notify the bot operator when there’s a re-stock of sneakers.
On the more complex end, there are sneaker bots that inject pre-recorded mouse and click behavior from human users to fool sophisticated bot mitigation software.
In one instance, a bot operator knew what signs the bot mitigation software looked for and spent hundreds of hours recording thousands of “human” interactions on the sneaker website. As the company’s VP of web security said, “We have not seen that level of investment and time and energy and building for exploits or bypasses in other markets.”
Bot operators also go to great lengths to cover their tracks. The more sophisticated reseller bots will use proxies and VPNs to mask their IP addresses, for example. This makes it appear the bots are coming from unconnected, individual residential addresses instead of one coordinated address.
Sneaker bots go by many names. AIO bot, KodaiAIO, NikeShoeBot, and GaneshBot are just a few. Some are custom-made to target certain retailers, like Foot Locker, Nike, or Adidas.
The best way to group sneaker bots is based on their functions.
Some bots have just one. Some have several. Here are the most common types of sneaker bots and how they work.
Scraping bots
As we saw above, scraping sneaker bots work by monitoring web pages to facilitate online purchases. These bots can scrape pricing info, inventory stock, and similar information.
Here we can see the unfairness of sneaker bots.
Imagine a sneakerhead wanting to compete with this bot. The sneakerhead would need to sit at her computer, manually refresh the browser, and stare at her screen 24/7 until the re-stock happens.
She could only keep this up for a few hours. And what if the re-stock happens when she’s having lunch or using the bathroom?
Scraper bots don’t eat. They don’t take breaks. And they don’t tire out.
Humans have no chance to compete with them.
Footprinting bots
Footprinting is like scraping, but involves the bot probing and scanning the website. For example, a footprinting bot could search for live web URLs that haven’t yet been made public.
Footprinting bots were the culprits behind the cancelled Strangelove Skateboards x Nike SB Dunk Low collaboration. Strangelove wrote that “the raging botbarians at the gate broke in the back door and created a monumental mess for us this evening… We regret to inform everyone that tomorrow’s launch has been cancelled and we will not be selling them on the site.”
The footprinting sneaker bots clearly accessed the products a day before the release even happened.
Account creation bots
For bot operators to finalize purchases, they need an account with the retail site. They can generate a list of free emails and then use an account creation bot to create hundreds or thousands of accounts in bulk.
Account takeover bots
Instead of creating new accounts from scratch, bad actors sometimes use bots to access other shoppers’ accounts.
Both credential stuffing and credential cracking bots do multiple login attempts with (often stolen) usernames and passwords. In a credential stuffing attack, the bot will test the list of usernames and passwords to see if they allow access to the sneaker retailer’s site. A credential cracking bot will start with one value, maybe an email, and then test different password combinations until the login is successful.
Scalper bots
Scalper bots, also known as resale bots or reseller bots, are probably the most well-known kind of sneaker bot.
Scalper bots use their speed and volume advantage to clear the digital shelves of sneaker shops before real sneakerheads even enter their email address.
A typical scalper bot will “sit” on the sneaker product page, constantly refreshing to click “add to cart” the second the sneaker drops. It will let the bot operator complete any CAPTCHA tests, then zoom through the checkout process, autofill billing and shipping information, and press “buy” at lightning speed—as little as 0.2 seconds.
Denial of inventory bots
Ever wonder how you’ll see sneakers listed on secondary markets like StockX or eBay before the kicks even drop? Denial of inventory bots are to blame.
A perfect example of the sophisticated, next-gen bots, these bots add sneakers to online shopping carts and hold them there. They don’t buy them—at least not initially.
Holding sneakers in the cart denies other shoppers the chance to buy them. Often, discouraged sneakerheads will turn to resale sites and pay double or triple the MSRP to get what they couldn’t on the retailer’s site.
Only when a shopper buys the product on the resale site will the bot operator have the bot complete the purchase.
Cashing out bots
Some bot operators don’t just use bots to put sneakers in shopping carts. They’ll also use cashing out bots to validate stolen credit card information and then use the bots to buy the products reserved by their scalping or denial of inventory bots.
How can sneaker retailers prevent sneaker bots?
If bots were easy to stop, someone would have done it by now.
Bot operators use cutting-edge methods of attack. As a sneaker retailer, your defenses need to be just as sophisticated.
In practice this means you need a combination of tools and strategies tailored to bots’ diverse attack vectors.
Here’s a list of some actions you can take to prevent sneaker bots from ruining your sneaker drops.
1. Block known bot traffic
One telltale sign of bot traffic is outdated browser versions.
Real visitors should be using an up-to-date version of a browser, but bot scripts frequently run on outdated versions.
Cyber security company Imperva recommends blocking browser versions that are over 3 years old and CAPTCHAing browser versions over 2 years old.
- End of life over 2 years ago: CAPTCHA
- End of life over 3 years ago: block
Traffic from data centers often comes from sneaker bots—in fact, 70% of bad bots emanate from data centers.
Scalpers and other bad actors can purchase server space in a data center and easily obtain hundreds of IP addresses.
That’s why Imperva also recommends blocking traffic from DigitalOcean, GigeNET, OVH Hosting, and Choopa, LLC data centers, and CAPTCHAing traffic coming from Amazon.com data centers.
Just like with the browser version, the most sophisticated bots won’t be making these mistakes. But you can take these decisive actions to cut down on low- to medium-sophistication bots.
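The two coarse rules in this section, browser-version age and data-center origin, are easy to express as a request triage that returns the strictest verdict. The block below is an added example, not code from the original article or from Imperva. The end-of-life dates in `BROWSER_EOL` and the hosting ranges in `DATACENTER_BLOCK` / `DATACENTER_CAPTCHA` are constructed placeholders (the ranges are RFC 5737 documentation prefixes); a deployment would load vendor end-of-life data and a hosting-provider IP list in their place.

```python
"""Added example (not code from the original article or from Imperva): a
request triage that applies the browser-version age rule and the data-center
origin rule and returns the strictest verdict.  Dates and network ranges are
constructed placeholders."""
import ipaddress
import re
from datetime import date

# Constructed placeholder: Chrome major version -> end-of-life date.
# Not a real release calendar; replace with vendor data.
BROWSER_EOL = {
    80: date(2020, 3, 1),
    90: date(2021, 5, 1),
    100: date(2022, 4, 1),
    110: date(2023, 3, 1),
    120: date(2024, 1, 1),
}

# Constructed placeholders for hosting ranges, using documentation prefixes.
DATACENTER_BLOCK = [ipaddress.ip_network("203.0.113.0/24")]    # providers to block outright
DATACENTER_CAPTCHA = [ipaddress.ip_network("198.51.100.0/24")]  # providers that only get a CAPTCHA

SEVERITY = {"allow": 0, "captcha": 1, "block": 2}


def browser_rule(user_agent: str, today: date) -> str:
    """Block browsers more than 3 years past end of life, CAPTCHA those over 2."""
    match = re.search(r"Chrome/(\d+)", user_agent)
    if not match:
        return "allow"  # no version evidence in this UA; other rules still apply
    major = int(match.group(1))
    known = [v for v in BROWSER_EOL if v <= major]
    if not known:
        return "block"  # older than anything in the table
    years_past_eol = (today - BROWSER_EOL[max(known)]).days / 365.25
    if years_past_eol > 3:
        return "block"
    if years_past_eol > 2:
        return "captcha"
    return "allow"


def network_rule(ip: str) -> str:
    """Apply the data-center origin rule."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in DATACENTER_BLOCK):
        return "block"
    if any(addr in net for net in DATACENTER_CAPTCHA):
        return "captcha"
    return "allow"


def decide(ip: str, user_agent: str, today: date) -> str:
    """Combine the rules, taking the strictest verdict."""
    verdicts = [browser_rule(user_agent, today), network_rule(ip)]
    return max(verdicts, key=SEVERITY.__getitem__)


# Constructed sample requests: (client ip, user agent).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "Mozilla/5.0 Chrome/120.0.0.0"),
    ("192.0.2.11", "Mozilla/5.0 Chrome/100.0.0.0"),
    ("192.0.2.12", "Mozilla/5.0 Chrome/90.0.0.0"),
    ("198.51.100.7", "Mozilla/5.0 Chrome/120.0.0.0"),
    ("203.0.113.5", "Mozilla/5.0 Firefox/126.0"),
]


def triage(requests=SAMPLE_REQUESTS, today=date(2024, 6, 1)) -> dict:
    """Return {ip: verdict} for a batch of requests."""
    return {ip: decide(ip, ua, today) for ip, ua in requests}


if __name__ == "__main__":
    for ip, verdict in triage().items():
        print(ip, verdict)
```

Taking the strictest of the two verdicts is what keeps a current browser running from a blocked hosting range from slipping through; as the section notes, these rules only catch low- to medium-sophistication bots, so they belong in front of, not instead of, behavioral analysis.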
2. Monitor & identify traffic
If you can’t measure it, you can’t improve it. So, if you don’t have tools to monitor and identify sneaker bot traffic, you’ll never stop it.
Professional bot mitigation platforms analyze behavioral indicators like mouse movements, frequency of requests, and time-on-page to identify suspicious traffic. For example, if a user visits several pages without moving the mouse, it’s most likely a bot.
Bot mitigation solutions help identify sneaker bots with digital fingerprinting. They look at known information like browser type, IP address, cookies, browser extensions, and so on to create a profile of users that can be flagged as suspicious.
Remember to look for bot mitigation solutions that monitor traffic across all channels—website, mobile apps, and APIs. Sneaker bots can plug directly into retailers’ APIs to access products more quickly. You need to cover all entry points.
Finally, the best bot mitigation platforms use machine learning to constantly update to the threats on your specific web application. In the cat-and-mouse game of bot mitigation, your playbook can’t be based on last week’s attack.
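The behavioral indicators and fingerprinting described in this section can be scored per session from an event log. The block below is an added example written for this article, not a vendor's detection logic: the log lines are constructed, the session ids, field names and thresholds are assumptions, and the fingerprint (IP, user agent, language) is deliberately minimal.

```python
"""Added example (not a vendor's detection logic): session-level scoring over a
constructed event log.  The rules mirror the indicators above: pages viewed with
no mouse movement, request frequency, and a fingerprint shared by several
sessions."""
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp followed by key=value fields, one event per line.
LOG = """\
2024-06-01T10:00:00Z sess=h1 ip=192.0.2.10 ua=Chrome/124 lang=en-US ev=pageview path=/sneakers/x
2024-06-01T10:00:04Z sess=h1 ip=192.0.2.10 ua=Chrome/124 lang=en-US ev=mousemove
2024-06-01T10:00:20Z sess=h1 ip=192.0.2.10 ua=Chrome/124 lang=en-US ev=pageview path=/sneakers/x/size
2024-06-01T10:00:25Z sess=h1 ip=192.0.2.10 ua=Chrome/124 lang=en-US ev=mousemove
2024-06-01T10:00:00Z sess=b1 ip=198.51.100.7 ua=Chrome/80 lang=en-US ev=pageview path=/sneakers/x
2024-06-01T10:00:01Z sess=b1 ip=198.51.100.7 ua=Chrome/80 lang=en-US ev=pageview path=/sneakers/x
2024-06-01T10:00:02Z sess=b1 ip=198.51.100.7 ua=Chrome/80 lang=en-US ev=pageview path=/sneakers/x
2024-06-01T10:00:03Z sess=b1 ip=198.51.100.7 ua=Chrome/80 lang=en-US ev=pageview path=/sneakers/x/size
2024-06-01T10:00:00Z sess=b2 ip=198.51.100.7 ua=Chrome/80 lang=en-US ev=pageview path=/sneakers/x
2024-06-01T10:00:02Z sess=b2 ip=198.51.100.7 ua=Chrome/80 lang=en-US ev=pageview path=/sneakers/x/size
2024-06-01T10:00:05Z sess=b2 ip=198.51.100.7 ua=Chrome/80 lang=en-US ev=pageview path=/cart
"""

MIN_PAGEVIEWS_NO_MOUSE = 3        # pages viewed without a single mouse event
MAX_PAGES_PER_MINUTE = 60         # faster than one page per second
SHARED_FINGERPRINT_SESSIONS = 2   # toy threshold; tune on real traffic


def parse(log_text):
    """Yield (timestamp, fields) for each non-empty log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields


def fingerprint(fields) -> str:
    """Minimal fingerprint; real products combine many more signals."""
    raw = "|".join((fields["ip"], fields["ua"], fields["lang"]))
    return hashlib.sha256(raw.encode()).hexdigest()[:12]


def score_sessions(log_text=LOG) -> dict:
    """Return {session id: [reasons]}; an empty list means nothing suspicious."""
    sessions = {}
    for ts, f in parse(log_text):
        s = sessions.setdefault(f["sess"], {"pageviews": 0, "mousemoves": 0,
                                            "first": ts, "last": ts, "fp": None})
        if f["ev"] == "pageview":
            s["pageviews"] += 1
        elif f["ev"] == "mousemove":
            s["mousemoves"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["fp"] = fingerprint(f)

    sessions_per_fp = defaultdict(set)
    for sid, s in sessions.items():
        sessions_per_fp[s["fp"]].add(sid)

    result = {}
    for sid, s in sessions.items():
        reasons = []
        if s["pageviews"] >= MIN_PAGEVIEWS_NO_MOUSE and s["mousemoves"] == 0:
            reasons.append("no_mouse_movement")
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        if s["pageviews"] * 60 / span > MAX_PAGES_PER_MINUTE:
            reasons.append("high_request_rate")
        if len(sessions_per_fp[s["fp"]]) >= SHARED_FINGERPRINT_SESSIONS:
            reasons.append("shared_fingerprint")
        result[sid] = reasons
    return result


if __name__ == "__main__":
    for sid, reasons in score_sessions().items():
        print(sid, reasons or "ok")
```

In the constructed log, `h1` browses at human pace with mouse activity and scores clean, while `b1` and `b2` page through the product path with no mouse events and share one fingerprint. The thresholds are starting points only; the point of the machine-learning layer the section mentions is to keep values like these current as the traffic changes.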
3. Act on flagged traffic
Once you’ve identified suspicious traffic, you need to figure out what to do with it.
Your bot mitigation solutions should let you test suspicious traffic. Common tests include Google’s CAPTCHA and PerimeterX’s Human Challenge.
When you confirm visitors as bots, you need to tag and mitigate them. These actions range from blocking the bots completely to rate-limiting them or redirecting them to decoy sites.
Logging information about these blocked bots can also increase your chances of preventing future attacks.
4. Filter bots with web traffic management
At airport security checkpoints, passengers are screened before they can proceed to their flight.
Similarly, a virtual waiting room acts as a checkpoint inserted between a web page on your website and the purchase path.
A virtual waiting room is uniquely positioned to weed out sneaker bots. It lets you run visitor identification checks before visitors can buy their sneakers.
And a virtual waiting room has the added benefit of providing a fair user experience during hyped sneaker releases. All early visitors are randomized when the sale starts, just like an old-fashioned sneaker raffle. Anyone arriving after the start of the sale gets their place in line in a first-come, first-served order—the gold standard of fairness.
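The queueing rule this section describes (randomize everyone who arrived before the sale starts, then first come, first served) fits in a few lines, with an identification check gating the hand-off to checkout. The block below is an added example written for this article, not a vendor's queue implementation; the visitor ids, arrival times and the `check` callback are assumptions.

```python
"""Added example (not a vendor's queue implementation): a virtual waiting room
that shuffles pre-sale arrivals like a raffle, serves later arrivals in order of
arrival, and runs a visitor identification check before admitting anyone to the
purchase path.  Visitor ids and times are constructed."""
import random
from collections import deque


class WaitingRoom:
    def __init__(self, sale_start: float, seed=None):
        self.sale_start = sale_start
        self.rng = random.Random(seed)   # seed only for reproducible demos
        self.early = []                  # arrivals before the sale: shuffled at open
        self.line = None                 # final queue, created when the sale opens

    def arrive(self, visitor_id: str, t: float) -> None:
        """Record an arrival at time t (arrivals are fed in time order)."""
        if t < self.sale_start:
            self.early.append(visitor_id)
        else:
            self._open()
            self.line.append(visitor_id)  # first come, first served after opening

    def _open(self) -> None:
        """Freeze the pre-sale crowd into a random order exactly once."""
        if self.line is None:
            order = list(self.early)
            self.rng.shuffle(order)       # raffle: early arrival time gives no edge
            self.line = deque(order)

    def order(self) -> list:
        self._open()
        return list(self.line)

    def admit(self, n: int, check) -> list:
        """Pass the next n visitors that clear check(visitor_id) into checkout;
        visitors that fail the identification check are dropped from the line."""
        self._open()
        admitted = []
        while self.line and len(admitted) < n:
            visitor = self.line.popleft()
            if check(visitor):
                admitted.append(visitor)
        return admitted


def demo(seed=7) -> WaitingRoom:
    """Constructed scenario: a, b, c arrive before a sale that opens at t=10; d, e after."""
    room = WaitingRoom(sale_start=10.0, seed=seed)
    for visitor, t in [("a", 1.0), ("b", 2.0), ("c", 3.0), ("d", 11.0), ("e", 12.0)]:
        room.arrive(visitor, t)
    return room


if __name__ == "__main__":
    room = demo()
    print("queue:", room.order())
    print("admitted:", room.admit(3, lambda v: v != "b"))
```

Because the shuffle happens once, at opening, a bot that hammers the page in the hour before the drop buys itself nothing, and because `admit` runs the check at the moment of hand-off, a visitor flagged while waiting never reaches the product page.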
5. Allocate time for after-sale audits
Even with the most bulletproof bot blocking strategy, some sneaker bots will still get through.
But just because the bot made a purchase doesn’t mean the battle is lost.
Dedicate resources to review order confirmations before shipping the sneaks. This is a strategy used by retailers including Walmart and Very, and can do much to boost consumer confidence that you’re truly trying to keep releases fair.
Review the orders and ask:
- Are there multiple orders shipping to the same address?
- Were several orders made using the same IP address?
- Was the same credit card used by different customers?
- Is there social media chatter from customers bragging about how they used bots to game your site?
The most advanced bot operators work to cover their tracks. They use residential proxies to obscure their IP addresses and tweak shipping addresses—an industry practice known as “address jigging”—to fly under the radar of these checks. But taking a critical eye to the full details of each order can help identify illegitimate purchases.
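The four audit questions above, plus a defence against simple address jigging, can be run automatically over order confirmations before anything ships. The block below is an added example written for this article, not a retailer's actual rules: the orders are constructed, the card fields are tokens rather than card numbers, and the `ABBREV` table is a minimal normalization that a real deployment would replace with proper address parsing or geocoding.

```python
"""Added example (not a retailer's actual rules): an after-sale audit over
constructed order confirmations that flags orders sharing a shipping address,
an IP address or a payment card, with a simple address normalization so that
jigged spellings of one address collide."""
import re
from collections import defaultdict

ORDERS = [  # constructed sample orders; "card" holds a payment token, not a card number
    {"id": 1, "email": "a@example.com", "ip": "192.0.2.10", "card": "tok_111",
     "address": "12 Main Street, Apt 4, Springfield"},
    {"id": 2, "email": "b@example.com", "ip": "192.0.2.10", "card": "tok_111",
     "address": "12 MAIN ST APT 4, SPRINGFIELD"},
    {"id": 3, "email": "c@example.com", "ip": "192.0.2.11", "card": "tok_222",
     "address": "12 Main St., Apt. #4 Springfield"},
    {"id": 4, "email": "d@example.com", "ip": "198.51.100.7", "card": "tok_333",
     "address": "9 Oak Avenue, Shelbyville"},
]

# Common street-suffix and unit spellings folded to one form (assumption: a
# small table is enough for the demo; real data needs an address parser).
ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
          "apartment": "apt", "unit": "apt", "suite": "apt", "ste": "apt"}


def normalize_address(addr: str) -> str:
    """Lowercase, drop punctuation and fold abbreviations, so jigged variants collide."""
    tokens = re.findall(r"[a-z0-9]+", addr.lower())
    return " ".join(ABBREV.get(t, t) for t in tokens)


def audit(orders=ORDERS) -> dict:
    """Return {order id: [reasons]} for orders that share an address, IP or card."""
    checks = {
        "same_address": lambda o: normalize_address(o["address"]),
        "same_ip": lambda o: o["ip"],
        "same_card": lambda o: o["card"],
    }
    flags = {o["id"]: [] for o in orders}
    for reason, key in checks.items():
        groups = defaultdict(list)
        for o in orders:
            groups[key(o)].append(o["id"])
        for ids in groups.values():
            if len(ids) > 1:          # more than one order behind the same value
                for oid in ids:
                    flags[oid].append(reason)
    return flags


if __name__ == "__main__":
    for oid, reasons in audit().items():
        print(oid, reasons or "clean")
```

Orders 1, 2 and 3 in the sample resolve to the same normalized address even though each is spelled differently, which is exactly the variation address jigging relies on; order 4 comes out clean. The social-media check in the list above has no structured input and stays a manual step.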