What are ticket bots? How do they work? Are they illegal? How do we beat them? Get the answers to these questions & learn everything you need to know about ticket scalping bots in this comprehensive blog post.
1,000+ concert tickets bought by one bot in one minute. 15,000+ tickets bought by two bots in a day. Up to 7,000% markups for tickets on secondary markets. These are just a few of the damning ticket bot data points highlighted by the New York Attorney General.
Ticket bots take money out of the pockets of genuine fans and make online ticket sales unfair.
That’s why everyone from politicians to musicians to fan alliances is fighting to stop bots from buying tickets and restore fairness to ticketing. That’s why online ticketing organizations are on the front lines of a battle against ticket bots.
But what are ticket bots, how do they work, and how can they be stopped? Read on to discover everything you need to know about ticket bots—and how you can beat them.
A ticket bot, also known as a “scalper bot”, is software that’s designed to help purchase tickets by performing automated tasks like scraping pricing details, checking inventory for newly released seats, or purchasing and reselling tickets.
Ticket bots typically imitate the behavior of human users, only faster and in larger volumes. This means these scalper bots can unfairly find and purchase tickets in ways human customers can’t.
Bots are a massive problem in the ticketing world, making up almost 40% of all ticketing website traffic. They're one of the main reasons you can't get tickets to see your favorite artists, sporting teams, or live events.
Ticket bots use software to execute automated tasks based on the instructions bot makers provide. Bots buy concert tickets in bulk by using speed to purchase tickets faster than regular people, and volume to get around ticket purchase limits.
What all ticket bots have in common is that they provide the person using the bot with an unfair advantage. If shoppers were athletes, using ticket bot software would be the equivalent of doping.
Ticket bots have many vectors of attack. The strategies used by bots are best understood based on where in the ticket purchase process they’re used. Consider the following timeline:
While some scalper bots will specifically target the account creation process, others target the moments before the onsale, or the checkout process. When people talk about ticket bots, they’re usually talking about bots designed to complete one or more of the malicious functions below.
Prior to the sale of tickets online, bad bots are used to create fake accounts or take over existing legitimate ones.
For example, one ticket broker apparently used 9,047 separate accounts on Ticketmaster to make 315,528 ticket orders for “Hamilton” and other popular events over a 2-year period.
Account creation bots
Fraudsters abuse the account signup process by using bots to create accounts in bulk. These accounts are then misused to get around ticket purchasing limits (most ticketing companies limit purchases to 4 or 6 tickets per customer).
Account takeover bots
Ticketing touts also try to get control over existing legitimate accounts. They either use bots to guess common usernames and passwords (called credential cracking) or to perform mass login attempts for stolen username/password pairs (called credential stuffing).
During the onsale itself, scalpers use ticket bots’ speed and volume advantages to beat loyal fans to the tickets and scoop up as much inventory as they can.
Bot operators use this lightning speed across several browsers to circumvent per-customer ticket limits.
By combining superhuman speed with sheer volume, bot operators effortlessly reserve hundreds of tickets as soon as the onsale starts.
A ticket buying bot reserving and purchasing multiple sets of tickets.
Ticket scalpers use one or several of these ticket bots to reserve and purchase tickets:
Scripted expediting bots use their speed advantage to blow by human users. An expediting bot can easily reach the checkout page in the time that it could take a fan to type his or her email address. And a single bot can open 100 windows and simultaneously proceed to the checkout page in all of them, coming away with a huge volume of tickets.
Scraping bots scan the web and monitor for specific types of tickets. When they find available tickets, they use expediting bots to quickly reserve and scalping bots to purchase them.
Denial of inventory / Spinning bots
Ever wonder how concert tickets are available on resale sites like StubHub or Viagogo even before the tickets go on sale? Next-generation denial of inventory bots are to blame.
Denial of inventory involves using bots to add tickets to the cart, making them unavailable for fans to buy. Scalpers know some fans will see the “no tickets available” messaging and will want to go to the event so badly they’ll pay whatever just to get their hands on a ticket. So, the scalpers list the tickets on the resale sites.
When the fans buy at the outrageously inflated resale prices, only then will the scalpers have their bots buy the tickets, pocketing a huge profit in the process.
Scalpers nearly always use bots to exceed the ticket limit, thus breaking ticketing companies’ terms of service. While some scalpers will pay for these tickets with legitimate credit cards, the worst scalpers do this all with stolen or hacked card information, increasing their scalping profit.
Cashing out bots
Cashing out refers to the general online credit card fraud that occurs when fraudsters use stolen card info to buy the tickets. In advance or during the ticket buying itself, fraudsters use bots to verify the validity of stolen cards (known as carding) or identify missing expiry dates or security codes for the stolen cards (known as card cracking).
Fraudsters, touts, and scalpers use bots for unfair advantage and fraud in every step of the ticket scalping journey.
When you think of the people behind ticket bots, you probably conjure up images of a hacker or criminal type, camped out in a basement. But the reality is different. For example, hospitality agencies use ticketing bots to snag premium seats to include in their package deals.
“If we talk about the ticketing in North America, there’s probably 40 organizations, at least, that are snapping tickets out of the primary market,” Queue-it Co-founder Niels Henrik Sodemann told Forbes.
There are five main types of ticket bot operators, each with their own objectives.
Who uses bots
Using a bot to purchase tickets is illegal in most Western countries. Scalping—the practice of purchasing tickets with the intention to resell for a profit—is also outlawed in much of the world.
While online ticketing bots have been around for at least 20 years, it’s only in the last 5 that governments have begun targeting bots with legislation. But these laws forbidding ticket bots and scalping are rarely enforced—meaning ticket botting and reselling remains alive and well.
Here’s a breakdown on the legality of ticket bots in the U.S., E.U., U.K., Canada, and Australia.
Ticket bots became illegal in the U.S. in 2016 when Congress passed the Better Online Ticket Sales (BOTS) Act. The BOTS Act makes it illegal to buy tickets to events by evading security measures and breaking purchasing rules set up by the ticket issuer. It also banned the resale of such illegally bought tickets.
Under E.U. law, the use of ticket bots became illegal in all E.U. member states in 2022. This legislation makes it illegal “to bypass any other technical means put in place by the primary seller to ensure accessibility of tickets for all individuals.” It also requires professional resellers to identify themselves on online marketplaces.
The legislation marks the first E.U.-wide legislation on the topic, and also leaves the door open for member states to pass additional laws regarding ticket resale (several already have such laws). The Council of the E.U. adopted the legislation in November 2019, and the laws came into effect for E.U. member states in May 2022.
In 2017, the U.K. passed a law that outlaws ticket bots used to exceed ticket purchase limits and requires secondary sellers to provide a unique ticket number with details of seats or standing location.
There is no nationwide legislation in Australia outlawing ticket bots. However, several states have outlawed bots and put caps on the resale prices of tickets.
In 2017, the Australian state of New South Wales passed anti-bot legislation, which also included a resale cap at no more than 10% over the face value of the ticket. The following year, the state of South Australia ratified the Fair Trading (Ticket Scalping) Amendment Bill to crack down on ticketing bots. Western Australia introduced similar legislation in 2021, including a ban on the use of bot software.
Although there isn’t yet a nationwide ticket bot law in Canada, several provinces have passed or are considering legislation.
In 2017, Ontario province passed the Ticket Sales Act, which bans tickets from being resold at more than 50% above the face value and makes it illegal to knowingly resell tickets that were purchased by bots.
In 2018, Alberta province implemented their own ban, and British Columbia followed suit in 2019 with their own Ticket Sales Act, which also bans speculative ticket resale where the reseller doesn’t have the ticket in his or her possession.
Enforceability is an ever-present issue with ticketing legislation. Just because a law is on the books doesn’t mean it’s followed. Strong enforcement is necessary to curb illegal behavior.
When the Ontario ban on ticket bots passed, attorney general Yasir Naqvi acknowledged the difficulty of enforcing the bot ban, as many bot operators are located outside of the province. He cited the 50% resale cap as an easier enforcement tool. Two years later, in 2019, Ontario’s government rolled back the 50% resale cap, saying it wasn’t enforceable.
Similarly, in the U.S. the BOTS Act’s bark has been worse than its bite. In 2018, two years after the BOTS Act's passage, the Federal Trade Commission—the agency tasked with enforcing the law—couldn’t comment on any instances of enforcement.
Even when the law was passed, the Congressional Budget Office judged it unlikely that substantial enforcement would take place.
“CBO estimates that [revenues from civil penalties] would be insignificant because of the small number of cases that the agency would probably pursue.”
The first (and so far only) BOTS Act enforcement action took place in 2021, when 3 New York-based ticket resellers were fined $31 million for buying more than 150,000 tickets, circumventing Ticketmaster's purchase limits and reselling for millions of dollars.
Using bots to scalp tickets is a perfect example of rent-seeking behavior (economist talk for leeching) that adds no benefit to society. But as long as there’s a secondary market to sell tickets at markups of over 1,000%, bad actors will fill the void to take advantage.
Indeed, the ticket resale market has ballooned to over $15 billion. Ticketmaster reported that it blocks 5 billion bot attempts every month. The financial incentive is simply too strong and the threat of legal action too weak to stop malicious bot operators.
In such a rapidly evolving space, legislation becomes outdated as soon as it’s passed.
The U.S. BOTS Act, for example, doesn’t appear to apply to people who purchase tickets where they’ve only used bots to reserve the tickets (as Denial of Inventory bots do). The newest iteration of bots will continue to outpace and outmaneuver the legal roadblocks.
It’s clear that the ticketing industry cannot rely on legislation to solve the ticketing bot problem. The onus remains on venues, ticketing organizations, and online platforms to defend against malicious bots during online ticket sales. And companies that aren’t perceived as doing enough to battle bots are playing with fire. Public outrage can quickly turn on such organizations, and potential legal actions can follow in its footsteps.
Ticketing was the first industry to suffer the plague of bots. And given the fortune that successful bot operators can make, ticketing bots aren’t going away anytime soon.
We’ve seen limited impact from ticket bot legislation thus far, which makes ticketing organizations the only ones who can put a stop to bots.
A full-fledged plan to deal with ticket bots must span several levels, from concrete technical tactics to comprehensive bot mitigation solutions to larger ticketing strategies.
Monitoring is key because behavior is what helps you tell real fans from bad bots.
For example, the majority of stolen credentials fail during a credential stuffing attack. So, if you have monitoring that reports a sudden spike of traffic to the login page combined with a higher than normal failed login rate, it indicates account takeover attempts by bots.
Another example is if there is a high concentration of visitors using the same IP address. At Queue-it, we’ve found over 50% of the bots blocked by our virtual waiting room’s abuse and bot protection emanate from the same IP address. The bots are trying to simulate real users on a massive scale but getting unique IP addresses is an additional step that not all bot operators take.
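The two monitoring signals described above (a login spike combined with a high failure rate, and many attempts from one IP address) can be checked with a few lines of log analysis. This is an added example, not Queue-it's code; the event format, thresholds and sample data are assumptions constructed for illustration.

```python
import statistics
from collections import Counter, defaultdict

WINDOW = 60  # bucket size in seconds

def build_sample_events():
    """Constructed login events: (epoch_second, client_ip, http_status)."""
    events = []
    # Minutes 0-2: normal traffic, 20 logins per minute, 10% failures.
    for minute in range(3):
        for i in range(20):
            ip = f"198.51.100.{minute * 20 + i + 1}"
            events.append((minute * 60 + i, ip, 401 if i < 2 else 200))
    # Minute 3: 200 logins, 95% failures, 120 of them from a single IP.
    for i in range(200):
        ip = "203.0.113.7" if i < 120 else f"192.0.2.{i - 119}"
        events.append((180 + i % 60, ip, 200 if i % 20 == 0 else 401))
    return events

def bucket_logins(events):
    """Return {window_start: [attempts, failures]}."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, _ip, status in events:
        start = ts - ts % WINDOW
        buckets[start][0] += 1
        buckets[start][1] += status in (401, 403)
    return dict(buckets)

def flag_stuffing_windows(events, spike_factor=3.0, fail_rate_min=0.5):
    """Flag windows that show BOTH a volume spike and a high failure rate.

    Baseline is the median attempts per window; thresholds are assumptions.
    """
    buckets = bucket_logins(events)
    baseline = statistics.median(a for a, _ in buckets.values())
    flagged = []
    for start in sorted(buckets):
        attempts, failures = buckets[start]
        rate = failures / attempts
        if attempts >= spike_factor * baseline and rate >= fail_rate_min:
            flagged.append((start, attempts, round(rate, 2)))
    return flagged

def concentrated_ips(events, share_min=0.2):
    """Return {ip: share} for IPs behind at least share_min of all attempts.

    Shared addresses (NAT, campus or mobile gateways) can trip this too,
    so treat a hit as a signal to challenge, not proof of a bot.
    """
    per_ip = Counter(ip for _ts, ip, _status in events)
    total = sum(per_ip.values())
    return {ip: n / total for ip, n in per_ip.items() if n / total >= share_min}

if __name__ == "__main__":
    sample = build_sample_events()
    print("suspect windows:", flag_stuffing_windows(sample))
    print("concentrated IPs:", concentrated_ips(sample))
```

Requiring both conditions keeps a popular onsale, which raises login volume but not the failure rate, from being flagged on volume alone.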
Bots have changed the economics of the ticketing business, so ticketing organizations need to change the economics of bot attacks. That means targeting each bot attack vector and increasing the costs bot operators incur in order to overcome the protections.
On account creation, for example, bot mitigation tools validate biometric data like mouse movements, mobile swipe, and accelerometer data to distinguish bots from real users, and then feed that data into machine learning algorithms. You can also block or enforce Google’s reCAPTCHA on traffic from known bot hosting providers and outdated browsers typically used to run ticket bots.
During the onsale itself, you can target the speed and volume advantages that bots enjoy. A tool like a virtual waiting room can help neutralize both.
Ticketmaster, for instance, has blocked over 13 billion bots across more than 17,000 events using Queue-it’s virtual waiting room.
With a virtual waiting room, bots that arrive before the onsale starts are placed in a pre-queue together with legitimate users. When the sale launches, everyone in the pre-queue is randomized. This eliminates any advantage in arriving early or hitting the web page milliseconds after the start of the sale.
Ticketing organizations can also require visitors to enter known data, such as a membership number, to enter the waiting room. Combining known data like this makes impersonating real users exceptionally expensive and complex, and is thus a powerful way of combating bots’ volume advantage.
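A minimal sketch of the two ideas above, pre-queue randomization and entry gated on known data, as an added example rather than Queue-it's implementation. The `Visitor` record, the one-place-per-membership-number policy and the sample onsale are assumptions made for illustration.

```python
import random
import secrets
from collections import namedtuple

Visitor = namedtuple("Visitor", "arrival_ms session_id member_no")

def build_sample():
    """Constructed onsale: one bot with 100 sessions, four fans, one forged number."""
    issued = {"M001", "M002", "M003", "M004", "M005"}  # numbers the seller issued
    visitors = [Visitor(i, f"bot-{i}", "M001") for i in range(100)]  # earliest arrivals
    visitors += [
        Visitor(1, "forged", "X999"),       # number that was never issued
        Visitor(5_000, "fan-2", "M002"),
        Visitor(7_000, "fan-3", "M003"),
        Visitor(9_999, "fan-4", "M004"),
        Visitor(10_500, "fan-5", "M005"),   # arrives after the sale opens
    ]
    return visitors, 10_000, issued

def assign_positions(visitors, sale_start_ms, issued, rng=None):
    """Return session ids in queue order.

    Assumed policy: one place per issued membership number, pre-queue shuffled
    at sale start, later arrivals appended first-come-first-served.
    """
    rng = rng or secrets.SystemRandom()  # unpredictable shuffle by default
    pre_queue, late, seen = [], [], set()
    for v in sorted(visitors, key=lambda v: v.arrival_ms):
        if v.member_no not in issued or v.member_no in seen:
            continue  # unknown number, or an extra session reusing one
        seen.add(v.member_no)
        (pre_queue if v.arrival_ms < sale_start_ms else late).append(v)
    rng.shuffle(pre_queue)  # arriving early buys no advantage
    return [v.session_id for v in pre_queue + late]

def bot_first_share(trials=2000, seed=0):
    """Fraction of simulated onsales in which the bot's session is first."""
    visitors, start, issued = build_sample()
    rng = random.Random(seed)  # seeded only to make the simulation repeatable
    wins = sum(assign_positions(visitors, start, issued, rng)[0] == "bot-0"
               for _ in range(trials))
    return wins / trials

if __name__ == "__main__":
    print(assign_positions(*build_sample()))
    print("bot first in", f"{bot_first_share():.0%}", "of simulated onsales")
```

In the sample, the bot's 100 early sessions collapse to a single place, and that place comes first in roughly one onsale in four, the same odds as each of the three fans in the pre-queue.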
Finally, you can implement bot mitigation tactics on the ticket payment step similar to how you would on account creation to flag brute-force attacks like carding or card cracking. Stopping fraudulent account creation also helps prevent online card fraud.
Shifts in ticketing strategies can play an equally vital role in battling bots. We’ve already seen several examples where ticket bot regulations also include caps on ticket resale prices to remove some of scalpers’ financial incentive.
With the expanded adoption of smartphones, mobile ticketing is a promising strategy to curb scalping. The paper ticket is “this paper entity that can be spoofed and subject to fraud,” says Kristin Darrow, senior vice president at Tessitura Network. Mobile ticketing puts more control measures in place, such as tracking the transfer of tickets and limiting sales by geographic area.
In 2019, Spanish festival Primavera Sound became the first major music festival to go completely mobile with their ticketing, and has features like a QR code that only appears two hours before the concert to keep tickets from being sold on secondary markets.
What’s old is also new again. Paperless ticketing—where the purchaser uses his or her credit card and a form of ID to enter the event instead of a ticket—"has been around for over 25 years,” says ticketing insider Ian English.
The paperless strategy certainly has tradeoffs, in that it is rigid and can be difficult to transfer tickets or purchase on behalf of someone else. But it has documented effectiveness in battling scalpers and reducing tickets on the secondary market. High-demand shows like Hamilton continue to experiment with the approach.
NFT ticketing is the latest innovation to attempt to put a stop to ticket bots and ticket fraud. NFT tickets are minted onto the blockchain, meaning transfers of ownership are fully public and traceable. Plus, the smart contract technology behind NFTs allows creators to code rules into the tickets, including rules that set a maximum resale price or block transfers of ownership altogether.
But while NFT ticketing shows promise to put a stop to bots, adoption of the strategy has been low—both among ticketing companies and customers.
The ultimate goal for ticketing organizations, fans, and politicians should be to restore fairness to online ticketing. Here’s how Edward Roberts, Director of Product Marketing at Distil Networks (now part of Imperva), describes what fairness means to the different players in the ticketing industry:
- For a fan, a fair experience is getting the same chance as any other fan to purchase available tickets at face value.
- For an artist, it is getting tickets into the hands of enthusiastic fans into their shows.
- For a ticketing company, it’s providing access to real humans to purchase the available tickets and eliminating any automation from abusing the system and ruining the ticketing buying experience for real fans.
With public outcry and artists’ frustration over ticketing bots at a boiling point, organizations that don’t take the problem seriously do so at their own peril.
But if you’re a ticketing organization and are committed to stopping ticket bots, there are tools and strategies at your disposal. Combined and tailored to the unique angles of attack at each stage of the ticket-buying process, they give you the best chance of achieving successful, bot-free onsales.
(This blog has been updated since it was originally written in 2019).